I’m admittedly yelling at cloud a bit here, but I like package managers just fine. I don’t want to have to have a plurality of software management tools. However, I also don’t want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don’t develop distributed applications, but Im not understanding how it simplifies dependency management. Isn’t it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don’t maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it’s something I should adopt, or if I can continue to blissfully ignore.
it comes down to how you use your system. if you’re fine using is as described and you’re on a distro that gets newest versions, keep on truckin’.
for me, I hate rebooting. I like to leave my system and return to it, be it laptop or desktop, and continue where I left off. sometimes that goes on for days, sometimes weeks. that’s virtually impossible when updating both system and app stuff constantly, i.e. to get new apps you also get new kernel, mesa, plasma, whathaveyous.
so I keep my system stuff that’s handled with the package manager and my app stuff separate. almost all of my GUI apps are flatpak and they are on a systemd timer so they get updated daily. my systems don’t bother me with update alerts, don’t do shit in the background and that’s how I like it. once a month or so I do a system upgrade and reboot.
This is exactly how I do things too.
The real thing that Flatpak offers is one place to publish for Linux. You put your app in the App Store for Apple, you put it in the Play Store for Android, you put it in Flathub for Linux.
Yes you can. I do. If a software does not offer build instructions, which is rare, I just do not use it.
The build instructions for all flatpaks are in one repo, you could build it yourself and maintain your own registry if you wanted.
Adopt
nixand you will be able to ignore it forever! 😉Seriously though, as others have said, use whatever fits you best. I avoided snaps and flatpaks due to the increased size requirements. So many things were duplicated for no apparent benefit (to me). However, with their introduction of permissions and portals, it does seem like a safer option. Although, we’re in a phase right now where not everything is flatpakked and applications trying to talk to each other is a pain (keepassxc unable to talk to flatpak
firefoxlibrewolf, chromium, etc.).Now that I use nix, I have a whole bunch of other problems, but at least getting packages is quite low on the list.
Thanks for the suggestion. I am interested in nix, but haven’t explored it yet.
I wasn’t being very serious about
nix. IMO, it’s quite the time investment due to its poor documentation and it has a lot of gotcha’s if you aren’t on NixOS e.g one example is that it’s great for terminal applications, but horrendous for GUI applications as it’ll be hit or miss. Again, this is if you’re not on NixOS. So, it can feel like an “all or nothing” approach.If you have the time and will, then it can be very rewarding. But if you just "want something that works ™ " side by side in your current system, personally, I wouldn’t recommend it - unless it’s hidden by some other tool like
devenv(which is a great tool for reproducible developer environments).Lol thanks for clarifying your sarcasm. 😂 I can be an airhead at times.
I was actually interested in trying NixOS on a laptop that is gathering dust. I did see a few months ago that there was some drama surrounding the project owner, though. I never investigated enough to understand what that was all about, but I’m less excited about digging into something if it may suddenly end.
If your distro provides everything you need then I would avoid flatpak. Getting apps to speak to each other is a pain, updates use more data, backups and restores take much longer, they don’t perform as well and config files are not necessarily where you expect them to be.
I have Debian Stable on an older laptop and only install apps as flatpaks if they are not available otherwise. I also have a very new laptop with Fedora on it (because it needs a newer kernel) and have had to install more flatpaks just to make things work properly, because they include their dependencies, codecs etc which are missing in Fedora. Appimages seem to do this too and I find them preferable to flatpak because they integrate more predictably with my system. Apps are slower to launch though and have to be manually updated.
Like you, I’d prefer to just have a package manager and a single source of software and plan to go back to Debian when my newer machine is supported by it.
There are tools to update AppImages, like AM and Gear Lever.
Nice, I will have a look 👍
That’s what I do. But then I mostly use Arch or Arch based distros (e.g. EndeavourOS). So I have access to AUR. If something isn’t on AUR (very rare, but can happen), I just create the package for it and publish to AUR. I do use some AlmaLinux machines as server. I don’t really need many programs outside of the standard repos there since I use them mostly for hosting Docker images. But if I do need to install something like that, I’ve some self-written LURE install scripts.
Flatpak is supposed to “just work” everywhere.
Arch based distros (except for Manjaro) has every FOSS and some proprietary software on the AUR
Let me try to clarify what you are saying.
You are saying that the AUR “has every FOSS and some proprietary software”. Yep. That is why I add an Arch Distrobox to every system regardless of the host distro.
But what do you mean by “except Manjaro”? Most Manjaro fans will say that Manjaro also supports the AUR. They are correct that you can certainly enable it and start installing packages from there.
I assume you are warning that, because Manjaro maintains its own base repos and has different package versions in it than Arch does, that Manjaro is incompatible with the AUR and that using the AUR with Manjaro will cause problems. If that is what you are saying, I agree with you.
Yes. Yes you can.
