this post was submitted on 19 Oct 2023
48 points (98.0% liked)

I don't understand what problem they are meant to solve. If you have a FOSS piece of software, you can install it via the package manager. Or the store, which is just a frontend for the package manager. I see that they are distribution-independent, but the distro maintainers likely already know what's compatible and what your system needs to install the software. You enjoy that benefit only through the package manager.

If your distro ships broken software because of dependency problems, you don't need a tool like Flatpak, you need a new distro.

[–] [email protected] 37 points 1 year ago (1 children)

I like Flatpaks and AppImages for application delivery and here's why:

  1. Software doesn't just magically appear in various distros' repositories. There is a considerable amount of work (time/effort/energy/thought) that goes into including and maintaining any given program in a single distro's repo, and then very similar work must be done by the maintainers of other independent repositories. To make matters worse, some programs are not straightforward to compile and/or may use customized dependencies. In those cases, package maintainers for each distro will have to do even more work and pay close attention to deliver the application as intended, or risk shipping a version that works differently in subtle ways and possibly with rare bugs. (Needing to ship custom versions of deps for a certain program also totally eliminates a lot of the benefits of shared libraries; namely reduced storage space and shared functionality or security.) That's part of the reality of managing packages, and the fact is that there's a lot of wasted effort and repeated work that goes into putting this or that application into a distro repository. I have a ton of respect for distro package maintainers, but I would prefer that their talents and energy could be used on making the user experience and polish of their distro better, or developing new/better software, than wrestling with every new version of every package over and over again multiple times per year.

  2. As a developer it's very nice to know exactly what is being "shipped" to your users, and that most of your users are running the same code in a very similar environment. In my opinion, it's simply better for users and developers of a piece of software to have a more direct path, instead of running through a third party middle-man. Developers ship it, users use it, if there's a bug the users report it, developers fix it and add features and then ship again. It's simple, it's effective, and there's very little reason to add a bunch of extra steps to this process.

  3. The more time I spend using immutable, atomic Linux distros like Silverblue, the more I value a strong separation between system and applications. I want my base system to be solid as a rock, and ideally pretty fucking hard to accidentally break (either on the user end or the distro end). At the same time I also want to be able to use the latest and greatest applications as soon as humanly possible. Well, Silverblue has shown that there's a viable model to do that in the form of an immutable and atomic base system combined with containerized applications and dev environment. What Silverblue does may not be the only way of achieving a separation between system and applications, but I've never been more certain that it's the right direction for creating a more stable and predictable Linux experience without many compromises. I don't necessarily want to update my whole system to get the newest version of an application, and I certainly don't want my system to break due to dependency hell in the process.

  4. The advantages of the old way of distributing applications on Linux are way overblown compared to the advantages of Flatpak. Do flatpaks take up more drive space than traditionally packaged apps? Maybe, I don't even know. But even if they do, who the hell cares? Linux systems and applications are mostly pretty tiny, and a 1TB nvme ssd is like $50 these days. Does using shared libraries create less potential for security flaws going unfixed? Possibly, but again, sometimes it just isn't possible or practical for applications to share libraries, Flatpaks can technically share libraries too, and the containerized nature of Flatpaks means that security vulnerabilities in specific applications are mitigated somewhat. I'm not a security guy, but I'd guess that Flatpaks are generally pretty safe.

Well, that's all I can think of right now. I really like Flatpaks and to some extent AppImages too. I still think that most "system-level" stuff is fine to do with traditional packaging (or something like ostree), but for "application-level" stuff, I think Flatpaks are the current king. They're very up-to-date, sandboxed, often packaged by the developers themselves, consistent across many distros, save distro maintainers effort that could be better used elsewhere, easy for users to update, integrate with software centers, are very very unlikely to cause your system to break, and so on.

It would be really hard for me to want to switch back to a traditional distro using only repo packages.

[–] [email protected] 12 points 1 year ago (2 children)

I disagree with so much of this.

You might not care about the extra disk space, network bandwidth, and install time required by having each application package up duplicate copies of all the libraries they depend on, but I sure do. Memory use is also higher, because having separate copies of common libraries means that each copy needs to be loaded into memory separately, and that memory can't be shared across multiple processes. I also trust my distribution to be on top of security updates much more than I trust every random application developer shipping Flatpaks.

But tbh, even if you do want each application to bundle its own libraries, there was already a solution for that which has been around forever: static linking. I never understood why we're now trying to create systems that look like static linking, but using dynamic linking to do it.

I think it's convenient for developers to be able to know or control what gets shipped to users, but I think the freedom of users to decide what they will run on their own system is much more important.

I think the idea that it's not practical for different software to share the same libraries is overblown. Most common libraries are generally very good about maintaining backwards compatibility within a major version, and different major versions can be installed side-by-side. I run gentoo on my machines, and with the configurability the package manager exposes, I'd wager that no two gentoo installations are alike, either in version of packages installed, or in the options those packages are built with. And for a lot of software that tries to vendor its own copies of libraries, gentoo packages often give the option of forcing them to use the system copy of the library instead. And you know what? It actually works almost all the time. If gentoo can make it work across the massive variability of their installs, a distribution which offers less configurability should have virtually no problem.

You are right that some applications are a pain to package, and that the traditional distribution model does have some duplication of effort. But I don't think it's as bad as it's made out to be. Distributions push a lot of patches upstream, where other distributions will get that work for free. And even for things that aren't ready to go upstream, there's still a lot of sharing across distributions. My system runs musl for its C library, instead of the more common glibc. There aren't that many musl-based distributions out there, and there's some software that needs to be patched to work -- though much less than used to be the case, thanks to the work of the distributions. But it's pretty common for other musl-based distributions to look at what Alpine or Void have done when packaging software and use it as a starting point.

In fact, I'd say that the most important role distributions play is when they find and fix bugs and get those fixes upstreamed. Different distributions will be on different versions of libraries at different times, and so will run into different bugs. You could make the argument that by using the software author's "blessed" version of each library, everybody can have a consistent experience with the software. I would argue that this means that bugs will be found and fixed more slowly. For example, a rolling release distro that's packaging libraries on the bleeding edge might find and fix bugs that would eventually get hit in the Flatpak version, but might do so far sooner.

The one thing I've heard about Flatpak/Snap/etc that sounds remotely interesting to me is the sandboxing.

[–] hunger 1 points 1 year ago

You might not care about the extra disk space, network bandwidth, and install time required by having each application package up duplicate copies of all the libraries they depend on, but I sure do.

Updates tend to be smaller in flatpak than with packages. Flatpak only downloads files that changed, packages always download all files. But yes, the initial install of the first flatpak is going to take more bandwidth. The second package is then already reusing a lot of files already installed by the first.

Memory use is also higher, because having separate copies of common libraries means that each copy needs to be loaded into memory separately, and that memory can't be shared across multiple processes.

All the base libraries are shared between all flatpaks. Only very specialized libs end up getting installed several times (or libs with a different build configuration), but those are very likely going to be used by one application anyway, independent of how you install the application.

I also trust my distribution to be on top of security updates much more than I trust every random application developer shipping Flatpaks.

I trust developers to have a way better idea what the software actually needs than some random packager that also packages 200 other things.

But tbh, even if you do want each application to bundle its own libraries, there was already a solution for that which has been around forever: static linking. I never understood why we're now trying to create systems that look like static linking, but using dynamic linking to do it.

Yep, static linking can get similar results, but at the price of more bandwidth usage (you need to download the same library code over and over again) and resource usage: You do not get deduplication of libraries, so that code needs to be loaded into RAM repeatedly.

I think the idea that it's not practical for different software to share the same libraries is overblown.

I tried that: It is a huge pain. You basically can not use anything newer than 3 years or so as distributions will not have the new code yet. It is also eating a lot of time when you get bug reports and then find out some packager has shipped your code linked to a library known to be broken. Happens all the time :-( You need to be able to point people to working binaries of your product, so you will just package the stuff yourself. Doing that once properly for flatpak is very nice -- or doing it a dozen times, each time testing with the package versions and patches applied on top of that version the distribution ships.

But you left out the one thing that makes me prefer flatpak: I can restrict what an application can do. E.g. no browser can access anything outside the downloads folder, etc. I care about my stuff in the home directory. Traditional Unix security has nothing to help me stop one application messing with the data from another, stealing my ssh keys or turning on my cameras or microphones. Flatpak can limit all that to certain applications -- and when the application supports it, even more than that.
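Taking the permission point above as a worked illustration (added here, not from anyone in the thread): a small POSIX sh helper that flags over-broad sandbox grants in the `[Context]` block printed by `flatpak info --show-permissions APP` and emits the `flatpak override` that confines an app to its Downloads folder. The app id `org.example.Browser` and the sample permission block are constructed; the option names are real `flatpak override` flags.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Flatpak app's sandbox grants
# and print the least-privilege override described in the comment above
# (filesystem access limited to the Downloads folder).
# Input is the [Context] section as printed by `flatpak info --show-permissions`,
# read from stdin so the audit also works on a saved copy.

# Constructed sample for a hypothetical browser with an over-broad manifest.
SAMPLE_CONTEXT='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=home;xdg-download;'

# audit_context: read a [Context] section on stdin, print one line per grant
# that a least-privilege policy would question.
audit_context() {
    while IFS= read -r line; do
        key=${line%%=*}
        vals=${line#*=}
        case "$key" in
            filesystems)
                # Walk the ';'-separated list; flag anything wider than one folder.
                old_ifs=$IFS; IFS=';'
                for fs in $vals; do
                    case "$fs" in
                        home|host|host-os|host-etc|'~'*|/*) echo "broad-fs:$fs" ;;
                    esac
                done
                IFS=$old_ifs ;;
            devices)
                case ";$vals" in *';all;'*) echo "all-devices" ;; esac ;;
        esac
    done
}

# harden_cmd APP_ID: print the override that revokes whole-home access, keeps
# only the Downloads folder, and drops the blanket device grant.
harden_cmd() {
    printf 'flatpak override --user --nofilesystem=home --filesystem=xdg-download --nodevice=all %s\n' "$1"
}

# Stand-alone run: audit the sample, then show the fix for the constructed app id.
printf '%s\n' "$SAMPLE_CONTEXT" | audit_context
harden_cmd org.example.Browser
```

Against a real install, replace the sample with `flatpak info --show-permissions org.example.Browser | audit_context`; the override only takes effect for that app, leaving the rest of the system untouched.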