Exploring Endless OS: A Package-Free Linux Distribution

Date: 18/07/2025

What does an average Linux distribution look like? Generally, it is a system assembled from thousands of packages, with desktop interface tweaks and possibly its own installer and configuration system on top. In essence, most distributions are quite similar and are built on the same idea: package + package + package = OS. Endless is entirely different: it has no traditional packages. Instead, it is built around an atomically updatable core system and uses Flatpak sandboxes for applications.

In the early days, when UNIX was just starting to make its mark, there was no third-party software and no associated management issues. If you needed to install an application, you simply compiled it and placed the resulting binary in the /bin directory.

As the number and complexity of applications increased, problems began to emerge. An application could consist of more than just a single binary; it might include various libraries, man pages, configuration files, and more. This led to the idea of using an install target in the app’s build instructions (Makefile) to set up everything needed with a single make install command.

This system functioned effectively until UNIX became mainstream and started to splinter into various forks and clones. The issue was no longer about ease of installation; it was that there were now numerous applications that often depended on each other and required modifications to work properly in different UNIX-like operating systems.

This is how the BSD Ports system was born. Essentially, it was a collection of scripts that allowed users to download, patch, compile, and install applications automatically. Furthermore, it provided a way to correctly uninstall applications, ensuring that no residual files were left behind in the system.

The beauty of the ports system lay in its ability to not only install and remove applications compiled from source code but also to generate binary packages from that same source. It soon became clear that users found it much more convenient to install pre-built packages rather than wait for compilations to finish. Thus began the era of package managers.

In Linux distributions, the package manager is the de facto standard. Unlike BSD systems, which have a clear separation between the indivisible base system and the collection of ports/packages installed on top of it, GNU/Linux distributions are entirely made up of packages. The kernel is one package, the basic set of command-line utilities is another, and the libc library (the main part of the system after the kernel) is yet another package.

This division isn’t coincidental; it’s the essence of GNU/Linux—a collection of components created by different people working together. However, this approach comes with numerous challenges. Keeping track of package dependencies is crucial; changing just one system package can render the whole system inoperative. Upgrading the distribution to a new version often requires elaborate workarounds: all the core components must be updated in a way that prevents the system from getting stuck in a transitional state (where some packages are updated while others are not).

And of course, the well-known limitation familiar to Linux enthusiasts: you just can’t install two different versions of an application. The contents of a package are copied to system directories rather than their own dedicated ones, and even if installation in a dedicated directory is possible, dependency issues will likely arise. For example, the application requires the libxyz.1.2 library, but the system has libxyz.1.3 installed, and you can’t downgrade it because the package manager will complain that applications abc and bca specifically need version 1.3.

In short, it’s complicated. However, there are several methods to tackle these issues today, all of which are implemented in Endless OS.

Endless OS

Endless OS is the creation of the young company Endless Mobile, which focuses on producing affordable compact computers for developing countries. A typical target user of Endless Mobile is someone from a remote African village, where even mobile connectivity is considered a luxury. That’s why the Endless Computer is designed to be not only affordable but also intuitive and easy to use, without requiring internet access.

Endless Mini computer, size of a child’s ball.

The full version of Endless OS is about 14 GB and comes with over 100 everyday applications, more than 50,000 Wikipedia articles, as well as various educational programs. There is also a basic version that is 2 GB, which includes only the essentials. Additional resources can be installed from the app store.

Endless OS uses a heavily modified version of GNOME called EOS Shell as its desktop environment. It’s designed to be very straightforward, lacking many features found in standard desktop interfaces. This environment resembles a tablet or smartphone interface more than a traditional desktop: it includes a task switching panel with a system tray, a collection of icons and folders on the desktop, and a search bar that performs searches both on Google and the hard drive simultaneously.

The Endless OS desktop closely resembles the tablet interface of Android version 4.1.

The installer matches the desktop environment—straightforward and doesn’t bombard you with unnecessary questions. The first boot kicks off with an interactive tutorial video that walks you through the interface, showing you how to find everything, listen to music, watch videos, and install third-party software.

Installer

The 2 GB software bundle is quite standard: it includes Google Chrome, LibreOffice, Totem video player, Rhythmbox audio player, Shotwell photo viewer, Duolingo for language learning, a file manager, calculator, settings (the usual GNOME settings), and a terminal (which can only be launched through the search feature).

The browser and terminal are quite standard.

The app store is user-friendly. Simply click “install,” and the app will be installed without a single question or a request for superuser permissions. All apps are distributed as self-contained packages. The installer places them in the /var/lib/flatpak/app directory, and when launched, it sets up a virtual environment for the application to run in (we’ll discuss this in more detail later).

App Store
To install, simply select the application and click the install button.

OSTree

Endless OS does not use a package manager or individual packages. The core part of the distribution, which is the system itself weighing in at about two gigabytes, is a single, monolithic, indivisible piece. Unlike other distributions, you can’t swap out or remove certain parts or uninstall unnecessary software. It’s a unified system, similar to how Windows or macOS operate.

Unlike Windows and macOS, the core of Endless OS doesn’t maintain a fixed state. Instead, all its files are stored in a Git-like repository called OSTree. This means that updating to a new version of the distribution doesn’t occur “live” as it does in other systems where updates are directly applied to the active system. Instead, the eos-updater downloads the modified files into the repository and then creates hard links to them in the root directory. For example, /bin/bash in Endless OS is simply a hard link to a file in the /ostree/repo repository. If bash is updated as part of the system update, eos-updater will remove the old link and create a new one pointing to a different file in the repository.

OSTree repository illustration

Compared to the traditional package-based approach, OSTree offers several advantages. It enables atomic updates, meaning the system doesn’t switch to a new updated state until it is entirely ready. In a typical Linux setup, interrupting a package installation can leave the system in an inconsistent state, potentially rendering the OS unusable and needing a full reinstallation. With OSTree, such issues are avoided.

Moreover, because OSTree maintains a history of changes, it allows the operating system to roll back to a previous state. In other words, the system enables a downgrade without the need to download or reinstall anything. The entire process takes just a few seconds.

Lastly, although Endless OS doesn’t support this, OSTree allows you to create multiple installations of different versions of the same OS. All their files are stored in a single repository, so you won’t have to use up extra disk space.
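The repository-plus-hard-links model described in this section can be reproduced in a temporary directory. This is an added sketch, not OSTree or eos-updater code: the object layout, the function names and the `current` symlink used to make the switch atomic are assumptions of the example.

```python
import hashlib
import os
import tempfile

def store(repo, data):
    """Keep one copy of each file in the repo, named by its SHA-256."""
    digest = hashlib.sha256(data).hexdigest()
    obj = os.path.join(repo, digest[:2], digest[2:])
    if not os.path.exists(obj):
        os.makedirs(os.path.dirname(obj), exist_ok=True)
        with open(obj, "wb") as f:
            f.write(data)
    return obj

def deploy(repo, root, name, files):
    """Build a complete tree whose files are hard links into the repo."""
    for rel, data in files.items():
        dst = os.path.join(root, name, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        os.link(store(repo, data), dst)

def switch(root, name):
    """Repoint 'current' in one rename(), so readers see old or new, never a mix."""
    tmp = os.path.join(root, "current.tmp")
    os.symlink(name, tmp)
    os.replace(tmp, os.path.join(root, "current"))

def read_bash(root):
    with open(os.path.join(root, "current", "bin", "bash"), "rb") as f:
        return f.read()

def demo():
    # Constructed sample trees: only bin/bash differs between the versions.
    v1 = {"bin/bash": b"bash 1", "bin/ls": b"ls 1"}
    v2 = {"bin/bash": b"bash 2", "bin/ls": b"ls 1"}
    with tempfile.TemporaryDirectory() as d:
        repo, root = os.path.join(d, "repo"), os.path.join(d, "deploy")
        deploy(repo, root, "v1", v1)
        switch(root, "v1")
        deploy(repo, root, "v2", v2)   # built beside the running tree
        switch(root, "v2")             # update
        updated = read_bash(root)
        switch(root, "v1")             # rollback, nothing downloaded
        rolled_back = read_bash(root)
        shared = os.path.samefile(os.path.join(root, "v1", "bin", "ls"),
                                  os.path.join(root, "v2", "bin", "ls"))
        objects = sum(len(names) for _, _, names in os.walk(repo))
    return updated, rolled_back, shared, objects
```

The unchanged `bin/ls` is a single inode shared by both trees, which is why a second deployment costs only the files that differ.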

Flatpak

The base installation of Endless OS is read-only. You can’t modify it, which means you can’t install packages or build applications from source using the command ./configure && make && make install. Instead, Endless OS uses self-contained Flatpak packages for software installation.

Flatpak is a modern implementation of a concept as old as Linux itself: applications should be installed in isolated directories rather than mingling their files with the system’s. Beyond just placing applications in their own folders, which allows for the installation of multiple versions of the same app and resolves dependency issues, Flatpak creates a sandbox for each application. This sandbox utilizes namespaces, cgroups, and seccomp to restrict and manage the app’s access to different system resources. For instance, you can deny an application access to the network or limit its view of the file system to the user’s home directory.

All applications installed via Flatpak are located in the /var/lib/flatpak directory. When a Flatpak application starts, it dynamically sets up the environment it needs to run. Specifically, a root file system is created in memory (tmpfs) just for the application, with the system’s /usr directory mounted in read-only mode, along with /proc, /sys, and /dev directories with a restricted set of device files. An /etc with a minimal set of necessary configuration files is also set up. Access to potentially “dangerous” system calls is restricted using seccomp. If needed, the user’s home directory is mounted with read and write access, allowing the application access to required OS functionality.

Each application has a metadata file that describes not only the application itself but also its permissions.

An application run using Flatpak is isolated from the main system and operates within its own environment. While it does have access to directories like /usr, it cannot modify them. It cannot see the processes running on the main system, does not have access to users’ personal files (by default), cannot interact with the hardware, and cannot escape its virtual environment.
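Because the permissions live in each application's metadata file, they can be reviewed before an app is trusted. The following added example (not part of the original article or of Flatpak itself) parses a constructed metadata file and reports `[Context]` entries that widen the sandbox; the `RISKY` policy table and the sample application are assumptions of the example.

```python
import configparser

# Review policy of this example: [Context] values that open up the
# network, the file system or hardware access described above.
RISKY = {
    "shared": {"network": "network access"},
    "filesystems": {"host": "entire host file system",
                    "home": "user's home directory"},
    "devices": {"all": "all device nodes"},
}

# Constructed sample metadata for a hypothetical application.
SAMPLE = """\
[Application]
name=org.example.Viewer
runtime=org.example.Platform/x86_64/1.0
command=viewer

[Context]
shared=network;ipc;
sockets=wayland;pulseaudio;
devices=dri;
filesystems=home:ro;xdg-download;
"""

def audit(text):
    """Return (key, entry, reason) for each risky grant in [Context]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str              # keep key case as written
    cp.read_string(text)
    findings = []
    if not cp.has_section("Context"):
        return findings               # no grants beyond the default sandbox
    for key, risky in RISKY.items():
        for entry in cp.get("Context", key, fallback="").split(";"):
            entry = entry.strip()
            if not entry or entry.startswith("!"):   # "!" revokes a permission
                continue
            base = entry.partition(":")[0]           # drop :ro / :rw / :create
            if base in risky:
                findings.append((key, entry, risky[base]))
    return findings

if __name__ == "__main__":
    for key, entry, reason in audit(SAMPLE):
        print(f"{key}={entry}: {reason}")
```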

However, because of these same sandboxes, Flatpak becomes ineffective when it comes to system applications. This is why Endless OS is divided into two parts: one is the core system, and the other is a set of Flatpak applications running in sandboxes.

Conclusion

Endless OS is not the only operating system that uses OSTree for atomic updates. OSTree is also the basis for Atomic, an OS designed for running containers, and for meta-updater, a system for atomic updates of embedded systems built with the OpenEmbedded framework.

However, Endless OS appears to be the only consumer operating system that utilizes this technology. It’s also the only OS where all third-party software is installed using Flatpak.

Endless OS essentially showcases what a Linux distribution designed solely for desktop use can be like. It features a simple and intuitive interface, with an indivisible core OS that includes a minimal set of necessary software. It’s very easy to install and hard to break during updates, with all third-party applications running in sandboxed environments and installed in their own directories. It’s the perfect desktop for users who aren’t particularly tech-savvy.

Interesting Facts

  • Endless OS ranks 171st on distrowatch.com.
  • Until mid-2016, Endless OS was only available in source code form.
  • Members of Endless Mobile serve on the board of the GNOME Foundation.
  • The Endless Mini computer was highlighted at CES 2016.
  • The cheapest Endless computer is priced at $79, while the most expensive is $229.