I’m admittedly yelling at cloud a bit here, but I like package managers just fine. I don’t want to have to have a plurality of software management tools. However, I also don’t want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.

I don’t develop distributed applications, but Im not understanding how it simplifies dependency management. Isn’t it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?

Don’t maintainers have to release new bundles if they contain dependencies with vulnerabilities?

Is it because developers are often using dependencies that are ahead of release versions?

Also, how is it so much better than images for your applications on Docker Hub?

Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it’s something I should adopt, or if I can continue to blissfully ignore.

  • communism@lemmy.ml
    0·
    5 hours ago

    I never use flatpaks and am doing just fine. I don’t want my packages to be installed from a bunch of different places; I want it all managed by one package manager, which for me is my distro package manager. I’ve never noticed a problem arising out of not using flatpaks; everything I want is either already packaged for me, or I can make a package myself.

  • pathief@lemmy.world
    0·
    6 hours ago

    This is what’s so great about Linux, you can use whatever the hell you want.

    Flatpaks provide some cool security functionalities like revoking network access to a specific application. Maybe you care about this, maybe you don’t.

    My personal policy is to always install from the repos. Occasionally something is only available in flathub, which is fine for me. I really understand how hard is maintaining something for every single package manager and diatributions and totally respect the devs using a format that just works everywhere. If I were to release a new Linux app, I would totally use flatpak.

    • LeFantome@programming.dev
      0·
      4 hours ago

      Same boat. As a user, I greatly prefer everything to come from the repos. However, as a distributor, Flatpak makes so much more sense.

      The only Flatpak I have installed is pgAdmin. I looked at the build on Flathub with the idea of porting the package myself but got scared off. It was a maze of Python dependencies running in Electron. That seems like exactly the kind of thing that may be better off in its own sandbox.

  • Mwa@lemm.eeEnglish
    0·
    7 hours ago

    Personally it depends on distro and package manager.
    If your on arch yes you can in a easyish way some aur packages may require you to compile it.
    Other distros you can either compile the software from source or convert .deb to .rpm (for example) this is mediumish and takes time to do.

  • Papamousse@beehaw.org
    0·
    9 hours ago

    I’m using MX Linux AHS, it is Debian based, it is always up to date, like latest firefox a few hours after it’s out, kernel 6.12.17 as of today, etc.

    It has no systemd, no snap, no flatpak. It just uses the good old .deb and everything is working fine.

  • onlinepersona@programming.devEnglish
    0·
    9 hours ago

    Adopt nix and you will be able to ignore it forever! 😉

    Seriously though, as others have said, use whatever fits you best. I avoided snaps and flatpaks due to the increased size requirements. So many things were duplicated for no apparent benefit (to me). However, with their introduction of permissions and portals, it does seem like a safer option. Although, we’re in a phase right now where not everything is flatpakked and applications trying to talk to each other is a pain (keepassxc unable to talk to flatpak firefox librewolf, chromium, etc.).

    Now that I use nix, I have a whole bunch of other problems, but at least getting packages is quite low on the list.

    Anti Commercial-AI license

      • onlinepersona@programming.devEnglish
        0·
        5 hours ago

        I wasn’t being very serious about nix. IMO, it’s quite the time investment due to its poor documentation and it has a lot of gotcha’s if you aren’t on NixOS e.g one example is that it’s great for terminal applications, but horrendous for GUI applications as it’ll be hit or miss. Again, this is if you’re not on NixOS. So, it can feel like an “all or nothing” approach.

        If you have the time and will, then it can be very rewarding. But if you just "want something that works ™ " side by side in your current system, personally, I wouldn’t recommend it - unless it’s hidden by some other tool like devenv (which is a great tool for reproducible developer environments).

        Anti Commercial-AI license

  • d_k_bo@feddit.org
    0·
    10 hours ago

    As someone who develops an distributes a small application exclusively on Flathub, I prefer that everyone uses the exact same package on every system. That way I know that if something doesn’t work, the issue should be easy to reproduce.

    Recently, there was a situation where a user indicated in the comments of a release announcement that a newly introduced feature “doesn’t work”. It turned out that they installed a third-party package from the AUR (that wasn’t updated yet) without knowing that this isn’t the official and up to date version.

    • LeFantome@programming.dev
      0·
      6 hours ago

      It just has to always be the first question in a big report or forum question. Have they verified their issue with the Flatpak version?

      I prefer packages from the AUR myself but I do not expect the software authors to support me. Distros need to support their own packages but the AUR is not part of the Arch distro. Arch does not support the AUR. The only support I should expect would be from the package author (the AUR package) and they likely do not have the ability.

      I think the right way to understand Flatpak is that it is essentially its own Linux distro without a kernel. You have to be running that version if you expect support. People think of Flatpak as a “sandbox” which it is. But it is also like running an app in a Docker container or Distrobox where you have to pick a distro to run in the container. With Flatpak, you are running on the “freedesktop” distro. It is not the same environment as the rest of your system (right down to the filesystem layout and C library).

    • corsicanguppy@lemmy.caEnglish
      0·
      7 hours ago

      This seems to be a dependency failure.

      I’m sad that we had this solved 20 years ago. It’s like Texas measles.

      • Mayoman68@lemmy.world
        0·
        4 hours ago

        What do you mean by this? Flatpak definitely solved the Linux distro balkanization problem for application developers without trying to destroy the benefits of having different distros. Having a distinction between system software, utilities, and advanced end user applications does solve a problem.

  • ColdWater@lemmy.ca
    0·
    11 hours ago

    Arch based distros (except for Manjaro) has every FOSS and some proprietary software on the AUR

    • LeFantome@programming.dev
      0·
      6 hours ago

      Let me try to clarify what you are saying.

