it was really for cross-distro GUI desktop applications. I saw it's used in embedded linux projects that has no GUI, for its portability at a heavy price(flatpak is quite fat, it needs to install a full sandbox)
I chose flatpak some time ago over snaps for gui apps and I don't remember why. I think there are benefits to packaging software this way (especially for immutable OS images) but at the same time there are so many negatives too. I hope they make it more of a priority. Or something better comes out on top.
It still isn't possible to package Tailscale or anything that creates a virtual interface as a Flatpak because there is no permission for that. macOS has an API to ask for permissions to add an interface/change routes.
Thanks to said API, Tailscale on MacOS is even distributed as a sandboxed app through the Mac App Store [1]. Flatpak's restrictions make certain classes of software difficult to use on "atomic" Linux distros like Silverblue or Bluefin that provide a read-only base system and expect users to get their software through Flatpak.
I daily drive an immutable Fedora spin and if I wanted to install Tailscale I would most likely add it to the base image via `rpm-ostree` instead of trying to reach for Flatpak - not because i'm aware of the issues but because it makes more sense to me to add a more system-wide networking layer to the base image.
That being said there are many apps that are not packaged as Flatpaks that I end up adding to the base layer out of necessity which I would have liked to use as Flatpaks.
I'm not sure I'd install tailscale as a flatpak even if it were possible. I've always seen flatpak as a way to install large, potentially crappy desktop applications without polluting your system. OBS studio is a perfect example - it's a great app but it's the only one I use that uses QT, thanks to flatpak I don't even have the QT libraries installed on my system.
Tailscale is more like a system service that I'd prefer a distro package for (Arch Linux repos contain Tailscale, btw).
You don't have QT libraries installed on your system. You just have then in some archive somewhere along with a bunch of copies of stuff you do already have installed on your system.
Im not really much of a flatpak user but to me it seems like permission system on top of Linux is an incredible undertaking. Solving both packaging and retrofitting permissions at the same time seems too big of a cookie to swallow. I don’t know whether the permission system is what killed the momentum and caused this seeming burnout. But it seems incredibly complex.
To me, Linux doesn’t have a granular modern permission system, and I don’t expect my package manager to solve it for me. I still run proprietary software on it, because I kind of have to. Is that an ideal situation? No. But I rather have a distribution system and vet vendors (which I’m doing anyway) than wait another decade for permissions to be perfect. Distribution, packaging and updates is the pressing need imo.
> It still isn't possible to package Tailscale or anything that creates a virtual interface as a Flatpak because there is no permission for that.
It's possible but not ideal. The application could use flatpak-spawn (to get out the sandbox) and then polkit-exec (to ask user for root perms for arbitrary use) to get root privileges on the host, but you're removing nearly all sandboxing.
Interesting read. While Flatpak does work nicely for a lot of things, the downsides are real and have me almost preferring Snap for the most part. Flatpak terminal apps are annoying, the permissions thing is annoying, sound, etc...
Interesting that the creator is thinking about the next thing already.
They could have been good, but they chose not to go down this route. This is one area Snap shines. Flathub rejects terminal only apps for this reason as well
Yet, there are a select few non-gui flatpaks.
One I use frequently is Zola [0], a static site generator that I use because it's significantly faster in building my site with 'zola serve' than the native Alpine Linux package. All I had to do to make it convenient was aliasing flatpak run org.getzola.zola to zola.
> Wick started his talk by saying that it looks like everything is great with the Flatpak project, but if one looks deeper, ""you will notice that it's not being actively developed anymore"". There are people who maintain the code base and fix security issues, for example, but ""bigger changes are not really happening anymore"". He said that there are a bunch of merge requests for new features, but no one feels responsible for reviewing them, and that is kind of problematic.
I think Red Hat should really be stepping up more here, especially since with RHEL 10 they stopped maintaining a ton of desktop packages with the advice for users of those packages being "get the package from Flathub instead of from us" (see https://docs.redhat.com/en/documentation/red_hat_enterprise_... , search for Flathub). If that's Red Hat's attitude towards desktop software, they should be providing the resources to make Flatpak a viable alternative.
