Can I ignore flatpak indefinitely?
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
So far I have also completely ignored them. From what I understand they technically allow you to install old versions of software, potentially having multiple at the same time. This could come in a clutch when working with stuff like Godot or Blender where constantly upgrading to the latest version would cause issues on bigger projects.
This is the only thing I can see myself using them for, at least in the near future. -
Downsides of distro pacakges:
- someone needs to package an application for each distro
- applications often need to maintain support for multiple versions of some of their dependencies to be able to continue to work on multiple distros
- users of different distros use different versions of the application, creating more support work for upstream
- users of some distros can't use the application at all because there is no package
- adding 3rd party package repos is dangerous; every package effectively gets root access, and in many cases every repo has the ability to replace any distro-provided package by including one with a higher version number. 3rd party repos bring the possibility of breaking your system through malice or incompetence.
Downsides of flatpak:
- application maintainers are responsible for shipping shipping their dependencies, and may not be as competent at shipping security updates as distro security teams
- more disk space is used by applications potentially bringing their own copies of the same dependencies
Another downside of flatpak is that I don't trust upstream devs to have my best interests at heart, but I trust Debian developers far more. I've seen upstream do some annoying or stupid shit and the Debian maintainers not budging.
I think it was poppler or evince that decided they were going to enforce the no-copy-and-paste bit you can set on pdfs. Debian patched it out. I've seen Mozilla decide they were going to enforce their trademarks. They carved out special exceptions for various distros but that still would have meant you would have to rename Firefox if you were to fork Debian. Debian had none of it. There were many dodgy copyright and licensing problems upstream devs gave no shit about. Debian not including these often eventually but pressure on them to fix this shit or for some replacement to get developed.
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
If there is nothing appealing on flatpak, then sure. But for me it was really appealing and I still ignored it because you need to download big files at the beggining. But later on i started using it for steam and all because that thing is better staying as user-installed files in some form of permission sandbox
-
Another downside of flatpak is that I don't trust upstream devs to have my best interests at heart, but I trust Debian developers far more. I've seen upstream do some annoying or stupid shit and the Debian maintainers not budging.
I think it was poppler or evince that decided they were going to enforce the no-copy-and-paste bit you can set on pdfs. Debian patched it out. I've seen Mozilla decide they were going to enforce their trademarks. They carved out special exceptions for various distros but that still would have meant you would have to rename Firefox if you were to fork Debian. Debian had none of it. There were many dodgy copyright and licensing problems upstream devs gave no shit about. Debian not including these often eventually but pressure on them to fix this shit or for some replacement to get developed.
I trust Debian developers far more
i definitely agree with you here
I think it was poppler or evince that decided they were going to enforce the no-copy-and-paste bit you can set on pdfs. Debian patched it out.
This is hilarious and I had to know more. First I found this help page which confirms that evince does have code which implements PDF restrictions, but it says that its
override_restrictionsoption is enabled by default. But I wondered: was it ever enabled by default? And who implemented it?Here are the answers to these questions:
- in May 2005, a redhat employee implemented the restrictions in evince in this commit
- in September 2005, a yandex employee added the
override_restrictionsoption in this commit, after discussion in bug #305818 - in December 2006, someone opened bug #382700 requesting that
override_restrictionsbe enabled by default - in January 2008, a GNOME maintainer changed the default in this commit in 2008 - but only after someone showed a maintainer that the PDF spec does not in fact require the restrictions to be enforced. (The spec says "It is up to the implementors of PDF consumer applications to respect the intent of the document creator by restricting user access")
I don't see any indication that Debian patched this out during the time when evince had it enabled by default, but I'm sure they would have eventually if GNOME hadn't come to their senses
I’ve seen Mozilla decide they were going to enforce their trademarks. They carved out special exceptions for various distros but that still would have meant you would have to rename Firefox if you were to fork Debian. Debian had none of it.