      You are saying that the AUR “has every FOSS and some proprietary software”. Yep. That is why I add an Arch Distrobox to every system regardless of the host distro.

      But what do you mean by “except Manjaro”? Most Manjaro fans will say that Manjaro also supports the AUR. They are correct that you can certainly enable it and start installing packages from there.

      I assume you are warning that, because Manjaro maintains its own base repos and has different package versions in it than Arch does, that Manjaro is incompatible with the AUR and that using the AUR with Manjaro will cause problems. If that is what you are saying, I agree with you.

  • dingdongitsabear@lemmy.ml
    0·
    11 hours ago

    it comes down to how you use your system. if you’re fine using is as described and you’re on a distro that gets newest versions, keep on truckin’.

    for me, I hate rebooting. I like to leave my system and return to it, be it laptop or desktop, and continue where I left off. sometimes that goes on for days, sometimes weeks. that’s virtually impossible when updating both system and app stuff constantly, i.e. to get new apps you also get new kernel, mesa, plasma, whathaveyous.

    so I keep my system stuff that’s handled with the package manager and my app stuff separate. almost all of my GUI apps are flatpak and they are on a systemd timer so they get updated daily. my systems don’t bother me with update alerts, don’t do shit in the background and that’s how I like it. once a month or so I do a system upgrade and reboot.

  • kixik@lemmy.ml
    0·
    11 hours ago

    FLOSS used to include the ability to build software. Perhaps that’s not important anymore but now a days some developers don’t attend problems with their build recipes because they only consider what they release through binaries, whether on flatpak or whatever other binary repository they like. At least I dislike that, it’s ok to me some or most users would prefer to grab a bloated binary rather than building anything, but that doesn’t mean forgetting about those actually wanting to build from source, or wanting to use shared libraries and software from their distros, actually that’s a requirement for free/libre software repositories. Not sure if the tendency is to move the gnu+linux users into app stores like the ones on windows, now ubuntu snaps, android play store and the like. Sure there’s more security with sandboxing, but nothing one can’t get with firejail, and if wanting MAC as well then firejail + apparmor for example.

    At any rate, just my little rant. And if you’re wondering, I use AUR on Artix, and I really hope I won’t have a need for a flatpak stuff.

  • Churbleyimyam@lemm.ee
    0·
    13 hours ago

    If your distro provides everything you need then I would avoid flatpak. Getting apps to speak to each other is a pain, updates use more data, backups and restores take much longer, they don’t perform as well and config files are not necessarily where you expect them to be.

    I have Debian Stable on an older laptop and only install apps as flatpaks if they are not available otherwise. I also have a very new laptop with Fedora on it (because it needs a newer kernel) and have had to install more flatpaks just to make things work properly, because they include their dependencies, codecs etc which are missing in Fedora. Appimages seem to do this too and I find them preferable to flatpak because they integrate more predictably with my system. Apps are slower to launch though and have to be manually updated.

    Like you, I’d prefer to just have a package manager and a single source of software and plan to go back to Debian when my newer machine is supported by it.

  • Decker108@lemmy.ml
    0·
    13 hours ago

    Sure you can! Just run alias flatpak=snap and you’ll be golden.

    (I’ll show myself out…)

  • jokeyrhyme@lemmy.mlEnglish
    0·
    14 hours ago

    Can I ignore flatpak indefinitely?

    Sure, at least until software you want to use is flatpak only, e.g. Bottles

    • Shareni@programming.dev
      0·
      14 hours ago

      Or use a stable distro, need a package newer than 2 years, and don’t want spend a day compiling dependencies of dependencies.

  • Arthur Besse@lemmy.mlMEnglish
    0·
    14 hours ago

    Downsides of distro pacakges:

    • someone needs to package an application for each distro
    • applications often need to maintain support for multiple versions of some of their dependencies to be able to continue to work on multiple distros
    • users of different distros use different versions of the application, creating more support work for upstream
    • users of some distros can’t use the application at all because there is no package
    • adding 3rd party package repos is dangerous; every package effectively gets root access, and in many cases every repo has the ability to replace any distro-provided package by including one with a higher version number. 3rd party repos bring the possibility of breaking your system through malice or incompetence.

    Downsides of flatpak:

    • application maintainers are responsible for shipping shipping their dependencies, and may not be as competent at shipping security updates as distro security teams
    • more disk space is used by applications potentially bringing their own copies of the same dependencies

    🤔

    • argon@lemmy.today
      0·
      13 hours ago

      Another upside is the easy permission management.

      You can revoke network access from your password manager to reduce attack surface; you can revoke camera access from your chat app to prevent accidentaly enabling it; You can restrict an app’s file system access to prevent unwanted changes; etc.

      It’s not yet fit to protect from malicious apps, but it still finds some use.

      • Arthur Besse@lemmy.mlMEnglish
        0·
        5 hours ago

        It’s not yet fit to protect from malicious apps, but it still finds some use.

        That it is “not yet fit to protect from malicious apps” is an important point which I think many people are not aware of.

        This makes sandboxing something of a mixed bag; it is nice that it protects against some types of incompetent packages, and adds another barrier which attackers exploiting vulnerabilities might need to bypass, but on the other hand it creates a dangerous false sense of security today because, despite the fact that it is still relatively easy to circumvent, it it makes people feel safer (and thus more likely to) than they would be otherwise when installing possibly-malicious apps packaged by random people.

        I think (and hope) it is much harder to get a malicious program included in most major distros’ main package repos than it is to break out of bubblewrap given the permissions of an average package of flathub.

    • warmaster@lemmy.world
      0·
      8 hours ago

      The build instructions for all flatpaks are in one repo, you could build it yourself and maintain your own registry if you wanted.