> A user's Linux distribution may still be providing an older version of Flatpak that does not have support for --device=input, or whatever new feature that a Flatpak developer may wish to use. Wick said there needs to be a way for applications to use the new permissions by default, but fall back to the older permission models if used on a system with an older version of Flatpak.
I'm glad he brought that up as a problem. I maintain a game on Flathub that has audio and controller support. Because of the limited permissions granularity, that means that the game is displayed as requiring arbitrary device access (--device=input is too new, so the Flathub maintainers don't allow it in packages yet) and being able to listen to your device's microphone (the audio permission doesn't allow only accessing speakers but not microphones). I hope that Flatpak adds backwards compatibility for permissions so newer Flatpak versions can start having more granular permissions.
Red Hat has since walked some of this back. Firefox and Thunderbird were supposed to go Flatpak only for RHEL 10, but they eventually shipped rpms for GA.
Seems there were a myriad of causes for this including lack of Native Messaging, no ability to deploy policies centrally, and broken integrations with various other parts of the desktop ecosystem.
They walked back Firefox and Thunderbird, but Evolution, LibreOffice, GIMP, Inkscape, and Totem have all been dropped. Red Hat no longer packages an office suite, a raster image editor, a vector image editor, or a media player for RHEL. This means that even people using RHEL as a development workstation or something will have to download software from Flathub if they don't want to use a second computer for all their general office tasks.
Given the target of RHEL, I can’t say that I disagree with their decision to not package those applications for RHEL 10. RHEL isn’t really designed to be a user desktop. Ever since RH split out workstation and server versions of the OS, RHEL has always been targeted for servers. I don’t think the lack of an office suite will really be that impactful towards users.
This is just made all the more true if there is an alternative source for these tools, like Flathub.
You're right. And that's something I still don't quite understand.
I'd really like to know how many workstation licenses Redhat really sells. It's been so long, I didn't even realize that they still had a separate workstation license available for purchase. When you have the same distribution setup for Servers and Workstations, it seems to me that one of those flavors is going to dominate and the other will be eventually be neglected. Who are the users that are buying and using Workstation licenses?
But, when it comes down to it, I still don't see why they would want to package an Office Suite for RHEL. Or, more importantly, why a user would want to use it. RHEL is designed for stability. It's a great server OS that's well supported. Because of this, it's also known to have older versions of libraries and programs. This is okay, because many new features and fixes get backported, but it's still usually an older (stable) version of software that's included. Why would you want to have an older version of an Office Suite? Why would they want to package a newer (and riskier) version that can be installed on a server? It just doesn't make that much sense to me... it's a fundamental dichotomy between what makes a good server OS vs a good workstation OS.
Note: this give and take has been going on with Linux on the server vs Linux on the Desktop for decades. It's probably going to keep going on for decades. The things that one wants for one use case isn't what makes sense for other use cases. This is why we have different distributions, which is a good thing. The part I don't get is why RH would want to merge the two back together. Which is why I see the idea of deprecating workstation applications (as packaged by RHEL) in favor of Flatpak versions of them as a good thing from the RHEL point of view.
>Who are the users that are buying and using Workstation licenses?
Sometimes institutes and businesses that insist on support contracts, and ones from the vendor publishing the software itself. Sometimes there is actual legal red tape requiring them of such, usually its just management doing management things.
That requirement immediately cuts down the majority of their options, even if what I would describe as more sensible options exist under such a criteria.
Oh, I could guess who buys the licenses… I’m more curious about who uses them. And the real question is — what applications are being used by the users? I’m sure RH has data on what packages are being installed across their customer base (having a centralized repository does have its advantages). So, figuring out what packages to drop is probably easier for them.
Many companies use RHEL Workstation to run proprietary GUI applications. The application usually runs on RHEL Servers and uses X11 forwarding to show the GUI on the Workstation.
Running the same OS on the client and on the server makes support much simpler. ISVs may not even support more modern OSs like Fedora or Ubuntu.
Those companies don't need an Office Suite as they have Windows machines that can run Microsoft Office. They just need a Linux desktop environment that is easy to use and stays out of the way when accessing the Workstation through VNC.