In my opinion both sides of the Debian–Mozilla trademark dispute were actually pretty reasonable and certainly grounded in good intentions. Fortunately they resolved it eventually, with Mozilla relaxing their restrictions in 2016 (while still reserving the right to enforce their trademark against derivatives which make modifications they find unreasonable):
Mozilla recognizes that patches applied to Iceweasel/Firefox don't
impact the quality of the product.Patches which should be reported upstream to improve the product always
have been forward upstream by the Debian packagers. Mozilla agrees about
specific patches to facilitate the support of Iceweasel on architecture
supported by Debian or Debian-specific patches.More generally, Mozilla trusts the Debian packagers to use their best
judgment to achieve the same quality as the official Firefox binaries.In case of derivatives of Debian, Firefox branding can be used as long
as the patches applied are in the same category as described above.
Ubuntu having a different packaging, this does not apply to that
distribution. -
I trust Debian developers far more
i definitely agree with you here
I think it was poppler or evince that decided they were going to enforce the no-copy-and-paste bit you can set on pdfs. Debian patched it out.
This is hilarious and I had to know more. First I found this help page which confirms that evince does have code which implements PDF restrictions, but it says that its
override_restrictionsoption is enabled by default. But I wondered: was it ever enabled by default? And who implemented it?Here are the answers to these questions:
- in May 2005, a redhat employee implemented the restrictions in evince in this commit
- in September 2005, a yandex employee added the
override_restrictionsoption in this commit, after discussion in bug #305818 - in December 2006, someone opened bug #382700 requesting that
override_restrictionsbe enabled by default - in January 2008, a GNOME maintainer changed the default in this commit in 2008 - but only after someone showed a maintainer that the PDF spec does not in fact require the restrictions to be enforced. (The spec says "It is up to the implementors of PDF consumer applications to respect the intent of the document creator by restricting user access")
I don't see any indication that Debian patched this out during the time when evince had it enabled by default, but I'm sure they would have eventually if GNOME hadn't come to their senses
I’ve seen Mozilla decide they were going to enforce their trademarks. They carved out special exceptions for various distros but that still would have meant you would have to rename Firefox if you were to fork Debian. Debian had none of it.
In my opinion both sides of the Debian–Mozilla trademark dispute were actually pretty reasonable and certainly grounded in good intentions. Fortunately they resolved it eventually, with Mozilla relaxing their restrictions in 2016 (while still reserving the right to enforce their trademark against derivatives which make modifications they find unreasonable):
Mozilla recognizes that patches applied to Iceweasel/Firefox don't
impact the quality of the product.Patches which should be reported upstream to improve the product always
have been forward upstream by the Debian packagers. Mozilla agrees about
specific patches to facilitate the support of Iceweasel on architecture
supported by Debian or Debian-specific patches.More generally, Mozilla trusts the Debian packagers to use their best
judgment to achieve the same quality as the official Firefox binaries.In case of derivatives of Debian, Firefox branding can be used as long
as the patches applied are in the same category as described above.
Ubuntu having a different packaging, this does not apply to that
distribution.https://lwn.net/Articles/335415/
The evince PDF reader ran into this issue back in 2005. It is now rare to find a distributor shipping a version of evince which implements copy restrictions. Xpdf implements copy restrictions unconditionally, but Debian patched that code out in 2002, and that patch has spread to other distributors as well. In general, as one would expect, free PDF readers tend not to implement this behavior. Okular is about the only exception that your editor can find; it's interesting to note that the version of Okular shipped with Fedora Rawhide also implements copy restrictions by default. Perhaps this behavior is result of the relative newness of this application; as it accumulates more users, the pressure for more user-friendly behavior is likely to grow.
-
Ok, show me how you compile Emacs 29/30 on a fresh Debian 10 install in a few minutes...
-
https://lwn.net/Articles/335415/
The evince PDF reader ran into this issue back in 2005. It is now rare to find a distributor shipping a version of evince which implements copy restrictions. Xpdf implements copy restrictions unconditionally, but Debian patched that code out in 2002, and that patch has spread to other distributors as well. In general, as one would expect, free PDF readers tend not to implement this behavior. Okular is about the only exception that your editor can find; it's interesting to note that the version of Okular shipped with Fedora Rawhide also implements copy restrictions by default. Perhaps this behavior is result of the relative newness of this application; as it accumulates more users, the pressure for more user-friendly behavior is likely to grow.
