From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
Maybe but probably not. People that develop applications can save a major headache by choosing flatpaks so the ecosystem will gravitate towards it.
At some point new applications that didn't launch a Linux version will do so but only on flatpak and older applications will start moving towards flatpaks since it's less dev time.
It looks to me as inevitable that the best versions of an app will be a flatpak but if you're on Ubuntu based system you can probably get by for very long without them.
Just use Nix. It can run all the packages on whatever platform. It has the largest repository of software & are some of the most up-to-date.
If there is nothing appealing on flatpak, then sure. But for me it was really appealing and I still ignored it because you need to download big files at the beggining. But later on i started using it for steam and all because that thing is better staying as user-installed files in some form of permission sandbox
So far I have also completely ignored them. From what I understand they technically allow you to install old versions of software, potentially having multiple at the same time. This could come in a clutch when working with stuff like Godot or Blender where constantly upgrading to the latest version would cause issues on bigger projects. This is the only thing I can see myself using them for, at least in the near future.
This is what's so great about Linux, you can use whatever the hell you want.
Flatpaks provide some cool security functionalities like revoking network access to a specific application. Maybe you care about this, maybe you don't.
My personal policy is to always install from the repos. Occasionally something is only available in flathub, which is fine for me. I really understand how hard is maintaining something for every single package manager and diatributions and totally respect the devs using a format that just works everywhere. If I were to release a new Linux app, I would totally use flatpak.
I really understand how hard is maintaining something for every single package manager and distributions
But for apps distributed in your system’s package manager, it’s not the devs that are distributing them in every package manager. It’s the distribution itself that goes to each repository, checks and tests the dependencies they need and creates the package for the distribution, along with a compiled binary.
When they aren’t offered in the distro’s package manager (or the version is outdated because the distro isn’t rolling release) things become more complicated indeed, and sometimes you can’t even do it because the dependencies are older than the ones you require.
Same boat. As a user, I greatly prefer everything to come from the repos. However, as a distributor, Flatpak makes so much more sense.
The only Flatpak I have installed is pgAdmin. I looked at the build on Flathub with the idea of porting the package myself but got scared off. It was a maze of Python dependencies running in Electron. That seems like exactly the kind of thing that may be better off in its own sandbox.
As someone who develops and distributes a small application exclusively on Flathub, I prefer that everyone uses the exact same package on every system. That way I know that if something doesn't work, the issue should be easy to reproduce.
Recently, there was a situation where a user indicated in the comments of a release announcement that a newly introduced feature “doesn't work”. It turned out that they installed a third-party package from the AUR (that wasn't updated yet) without knowing that this isn't the official and up to date version.
It just has to always be the first question in a big report or forum question. Have they verified their issue with the Flatpak version?
I prefer packages from the AUR myself but I do not expect the software authors to support me. Distros need to support their own packages but the AUR is not part of the Arch distro. Arch does not support the AUR. The only support I should expect would be from the package author (the AUR package) and they likely do not have the ability.
I think the right way to understand Flatpak is that it is essentially its own Linux distro without a kernel. You have to be running that version if you expect support. People think of Flatpak as a “sandbox” which it is. But it is also like running an app in a Docker container or Distrobox where you have to pick a distro to run in the container. With Flatpak, you are running on the “freedesktop” distro. It is not the same environment as the rest of your system (right down to the filesystem layout and C library).
Yes. Yes you can.
Ignore it. Move on.
Downsides of distro pacakges:
Downsides of flatpak:
🤔
Many of the problems with security and disk space are limited by flatpaks using same base layer for applications that is shared and easy to update.
Another downside of flatpak is that I don't trust upstream devs to have my best interests at heart, but I trust Debian developers far more. I've seen upstream do some annoying or stupid shit and the Debian maintainers not budging.
I think it was poppler or evince that decided they were going to enforce the no-copy-and-paste bit you can set on pdfs. Debian patched it out. I've seen Mozilla decide they were going to enforce their trademarks. They carved out special exceptions for various distros but that still would have meant you would have to rename Firefox if you were to fork Debian. Debian had none of it. There were many dodgy copyright and licensing problems upstream devs gave no shit about. Debian not including these often eventually put pressure on them to fix this shit or for some replacement to get developed.