You can have a stable RHEL desktop that receives few updates and Flatpak apps that are up-to-date and that update regularly.
So, Flatpak makes a distro like RHEL viable as a desktop.
The other option is Distrobox. In both cases, you are basically running an up-to-date distro for your apps and a more stable distro (RHEL) as your host.
> This is just made all the more true if there is an alternative source for these tools, like Flathub.
The point I was trying to make is that Red Hat is deprecating graphical desktop programs on RHEL and telling their customers to switch to getting them from Flathub, while a Red Hat employee giving a talk about the future of Flatpak is saying that it's not actively developed anymore and that there's nobody responsible for reviewing MRs for new features. I'm not saying that it's necessarily a bad thing that Red Hat stopped packaging graphical programs. I'm saying that since they've endorsed Flatpak as their alternative to packaged graphical programs, I wish Red Hat would put some of the development resources they've saved from no longer packaging/supporting those graphical programs into helping to improve Flatpak.
> I wish Red Hat would put some of the development resources they've saved from no longer packaging/supporting those graphical programs into helping to improve Flatpak.
I very much agree with this. It would be nice to see some better coordination and support, especially for those who are able to leverage Flatpaks to reduce their own overhead.
Desktop is not a large market for Red Hat. Even their employees mostly use Fedora.
The only place I really see RHEL workstations is in special purpose applications, and in most of those the users either have a separate Windows box, or they Citrix/RDP into the corporate Windows environment to do normal office productivity things anyway.
Ubuntu basically ate their lunch for the desktop case. It used to be that commercial software required SuSE or RedHat on the desktop to get support. But especially RedHat always suffered from the curse of being ancient compared to other desktop distros. When Ubuntu became big enough for commercial software to target, people chose that because Ubuntu was just more recent.
Also, several releases ago, RedHat already started to wind down their desktop efforts, just leaving server/container/cloud as the primary use case for RHEL, with desktops just as "this could also work". That latest decision to drop a lot of desktop related stuff is just a logical continuation of this policy.
Ubuntu was easier to install, was freely available, and had a business model. Redhat had given up on the home market, Suse sold out to Microsoft, and Fedora seemed like a best effort fork that could disappear at any moment. Plus many of us already loved Debian, and were recommending people use Ubuntu as a friendlier Debian. Being "More Recent" Had very little to do with it.
I'd be more worried about Fedora Silverblue and Kinoite, its variants which rely on Flatpak more, as their point is to experiment with a minimal immutable base OS with every user facing app installed as a Flatpak on top.
As long as Red Hat wants to stay in business selling RHEL, Fedora as a distribution is probably not going away nor losing development focus.
It's too complex. An application format shouldn't need to rely on 5 different APIs to be secure. And the apps aren't portable. I think something like WebAssembly is going to be the way forward.
I hope you're right. But how is WASM going to answer questions like "how does the application play sound?" or "how does the application request a password from the system keychain?"
WASM solves a lot of problems, but I don't think its chances of providing a uniform API to things like that are any better than Snap/Flatpak's, because those problems are fundamentally not about the runtime/packaging system. They're caused by OS functionality being a fragmented and moving target. Directly executable applications have to deal with those complexities themselves. Containerized applications in WASM/Docker/Snap/Flatpak/whatever rely on the container layer to do it. But someone's software has to chase that moving target, and it moves very fast.
Nice breakdown. I'm new to Linux and didn't know about this:
> Flatpak still uses PulseAudio even if a host system uses PipeWire. The problem with that is that PulseAudio bundles together access to speakers and microphones—you can have access to both, or neither, but not just one. So if an application has access to play sound, it also has access to capture audio
I sometimes see Linux users sneering at Windows and Mac design mistakes or lack of “freedom”… but then there’s stuff like this.
Of course, Linux is then conveniently redefined in a way that nobody can be responsible, with finger pointing on every issue, rather than admit design flaws like this plague Linux as a whole.
There sort of is, but you can't do anything with it, because you essentially have no user space utilities?
