What is Margine?

A sealed system, not a moving target

On a "traditional" Linux distribution (Ubuntu, Debian, Fedora Workstation, …) the operating system is a collection of files on disk that you can edit, add to, or remove. Over time those files drift: every apt install, every kernel upgrade, every /etc tweak adds entropy that nobody fully tracks. After a few months the system is uniquely yours — for better and worse.

Margine works differently. The OS is shipped as a single image (a versioned, signed container under the hood) that gets deployed to your disk as a complete, sealed unit. The same image runs on every Margine machine on the same release. The /usr tree is mounted read-only. Your data (/home, /var, your dotfiles) is yours; the system bits aren't.

Updates are atomic. Rollbacks are one command.

When a new release ships, Margine downloads the new image and stages it as a second deployment alongside the current one. The next time you reboot, you boot into the new one. The previous one is still on disk. If something feels off, bootc rollback swaps back at the next reboot. No "fixing a half-broken upgrade" — you go forward cleanly or you go back cleanly.

What this means for you

• Don't sudo dnf install … for everyday software. Use Flatpak (Bazaar / Software /flatpak install) or a container with Distrobox. See Install & remove apps.
• You can still install OS-level packages with rpm-ostree install if you really need to (e.g. a kernel module driver). They become a layer on top of the base image. Use sparingly — every layer makes future upgrades slower and slightly more fragile.
• System config goes through declarative tooling (GNOME settings, gschema overrides, our margine-configure-* helpers) — not by editing files under /etc by hand. Those edits survive but they're invisible to anyone reading your repo / image.