I trust Debian developers far more
i definitely agree with you here :)
I think it was poppler or evince that decided they were going to enforce the no-copy-and-paste bit you can set on pdfs. Debian patched it out.
I found the notion of free software implementing PDF DRM rather hilarious, so I had to know more. First I found this help page which confirms that evince does have code which implements PDF restrictions, but it says that its override_restrictions option is enabled by default.
But I wondered: when did this get implemented? and was it ever enabled by default? So, I went digging, and here are the answers:
override_restrictions option was added in this commit, after discussion in bug #305818override_restrictions be enabled by defaultI don't see any indication that Debian patched this out during the time when evince had it enabled by default, but I'm sure they would have eventually if GNOME hadn't come to their senses :)
I’ve seen Mozilla decide they were going to enforce their trademarks. They carved out special exceptions for various distros but that still would have meant you would have to rename Firefox if you were to fork Debian. Debian had none of it.
In my opinion both sides of the Debian–Mozilla trademark dispute were actually pretty reasonable and certainly grounded in good intentions. Fortunately they resolved it eventually, with Mozilla relaxing their restrictions in 2016 (while still reserving the right to enforce their trademark against derivatives which make modifications they find unreasonable):
Mozilla recognizes that patches applied to Iceweasel/Firefox don't impact the quality of the product.
Patches which should be reported upstream to improve the product always have been forward upstream by the Debian packagers. Mozilla agrees about specific patches to facilitate the support of Iceweasel on architecture supported by Debian or Debian-specific patches.
More generally, Mozilla trusts the Debian packagers to use their best judgment to achieve the same quality as the official Firefox binaries.
In case of derivatives of Debian, Firefox branding can be used as long as the patches applied are in the same category as described above.
https://lwn.net/Articles/335415/
The evince PDF reader ran into this issue back in 2005. It is now rare to find a distributor shipping a version of evince which implements copy restrictions. Xpdf implements copy restrictions unconditionally, but Debian patched that code out in 2002, and that patch has spread to other distributors as well. In general, as one would expect, free PDF readers tend not to implement this behavior. Okular is about the only exception that your editor can find; it's interesting to note that the version of Okular shipped with Fedora Rawhide also implements copy restrictions by default. Perhaps this behavior is result of the relative newness of this application; as it accumulates more users, the pressure for more user-friendly behavior is likely to grow.
I see, here is where Debian patched it out of Xpdf in 2002.
Also lmao @ the fact that Okular's ObeyDRM option still defaults to true today 😂
(Including in Debian, as their KDE maintainer declined to carry a patch to change it.)
Another upside is the easy permission management.
You can revoke network access from your password manager to reduce attack surface; you can revoke camera access from your chat app to prevent accidentaly enabling it; You can restrict an app's file system access to prevent unwanted changes; etc.
It's not yet fit to protect from malicious apps, but it still finds some use.
It’s not yet fit to protect from malicious apps, but it still finds some use.
That it is "not yet fit to protect from malicious apps" is an important point which I think many people are not aware of.
This makes sandboxing something of a mixed bag; it is nice that it protects against some types of incompetent packages, and adds another barrier which attackers exploiting vulnerabilities might need to bypass, but on the other hand it creates a dangerous false sense of security today because, despite the fact that it is still relatively easy to circumvent, it it makes people feel safer (and thus more likely to) than they would be otherwise when installing possibly-malicious apps packaged by random people.
I think (and hope) it is much harder to get a malicious program included in most major distros' main package repos than it is to break out of bubblewrap given the permissions of an average package of flathub.
Personally it depends on distro and package manager.
If your on arch yes you can in a easyish way some aur packages may require you to compile it.
Other distros you can either compile the software from source or convert .deb to .rpm (for example) this is mediumish and takes time to do.
If the distro is rolling release, it can always support the latest software in theory, you’d just need to have the correct package formula, which is exactly what AUR offers.
The problem with AUR is just that the author of the package is likely not the author of the software and not affiliated with the distro, so you should normally check what the script is doing.
Agreed
Sure you can! Just run alias flatpak=snap and you'll be golden.
(I'll show myself out...)
Yes. You can always build from source; If need be
Correct, horse_battery_staple
You're just not the target user.
The whole OCI mindset is geared towards absolute noobs like me, and cloud native devs that develop inside containers on a daily basis.
