this post was submitted on 17 Feb 2024
173 points (93.9% liked)


Basically title.

I’m wondering if a package manager like flatpak comes with any drawback or negatives. Since it just works on basically any distro. Why isn’t this just the default? It seems very convenient.

[–] [email protected] 10 points 9 months ago* (last edited 9 months ago) (2 children)

How? Security is one of its selling points.

[–] [email protected] 7 points 9 months ago (1 children)

libxyz has a security vulnerability:

Your distro updates libxyz. Fixed and every piece of software gets the fix for free.

Every single flatpak that uses libxyz has to update to include the fix. Let's hope all those package maintainers are on their game.

[–] [email protected] 11 points 9 months ago (1 children)

That's not how Flatpak works.

Flatpak has runtimes, which is where most shared libraries are. There's a common base one called Freedesktop, a GNOME runtime, a KDE runtime, an Elementary runtime, and more. (The GNOME and KDE ones are built on top and inherit from the Freedesktop base runtime.)

https://docs.flatpak.org/en/latest/available-runtimes.html

Additionally, at least for Flathub, they have shared modules for commonly used libraries that aren't in runtimes. (Many are related to games or legacy support like GTK2.)

https://github.com/flathub/shared-modules

Lastly, some distributions are building their own runtimes and apps on top, so the packages they build are available as flatpaks as well. This is the case for Fedora, Elementary, Endless, and others.

https://fedoraproject.org/wiki/Flatpak

[–] [email protected] 5 points 9 months ago* (last edited 9 months ago) (1 children)

That's not how Flatpak works.

That's exactly how flatpaks work if the library you need is not in the runtime. Which is very often the case.

I know because I made one for my personal use and the package was not available elsewhere.

Additionally, at least for Flathub, they have shared modules for commonly used libraries that aren't in runtimes. (Many are related to games or legacy support like GTK2.)

So we're just reinventing the wheel with more bloat? Brilliant.

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (1 children)

Yeah, that's a big, weird if though. Most modern apps can rely on the runtimes for their dependencies and not have to ship their own custom dependencies.

It's different from something like AppImage, where everything is bundled (or Snap, where a lot more needs to be bundled than a typical Flatpak, but not as much as with an AppImage).

Additionally, there's always some level of sandboxing in Flatpaks (and Snap packages) and none at all for RPMs, Debs, or AppImages.

Also, Flatpak deduplicates common files shared across flatpak apps and runtimes, so there isn't "bloat" like what you're talking about.

https://blogs.gnome.org/wjjt/2021/11/24/on-flatpak-disk-usage-and-deduplication/

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago)

I think bringing in an entire operating system, which may well include libraries and other files that I already have installed, to run something small can be considered bloat.

I currently have multiple versions of Nvidia's libraries installed for some reason on my system through flatpak. I have no idea why that's necessary but if I don't allow this to happen I get dropped down to software rendering.
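
Added example, not part of the thread or of the Flatpak project's code: the disagreement above comes down to whether a library such as libxyz is built into the app or comes from its runtime, and a flatpak-builder manifest records that. The sketch below walks a constructed manifest (the app id, module names and URLs are assumptions) and reports, per library, whether a fix needs an app rebuild or arrives with a runtime update.

```python
import json
from pathlib import PurePosixPath

# Constructed flatpak-builder manifest for illustration (not a real app).
MANIFEST = json.loads("""{
  "app-id": "org.example.Viewer",
  "runtime": "org.freedesktop.Platform",
  "runtime-version": "23.08",
  "sdk": "org.freedesktop.Sdk",
  "modules": [
    "shared-modules/gtk2/gtk2.json",
    {"name": "libxyz",
     "sources": [{"type": "archive", "url": "https://example.org/libxyz-1.2.3.tar.gz"}]},
    {"name": "viewer",
     "modules": [{"name": "libfoo",
                  "sources": [{"type": "git", "url": "https://example.org/libfoo.git"}]}],
     "sources": [{"type": "dir", "path": "."}]}
  ]
}""")


def bundled_modules(modules, parent=None):
    """Yield (name, origin, source_refs) for every module built into the app."""
    for mod in modules:
        if isinstance(mod, str):  # reference to another manifest file
            origin = "shared-modules" if mod.startswith("shared-modules/") else "external file"
            yield PurePosixPath(mod).stem, origin, []
            continue
        refs = [s.get("url") or s.get("path")
                for s in mod.get("sources", []) if isinstance(s, dict)]
        yield mod["name"], ("inline" if parent is None else f"nested in {parent}"), refs
        yield from bundled_modules(mod.get("modules", []), mod["name"])


def who_ships_fix(manifest, library):
    """Return ("app", hits) if the library is bundled, else ("runtime", runtime_ref)."""
    hits = [m for m in bundled_modules(manifest.get("modules", [])) if m[0] == library]
    if hits:
        return "app", hits  # bundled copy: fixed only when the app is rebuilt
    # Not bundled: any copy the app loads comes from the runtime it declares.
    return "runtime", f'{manifest["runtime"]}//{manifest["runtime-version"]}'


if __name__ == "__main__":
    for lib in ("libxyz", "libfoo", "gtk2", "zlib"):
        print(lib, "->", who_ships_fix(MANIFEST, lib))
```

A module pulled in from shared-modules still counts as bundled here, because it is compiled into the app at build time and only changes when the app is rebuilt.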

[–] [email protected] 5 points 9 months ago

It sells security through isolation, but packages are not cryptographically verified after download. This is done in package managers like apt, but not flatpak.