Ignore it. Move on.
I’m using MX Linux AHS, it is Debian based, it is always up to date, like latest firefox a few hours after it’s out, kernel 6.12.17 as of today, etc.
It has no systemd, no snap, no flatpak. It just uses the good old .deb and everything is working fine.
Glad it is working well for you. What does that have to do with this post?
no flatpak. chill.
FLOSS used to include the ability to build software. Perhaps that’s not important anymore but now a days some developers don’t attend problems with their build recipes because they only consider what they release through binaries, whether on flatpak or whatever other binary repository they like. At least I dislike that, it’s ok to me some or most users would prefer to grab a bloated binary rather than building anything, but that doesn’t mean forgetting about those actually wanting to build from source, or wanting to use shared libraries and software from their distros, actually that’s a requirement for free/libre software repositories. Not sure if the tendency is to move the gnu+linux users into app stores like the ones on windows, now ubuntu snaps, android play store and the like. Sure there’s more security with sandboxing, but nothing one can’t get with firejail, and if wanting MAC as well then firejail + apparmor for example.
At any rate, just my little rant. And if you’re wondering, I use AUR on Artix, and I really hope I won’t have a need for a flatpak stuff.
Downsides of distro pacakges:
- someone needs to package an application for each distro
- applications often need to maintain support for multiple versions of some of their dependencies to be able to continue to work on multiple distros
- users of different distros use different versions of the application, creating more support work for upstream
- users of some distros can’t use the application at all because there is no package
- adding 3rd party package repos is dangerous; every package effectively gets root access, and in many cases every repo has the ability to replace any distro-provided package by including one with a higher version number. 3rd party repos bring the possibility of breaking your system through malice or incompetence.
Downsides of flatpak:
- application maintainers are responsible for shipping and updating their dependencies, and may be less competent at doing timely security updates than distro security teams
- more disk space is used by applications potentially bringing their own copies of the same dependencies
🤔
Another downside of flatpak is that I don’t trust upstream devs to have my best interests at heart, but I trust Debian developers far more. I’ve seen upstream do some annoying or stupid shit and the Debian maintainers not budging.
I think it was poppler or evince that decided they were going to enforce the no-copy-and-paste bit you can set on pdfs. Debian patched it out. I’ve seen Mozilla decide they were going to enforce their trademarks. They carved out special exceptions for various distros but that still would have meant you would have to rename Firefox if you were to fork Debian. Debian had none of it. There were many dodgy copyright and licensing problems upstream devs gave no shit about. Debian not including these often eventually put pressure on them to fix this shit or for some replacement to get developed.
I trust Debian developers far more
i definitely agree with you here :)
I think it was poppler or evince that decided they were going to enforce the no-copy-and-paste bit you can set on pdfs. Debian patched it out.
I found the notion of free software implementing PDF DRM rather hilarious, so I had to know more. First I found this help page which confirms that evince does have code which implements PDF restrictions, but it says that its
override_restrictionsoption is enabled by default.But I wondered: when did this get implemented? and was it ever enabled by default? So, I went digging, and here are the answers:
- in May 2005, the restrictions were implemented in evince in this commit
- in September 2005, the
override_restrictionsoption was added in this commit, after discussion in bug #305818 - in December 2006 bug #382700 was opened, requesting that
override_restrictionsbe enabled by default - in January 2008, the default changed in this commit - but only after someone pointed out that the PDF spec does not in fact require the restrictions to be enforced. (The spec says “It is up to the implementors of PDF consumer applications to respect the intent of the document creator by restricting user access”) 😂
I don’t see any indication that Debian patched this out during the time when evince had it enabled by default, but I’m sure they would have eventually if GNOME hadn’t come to their senses :)
I’ve seen Mozilla decide they were going to enforce their trademarks. They carved out special exceptions for various distros but that still would have meant you would have to rename Firefox if you were to fork Debian. Debian had none of it.
In my opinion both sides of the Debian–Mozilla trademark dispute were actually pretty reasonable and certainly grounded in good intentions. Fortunately they resolved it eventually, with Mozilla relaxing their restrictions in 2016 (while still reserving the right to enforce their trademark against derivatives which make modifications they find unreasonable):
Mozilla recognizes that patches applied to Iceweasel/Firefox don’t impact the quality of the product.
Patches which should be reported upstream to improve the product always have been forward upstream by the Debian packagers. Mozilla agrees about specific patches to facilitate the support of Iceweasel on architecture supported by Debian or Debian-specific patches.
More generally, Mozilla trusts the Debian packagers to use their best judgment to achieve the same quality as the official Firefox binaries.