Take me for example. I use Bazzite, it's the first distro I couldn't break. On top of that, flatpaks, appimages and brew are my only options for software. Since Bazzite is an atomic distro (think immutable ) I could also use Distrobox but I don't want to deal with it.
Everything just works for me, I don't care about anything. I broke so many distros before. Sure, I don't control every nut and cranny but I don't want to.
If you know how to not break your stuff then that's great, but I don't, and I don't want to learn that. I just want to learn other things.
Adopt nix and you will be able to ignore it forever! 😉
Seriously though, as others have said, use whatever fits you best. I avoided snaps and flatpaks due to the increased size requirements. So many things were duplicated for no apparent benefit (to me). However, with their introduction of permissions and portals, it does seem like a safer option. Although, we're in a phase right now where not everything is flatpakked and applications trying to talk to each other is a pain (keepassxc unable to talk to flatpak ~~firefox~~ librewolf, chromium, etc.).
Now that I use nix, I have a whole bunch of other problems, but at least getting packages is quite low on the list.
Thanks for the suggestion. I am interested in nix, but haven't explored it yet.
I wasn't being very serious about nix. IMO, it's quite the time investment due to its poor documentation and it has a lot of gotcha's if you aren't on NixOS e.g one example is that it's great for terminal applications, but horrendous for GUI applications as it'll be hit or miss. Again, this is if you're not on NixOS. So, it can feel like an "all or nothing" approach.
If you have the time and will, then it can be very rewarding. But if you just "want something that works ™ " side by side in your current system, personally, I wouldn't recommend it - unless it's hidden by some other tool like devenv (which is a great tool for reproducible developer environments).
Lol thanks for clarifying your sarcasm. 😂 I can be an airhead at times.
I was actually interested in trying NixOS on a laptop that is gathering dust. I did see a few months ago that there was some drama surrounding the project owner, though. I never investigated enough to understand what that was all about, but I'm less excited about digging into something if it may suddenly end.
I might be an exception here, but I really like flatpaks. I like their sandboxed nature and using Flatseal, you can cherry pick the permissions you want to give to a flatpak application. Don't want to give n/w access, boom done, like that. And finally if anything goes wrong, delete the app data and you are fresh to go. Also from a security standpoint, you can grand or deny access to specific directories and most apps don't have root access.
I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?
That's correct. This simplifies the dependency management system because not every distribution ships with every version of every package, so when software requires a version of a package that the distro dosesn't ship with or have in its repositories, the end user has to either build the package from source, or find some other way to run their software. Flatpaks developers will define the versions of dependencies that are required for an application to run and that exact version is pulled in when the flatpak is installed. This makes the issue of every distro not having every version of every package moot.
Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?
They don't have to, no. But they absolutely should.
Is it because developers are often using dependencies that are ahead of release versions?
Sometimes, yes. Or the software is using a dependency that is so old that it's no longer included in a distro's package repositories.
Also, how is it so much better than images for your applications on Docker Hub?
I would say they're suited to different purposes.
Docker shines when availability is a concern and replication is desired. It's fantastic for running a swarm of applications spread across multiple machines automatically managing their lifecycles based on load. In general though, I wouldn't use Docker containers to run graphical applications. Most images are not suited for this by default, and would require you install a bunch of additional packages before you could consider running any graphical apps. Solutions to run graphical applications in Docker do exist (see x11docker), but it doesn't really seem like a common practice.
Flatpaks are designed to integrate into an existing desktops that already have a graphical environment running. Some flatpaks include the packages required for hardware acceleration (Steam, OBS) which can eliminate the need for those packages to be available via your distro's package manager.
What this means is that a distro like Alpine Linux that doesn't have an nvidia package in its repos can still run Steam because the Steam flatpak includes the nvidia driver if you have an nvidia GPU installed.
Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.
¯_(ツ)_/¯ It's a tool. Use it when it's useful, or don't.
Thanks for the detailed answer. I think I have a clearer picture of the problems it's trying to solve and the solutions it's delivering.
It also now seems connected to immutable distros I've heard about recently. So I guess the idea there is that the OS is just a tiny core set of libraries that never have to change, then the applications have their dependencies bundled, instead of requiring them as system dependencies.
I'm not convinced it's something I want as a user, but more importantly not something I need.