For all of the crap that people gave the term "GNU/Linux" it's even more true today considering there are Linux-based operating systems that don't use GNU utilities.
gjsman-1000 talks about "design flaws" in Linux above, but Linux is just the kernel. There is no "Linux" operating system, despite everyone, and even Linus probably? using that term.
If you call booting init and getting a black screen "an operating system," well... that's cool I guess.
I doubt Linus ever talks to the GTK people in any meaningful way, or any other desktop environment authors. So, what design flaws?
Do you call a ladder a badly designed scaffold because it doesn't have a horizontal platform? No, it's just something entirely different all together.
"GNU/Linux" can still mean too many different things. Even ChromeOS qualifies as that. You want GNU/Linux help, you need to specify what DE and everything. Or as the other comment said, what Bluetooth stack. You can say you're using Manjaro Cinnamon and either that's not specific enough, or someone says it's your fault for not using KDE.
I'm comparing to Windows or Mac. There's only one Bluetooth audio stack in Windows. If you want help with it, whatever you find online will apply to you, unless of course you've gone out of your way to swap it for another. Unlike Windows, Linux is open and people can build their own flavors, but those can have their own names.
Don't even get me started with how Ubuntu changed its entire GUI like 3 times so that it's unrecognizable each time. Feel bad for whatever IT departments had to keep taking new screenshots of how to do stuff.
…it’s just too bad that Bluetooth stack is one of the worst ever conceived, you have zero options for an alternative, and you still have to get all your help from a volunteer support team.
Bluetooth is hard. But it'd at least be easier if the Linux community weren't maxing out on complexity before even reaching the hardware. Even Windows struggled with drivers for a while.
Yep, and there are (were? It's been a while since I checked) even "distros" of FreeBSD that are specialized for desktop use. The main downside of FreeBSD is that it doesn't dumb itself down to appeal to the masses, so while it's great for experienced users it's a bit painful for newbies.
Last time I used FreeBSD, I found it more inherently user-friendly than Linux distros, mainly because it has a very nice handbook (linked in a sibling comment) with realistic examples. Also seems to have more things built in.
What made FreeBSD harder in the end was just that fewer people use it, so tons of third-party software supports Linux better, and it's easier to find online answers.
Documentation-wise it's miles ahead of Linux, mostly because it's developed as a single project rather than a bunch of pieces. Whenever I need to look up anything POSIX in a man page, I always read through FreeBSD's man page first.
Flatpack also ain't it either. Sure flatpack solves a few issues, but it introduces others and so the problem isn't solve. Maybe it will be eventually (though the lack of maintenance implies it won't be), but today it isn't solve.
I found ports works very well myself - everything kept up to date with upstream, and they take care to rebuild everything all the time so you rarely run into library ABI issues.
FreeBSD can run one of several desktops. It doesn't have a desktop though - they are all independent third party desktops. It is a subtle distinction that only rarely matters
I get that you already preempted this, but: Flatpack is a weird extra layer on top of Linux. Most distros have package managers that work just fine. These package managers predate Flatpack and basically are the main thing that the distro provides (other than the community, of course).
You, kind of, don't have much of a choice. There's thousands of packages and it's a ton of work. In addition, as Linux continues to get more popular, more vendors are releasing software that doesn't care to work with newer libraries, so Flatpack handles this nicely.
I only use Linux on servers, so the kind of stuff I need is always traditional apt-get, but yeah I always assumed using it on a PC would involve tons of snap or flatpak apps where they don't want to deal with the complexities of dependencies.
Ok, I do have one spare Linux laptop in my garage that I barely use, and I'm pretty sure how ever I installed Chromium used snap.
I mostly use Linux on my laptop. I thought you server folks needed this kind of functionality—you guys have to, like, serve stuff, be visible on the network, install weird software for business needs, right? As an individual, I can crank up the firewall, trust all of the people who use my laptop (it is just me) and not install sketchy software.
I'm not a server pro, I just use some dev servers at work and have home servers. Most I did was administer the dev servers for small startups where I was mainly a SWE. So what I mean is, I've mostly only used Linux remote+headless and not on my laptop/desktop.
