Can I ignore flatpak indefinitely?
-
Can I ignore flatpak indefinitely?
Sure, at least until software you want to use is flatpak only, e.g. Bottles
Or use a stable distro and need a package newer than 2 years.
-
Haa understood. In that perspective yes it is not simple. I would also be happy if
pacmanhad better support for AUR.But I have a different perspective on this. I always look for the right or the best tool available to do something. So I'm not that hesitant to use another tool for AUR. I guess it's a personal preference after all.
You don't have to use an AUR helper, you could build it all with makepkg, but the helper just allows you to save time searching, downloading, and building.
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
Sure you can! Just run
alias flatpak=snapand you'll be golden.(I'll show myself out...)
-
Downsides of distro pacakges:
- someone needs to package an application for each distro
- applications often need to maintain support for multiple versions of some of their dependencies to be able to continue to work on multiple distros
- users of different distros use different versions of the application, creating more support work for upstream
- users of some distros can't use the application at all because there is no package
- adding 3rd party package repos is dangerous; every package effectively gets root access, and in many cases every repo has the ability to replace any distro-provided package by including one with a higher version number. 3rd party repos bring the possibility of breaking your system through malice or incompetence.
Downsides of flatpak:
- application maintainers are responsible for shipping shipping their dependencies, and may not be as competent at shipping security updates as distro security teams
- more disk space is used by applications potentially bringing their own copies of the same dependencies
Another upside is the easy permission management.
You can revoke network access from your password manager to reduce attack surface; you can revoke camera access from your chat app to prevent accidentaly enabling it; You can restrict an App's file system access to prevent unwanted changes; etc.
It's not yet fit to protect from malicious apps, but it still finds some use.
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
If your distro provides everything you need then I would avoid flatpak. Getting apps to speak to each other is a pain, updates use more data, backups and restores take much longer, they don't perform as well and config files are not necessarily where you expect them to be.
I have Debian Stable on an older laptop and only install apps as flatpaks if they are not available otherwise. I also have a very new laptop with Fedora on it (because it needs a newer kernel) and have had to install more flatpaks just to make things work properly, because they include their dependencies, codecs etc which are missing in Fedora. Appimages seem to do this too and I find them preferable to flatpak because they integrate more predictably with my system. Apps are slower to launch though and have to be manually updated.
Like you, I'd prefer to just have a package manager and a single source of software and plan to go back to Debian when my newer machine is supported by it.
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
That's what I do. But then I mostly use Arch or Arch based distros (e.g. EndeavourOS). So I have access to AUR. If something isn't on AUR (very rare, but can happen), I just create the package for it and publish to AUR. I do use some AlmaLinux machines as server. I don't really need many programs outside of the standard repos there since I use them mostly for hosting Docker images. But if I do need to install something like that, I've some self-written LURE install scripts.
-
Yes. You can always build from source; f need be
Only if the application source code fits the API of the library versions on your system. Otherwise you also need to port the application to your available library versions. Also using different dependency versions might surface bugs that you have to sort out yourself.
I only want to point this out because it often seems that the people that complain about flatpak do not grasp what maintaining a package entails, and your suggestion effectively puts you in the position of being a package maintaier for your specific distro. (But the upshot is that with open source software you are always free to do this, and also share it with other people through (community-) repositories)
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
FLOSS used to include the ability to build software. Perhaps that's not important anymore but now a days some developers don't attend problems with their build recipes because they only consider what they release through binaries, whether on flatpak or whatever other binary repository they like. At least I dislike that, it's ok to me some or most users would prefer to grab a bloated binary rather than building anything, but that doesn't mean forgetting about those actually wanting to build from source, or wanting to use shared libraries and software from their distros, actually that's a requirement for free/libre software repositories. Not sure if the tendency is to move the gnu+linux users into app stores like the ones on windows, now ubuntu snaps, android play store and the like. Sure there's more security with sandboxing, but nothing one can't get with firejail, and if wanting MAC as well then firejail + apparmor for example.
At any rate, just my little rant. And if you're wondering, I use AUR on Artix, and I really hope I won't have a need for a flatpak stuff.
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
it comes down to how you use your system. if you're fine using is as described and you're on a distro that gets newest versions, keep on truckin'.
for me, I hate rebooting. I like to leave my system and return to it, be it laptop or desktop, and continue where I left off. sometimes that goes on for days, sometimes weeks. that's virtually impossible when updating both system and app stuff constantly, e.g. new kernel, mesa, plasma, whathaveyous.
so I keep my system stuff that's handled with the package manager and my app stuff separate. almost all of my GUI apps are flatpak and they are on a systemd timer so they get updated daily. my systems don't bother me with update alerts, don't do shit in the background and that's how I like it. once a month or so I do a system upgrade and reboot.