I see, it was Xpdf where Debian patched it out in 2002.
Also lmao @ the fact that Okular's
ObeyDRMoption still defaults to true today(Including in Debian, as their KDE maintainer declined to carry a patch to change it.)
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
Just use Nix. It can run all the packages on whatever platform. It has the largest repository of software & are some of the most up-to-date.
-
apt install build-essential apt build-dep emacs wget https://ftp.gnu.org/gnu/emacs/emacs-30.1.tar.xz tar -xf emacs-30.1.tar.xz ./configure —prefix=/usr/local make make installDid I ask for a command? Give that a try in Debian 10...
-
This is what's so great about Linux, you can use whatever the hell you want.
Flatpaks provide some cool security functionalities like revoking network access to a specific application. Maybe you care about this, maybe you don't.
My personal policy is to always install from the repos. Occasionally something is only available in flathub, which is fine for me. I really understand how hard is maintaining something for every single package manager and diatributions and totally respect the devs using a format that just works everywhere. If I were to release a new Linux app, I would totally use flatpak.
But for apps distributed in your system’s package manager, it’s not the devs that are distributing them in every package manager. It’s the distribution itself that goes to each repository, checks and tests the dependencies they need and create the package for the distribution, along with a compiled binary version of it.
When they aren’t offered in the distro’s package manager (or the version is outdated because the distro isn’t rolling release) things become more complicated.
-
Personally it depends on distro and package manager.
If your on arch yes you can in a easyish way
Other distros you can either compile the software from source or convert .deb to .rpm (for example) this is mediumish and takes time to do.If the distro is rolling release, it can always support the latest software in theory, you’d just need to have the correct package formula, which is exactly what AUR is.
The problem with AUR is just that the author of the package is likely not the author of the software so you should normally check what the script is doing.
-
Did I ask for a command? Give that a try in Debian 10...
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
Maybe but probably not. People that develop applications can save a major headache by choosing flatpaks so the ecosystem will gravitate towards it.
At some point new applications that didn't launch a Linux version will do so but only on flatpak and older applications will start moving towards flatpaks since it's less dev time.
It looks to me as inevitable that the best versions of an app will be a flatpak but if you're on Ubuntu based system you can probably get by for very long without them.
-
Downsides of distro pacakges:
- someone needs to package an application for each distro
- applications often need to maintain support for multiple versions of some of their dependencies to be able to continue to work on multiple distros
- users of different distros use different versions of the application, creating more support work for upstream
- users of some distros can't use the application at all because there is no package
- adding 3rd party package repos is dangerous; every package effectively gets root access, and in many cases every repo has the ability to replace any distro-provided package by including one with a higher version number. 3rd party repos bring the possibility of breaking your system through malice or incompetence.
Downsides of flatpak:
- application maintainers are responsible for shipping shipping their dependencies, and may not be as competent at shipping security updates as distro security teams
- more disk space is used by applications potentially bringing their own copies of the same dependencies
Many of the problems with security and disk space are limited by flatpaks using same base layer for applications that is shared and easy to update.
-
Just use Nix. It can run all the packages on whatever platform. It has the largest repository of software & are some of the most up-to-date.
But then I'd have to run Nix.
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
The real thing that Flatpak offers is one place to publish for Linux. You put your app in the App Store for Apple, you put it in the Play Store for Android, you put it in Flathub for Linux.
-
But then I'd have to run Nix.
So? Not everything is packaged on all distros & you can benefit from sharing & reusing declarative configuration even if for specific scopes (meaning not just NixOS).
-
I might be an exception here, but I really like flatpaks. I like their sandboxed nature and using Flatseal, you can cherry pick the permissions you want to give to a flatpak application. Don't want to give n/w access, boom done, like that. And finally if anything goes wrong, delete the app data and you are fresh to go. Also from a security standpoint, you can grand or deny access to specific directories and most apps don't have root access.
I love Flatpaks. It's always the default for me and I use Arch. Packages from the Arch repos or the AUR are almost always the last resort.
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
Flatpak is supposed to "just work" everywhere.
-
No missing/outdated/renamed dependencies while building it?