From a development perspective, it seems downright seductive, allowing almost total freedom of opinion.
Is it because developers are often using dependencies that are ahead of release versions?
That has been my experience recently. I had the same mindset as you until a critical piece of software I use shat the bed on Arch (LiveCaptions) that affected my being able to watch training videos for work.
Because it was time critical and I didn’t feel like possibly breaking other things for one package, I grabbed the flatpak. It came with its own nvidia driver package (mine was newer) and it worked out of the box without having to mess with anything and that was enough to change my hardline view on that.
Now it’s just another tool to use in an emergency when important things randomly break.
Can I ignore flatpak indefinitely?
Sure, at least until software you want to use is flatpak only, e.g. Bottles
Or use a stable distro, need a package newer than 2 years, and don't want spend a day compiling dependencies of dependencies.
I never use flatpaks and am doing just fine. I don't want my packages to be installed from a bunch of different places; I want it all managed by one package manager, which for me is my distro package manager. I've never noticed a problem arising out of not using flatpaks; everything I want is either already packaged for me, or I can make a package myself.
it comes down to how you use your system. if you're fine using is as described and you're on a distro that gets newest versions, keep on truckin'.
for me, I hate rebooting. I like to leave my system and return to it, be it laptop or desktop, and continue where I left off. sometimes that goes on for days, sometimes weeks. that's virtually impossible when updating both system and app stuff constantly, i.e. to get new apps you also get new kernel, mesa, plasma, whathaveyous.
so I keep my system stuff that's handled with the package manager and my app stuff separate. almost all of my GUI apps are flatpak and they are on a systemd timer so they get updated daily. my systems don't bother me with update alerts, don't do shit in the background and that's how I like it. once a month or so I do a system upgrade and reboot.
Just as my two cents, as a user - I like flatpaks because I can have up to date versions of certain applications on a more stable Debian base. I also like that application configs all go in one spot (~/.var/app/com.Example.example), and having granular permissions management per application. As for immutable distros, I'd happily use one if I wasn't already getting all the stability I need from LMDE :)
I personally like flatpak and its build system. Flatpak applications are sandboxed by default and don't require root during any part of installation, reducing the risk of malicious/broken software damaging the host. They also are available for basically any base distro, meaning i can use the same apps if a ever distrohop and i can even just copy over the config folders as if nothing happened.
FLOSS used to include the ability to build software. Perhaps that's not important anymore but now a days some developers don't attend problems with their build recipes because they only consider what they release through binaries, whether on flatpak or whatever other binary repository they like. At least I dislike that, it's ok to me some or most users would prefer to grab a bloated binary rather than building anything, but that doesn't mean forgetting about those actually wanting to build from source, or wanting to use shared libraries and software from their distros, actually that's a requirement for free/libre software repositories. Not sure if the tendency is to move the gnu+linux users into app stores like the ones on windows, now ubuntu snaps, android play store and the like. Sure there's more security with sandboxing, but nothing one can't get with firejail, and if wanting MAC as well then firejail + apparmor for example.
At any rate, just my little rant. And if you're wondering, I use AUR on Artix, and I really hope I won't have a need for a flatpak stuff.
I'm using MX Linux AHS, it is Debian based, it is always up to date, like latest firefox a few hours after it's out, kernel 6.12.17 as of today, etc.
It has no systemd, no snap, no flatpak. It just uses the good old .deb and everything is working fine.
If your distro provides everything you need then I would avoid flatpak. Getting apps to speak to each other is a pain, updates use more data, backups and restores take much longer, they don't perform as well and config files are not necessarily where you expect them to be.
I have Debian Stable on an older laptop and only install apps as flatpaks if they are not available otherwise. I also have a very new laptop with Fedora on it (because it needs a newer kernel) and have had to install more flatpaks just to make things work properly, because they include their dependencies, codecs etc which are missing in Fedora. Appimages seem to do this too and I find them preferable to flatpak because they integrate more predictably with my system. Apps are slower to launch though and have to be manually updated.
Like you, I'd prefer to just have a package manager and a single source of software and plan to go back to Debian when my newer machine is supported by it.
Yes you can. I do. If a software does not offer build instructions, which is rare, I just do not use it.
The build instructions for all flatpaks are in one repo, you could build it yourself and maintain your own registry if you wanted.