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
Arch based distros (except for Manjaro) has every FOSS and some proprietary software on the AUR
-
it comes down to how you use your system. if you're fine using is as described and you're on a distro that gets newest versions, keep on truckin'.
for me, I hate rebooting. I like to leave my system and return to it, be it laptop or desktop, and continue where I left off. sometimes that goes on for days, sometimes weeks. that's virtually impossible when updating both system and app stuff constantly, e.g. new kernel, mesa, plasma, whathaveyous.
so I keep my system stuff that's handled with the package manager and my app stuff separate. almost all of my GUI apps are flatpak and they are on a systemd timer so they get updated daily. my systems don't bother me with update alerts, don't do shit in the background and that's how I like it. once a month or so I do a system upgrade and reboot.
This is exactly how I do things too.
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
As someone who develops an distributes a small application exclusively on Flathub, I prefer that everyone uses the exact same package on every system. That way I know that if something doesn't work, the issue should be easy to reproduce.
Recently, there was a situation where a user indicated in the comments of a release announcement that a newly introduced feature “doesn't work”. It turned out that they installed a third-party package from the AUR (that wasn't updated yet) without knowing that this isn't the official and up to date version.
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
Yes. Yes you can.
Ignore it. Move on.
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
Adopt
nixand you will be able to ignore it forever!
Seriously though, as others have said, use whatever fits you best. I avoided snaps and flatpaks due to the increased size requirements. So many things were duplicated for no apparent benefit (to me). However, with their introduction of permissions and portals, it does seem like a safer option. Although, we're in a phase right now where not everything is flatpakked and applications trying to talk to each other is a pain (keepassxc unable to talk to flatpak
firefoxlibrewolf, chromium, etc.).Now that I use nix, I have a whole bunch of other problems, but at least getting packages is quite low on the list.
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
I'm using MX Linux AHS, it is Debian based, it is always up to date, like latest firefox a few hours after it's out, kernel 6.12.17 as of today, etc.
It has no systemd, no snap, no flatpak. It just use the good old .deb and everything is working fine.
-
Yes you can. I do. If a software does not offer build instructions, which is rare, I just do not use it.
The build instructions for all flatpaks are in one repo, you could build it yourself and maintain your own registry if you wanted.
-
Or use a stable distro and need a package newer than 2 years.
-
As someone who develops an distributes a small application exclusively on Flathub, I prefer that everyone uses the exact same package on every system. That way I know that if something doesn't work, the issue should be easy to reproduce.
Recently, there was a situation where a user indicated in the comments of a release announcement that a newly introduced feature “doesn't work”. It turned out that they installed a third-party package from the AUR (that wasn't updated yet) without knowing that this isn't the official and up to date version.
This seems to be a dependency failure.
I'm sad that we had this solved 20 years ago. It's like Texas measles.
-
I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
Is it because developers are often using dependencies that are ahead of release versions?
Also, how is it so much better than images for your applications on Docker Hub?
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
Personally it depends on distro and package manager.
If your on arch yes you can in a easyish way
Other distros you can either compile the software from source or convert .deb to .rpm (for example) this is mediumish and takes time to do. -
It depends a bit on perspective and use-case, really. A flatpak'd application can be a fully-featured (all dependencies bundled) package in order to be portable. However, most flatpaks you might commonly encounter don't quite do this. A good portion of the libraries may be distributed in common runtime packages. This will be the case if you use flatpaks from Flathub or Fedora. There still can be bundled libraries with vulnerabilities, but in many cases, there are basic dependencies from external, common library sets.
As far as varying dependency versions, a developer may be on a host with either newer or older dependencies than expected by the user, but as long as the developer's application (and any unique libraries) are compiled against a common runtime as previously mentioned, it does make distribution to a wide variety of distros (LTS, 6-month, and rolling alike) relatively easy.
In comparison to OCI images (the kind of images that make up Docker, Podman, and a good portion of Kubernetes container images), flatpaks are a bit less extreme. Flatpaks contain much the same kind of files and structure that a standard distro package would, but simply get sandboxed into their own environment (via bubblewrap). Additionally, flatpaks don't necessarily need system-level access for installation and usage (full userland confinement). It heavily depends on host environment and configuration, but typically OCI containers are a full, minimal, immutable filesystem structure run in a virtual environment. Not quite a virtual machine, as (in Linux anyway) they are run on the host (almost always in a sandbox) without extensive virtualization capabilities being needed. The general difference in security capabilities depends on the differences in sandboxing between a flatpak behind bubblewrap and an OCI container's runtime sandboxing. There is also the notion with OCI containers being able to run as virtualized users, including root. With OCI containers that can obtain root access and a flaw in the sandboxing of say Docker in its standard rootful mode could allow for root level processes in the sandbox to act upon the host.
From what I can think of in comparison, there is the big problem with Flatpak in that it really isn't suitable for packaging command-line applications: only GUI applications and libraries. OCI container images are often tailored for running web apps and other persistent CLI applications
OCI CLI apps can also be obtained from brew