In case of derivatives of Debian, Firefox branding can be used as long as the patches applied are in the same category as described above.
https://lwn.net/Articles/335415/
The evince PDF reader ran into this issue back in 2005. It is now rare to find a distributor shipping a version of evince which implements copy restrictions. Xpdf implements copy restrictions unconditionally, but Debian patched that code out in 2002, and that patch has spread to other distributors as well. In general, as one would expect, free PDF readers tend not to implement this behavior. Okular is about the only exception that your editor can find; it’s interesting to note that the version of Okular shipped with Fedora Rawhide also implements copy restrictions by default. Perhaps this behavior is result of the relative newness of this application; as it accumulates more users, the pressure for more user-friendly behavior is likely to grow.
I see, here is where Debian patched it out of Xpdf in 2002.
Also lmao @ the fact that Okular’s
ObeyDRMoption still defaults to true today 😂(Including in Debian, as their KDE maintainer declined to carry a patch to change it.)
🥱
Another upside is the easy permission management.
You can revoke network access from your password manager to reduce attack surface; you can revoke camera access from your chat app to prevent accidentaly enabling it; You can restrict an app’s file system access to prevent unwanted changes; etc.
It’s not yet fit to protect from malicious apps, but it still finds some use.
It’s not yet fit to protect from malicious apps, but it still finds some use.
That it is “not yet fit to protect from malicious apps” is an important point which I think many people are not aware of.
This makes sandboxing something of a mixed bag; it is nice that it protects against some types of incompetent packages, and adds another barrier which attackers exploiting vulnerabilities might need to bypass, but on the other hand it creates a dangerous false sense of security today because, despite the fact that it is still relatively easy to circumvent, it it makes people feel safer (and thus more likely to) than they would be otherwise when installing possibly-malicious apps packaged by random people.
I think (and hope) it is much harder to get a malicious program included in most major distros’ main package repos than it is to break out of bubblewrap given the permissions of an average package of flathub.
You’re just not the target user.
The whole OCI mindset is geared towards absolute noobs like me, and cloud native devs that develop inside containers on a daily basis.
Take me for example. I use Bazzite, it’s the first distro I couldn’t break. On top of that, flatpaks, appimages and brew are my only options for software. Since Bazzite is an atomic distro (think immutable ) I could also use Distrobox but I don’t want to deal with it.
Everything just works for me, I don’t care about anything. I broke so many distros before. Sure, I don’t control every nut and cranny but I don’t want to.
If you know how to not break your stuff then that’s great, but I don’t, and I don’t want to learn that. I just want to learn other things.
Not to be that person, but you aren’t restricted to those solutions for software, that’s what
rpm-ostreeis there for. It layers applications over your system image and installs software in a similar manner to a “normal” package manager.I’ve used it here and there when there is no other option, still no problems yet for the OS itself, but I have run into issues installing certain things, most likely due to my lack of knowledge.
I think I may be giving arch another shot soon as my needs have changed and it was so godamn close to everything I needed.
rpm-ostree is intended to be the last resort because layering causes issues with updates and other things
Sure, I was just saying that you could use it and aren’t necessarily restricted to the other options.
I just use it if the package/dependencies aren’t available or functional in the default arch repo. I like to be able to turn nuts and bolts but also avoid it when it’s inconvenient.
2 package managers is fine for me.
I never use flatpaks and am doing just fine. I don’t want my packages to be installed from a bunch of different places; I want it all managed by one package manager, which for me is my distro package manager. I’ve never noticed a problem arising out of not using flatpaks; everything I want is either already packaged for me, or I can make a package myself.
I like package managers just fine. I don’t want to have to have a plurality of software management tools.
Same. I grumble when I have to install things through the AUR. I’d prefer if it was in the official repos.
can continue to blissfully ignore
That’s what I’ve been doing. I haven’t run into a situation where I’ve needed to mess with Flatpak. 🤷 Curious to hear other folk’s experiences though.
Also for your consideration, Flatpak seems to be mainly used for desktop GUI apps. You’ll still need your regular package manager to install CLIs. So… if you wanna keep your software management tools to a minimum…
doesn’t
yaysimplifies the AUR installation? Things have been pretty easy for me after I started usingyayyaysimplifies the AUR installationSimple to me means not having to install some random extra tool and just using
pacmanlike normal. That’s why I grumble.Haa understood. In that perspective yes it is not simple. I would also be happy if
pacmanhad better support for AUR.But I have a different perspective on this. I always look for the right or the best tool available to do something. So I’m not that hesitant to use another tool for AUR. I guess it’s a personal preference after all.
You don’t have to use an AUR helper, you could build it all with makepkg, but the helper just allows you to save time searching, downloading, and building.
The AUR is a different kettle of fish entirely, though. I do see your point, but the AUR is solving a problem common to all distros; hosting a repository for applications that there isn’t willingness or capacity to host in the official binary repos.
Installation, removal, dependency management, etc are all still handled by pacman. As others have pointed out there are great tools available to aid in AUR usability. My favorite is aurutils.