I'm on Ubuntu and mostly use debs (apt), I'll use Snaps if that's the easiest way to get an update. I use Appimages for some ephemeral stuff or when that's the only way developers release it (some 3d printing stuff). I haven't installed Flatpaks at all because it doesn't jibe with the distro overall.
There are about half a dozen cross-distro packaging schemes for Linux, including Nix, Guix, AppImage, Flatpak, Snap, and 0install.
However two are mainstream and supported by large vendors: Flatpak is from the GNOME organisation and is backed by Red Hat and Fedora, and Snap is a Canonical project and part of Ubuntu, the single most widely-used distribution by a considerable margin.
My brother in christ, systemd, x11 and even GNU are weird extra layers on top of Linux. Linux is just the kernel. This is exactly what "redefining Linux so it's never responsible for 99% you need to put on top of Linux to have a functional modern OS" is about.
I explicitly acknowledged that in the other half of the sentence you partially quoted.
I also explained why I thought it was not really right to focus on the deficiencies of Flatpack… so, I’m not sure what the point in repeating that would be. In conclusion,
But those are even worse from this point of view, I have no control over which apps can access my camera, or microphone.
I'm personally disappointed that sandboxing isn't easier in Linux. I hoped it would move past Windows and Mac, imagine a world where the majority of libraries are sandboxed too, we only let compression and decompression libraries read one stream and write to another, this would improve security. This has been done by both Google (in Android) and Apple (in iOS and Mac OS X), but hasn't seen general acceptance in Linux (as far as I can tell).
Because on Linux, everything is based around trusted security since you have access to the sources whereas on iOS and Android, every single app you install could be a malware so those systems are based on untrusted security.
Hahaha, oh that is a hilarious attitude, you really believe that F/OSS means that implicit trust can be granted all across the supply chain. That I have access to the source makes a lick of difference in terms of vulnerabilities or exploits that can be found.
Once in college I cited Linus's Law in an impassioned apologia for Open Source. And I was duly corrected. Because Linus's Law really has no basis in reality.
The reason Linux has such a model of blind trust in system services and applications is because it was based on Unix, which had an even more naïve model, because mostly, it was administrators and authorized users installing that stuff, there was more top-down monitoring and control, and just a smaller incidence of naked malice.
It's the same thing we see in earlier versions of Windows, or macOS, or the Internet. Look at the Internet in the mid-90s. Was it secure, with all the open source running on it? Hell naw. Every OS and protocol is vulnerable and attacked, and every OS and protocol revises security models based on modern-day threats. F/OSS saves nobody and mitigates virtually nothing.
To answer the GP, sandboxing has to be bolted-in to Linux after the fact. Linux's POSIX model is so old and needs to be so compatible. The only sandboxing in SVR3 Unix was chroot(2), you know? The Docker support and cgroups and virtualization are all new layers, and need careful integration. Nobody says that F/OSS doesn't need sandboxing. Nobody says that F/OSS is so secure that it can deviate from better-secured models. Quite the opposite.
Android and iOS are clean starts, mostly; didn't need to be backwards compatible, so they're tuned to the latest threat models of adversarial computing as you describe. But every single app you install on Linux could be a malware, too. I have no idea what "trusted security" or "untrusted security" are, but they aren't real terms of art in Cybersecurity, and they do nothing to describe the provenance or evolution of Linux security (which often has a lot of unused mitigations such as AppArmor or SELinux that get turned off right quick.)
This is kind of a sophism, of course it's not perfect (nothing is) but I'll still trust this model over Android or iOS which have a built-in advertising id, manufacturer modifications I can't even look at and shady processes which have more power than I do.
Yep, most house doors locks won’t survive a well placed kick, but in a safer community, that’s all people have. But in less trusting neighborhoods, everyone use steel bars on windows and have an additional steel door for every wooden one.
So you still can have bad actors in the package manager model, but something like Adobe who treat user agency with contempt is less likely to happen.
So I trust my distros and its maintainers more than I trust Apple. And Apple already have most of my data via iOS.
That assumes that there are never zero days or other unpatched vulnerabilities. You should not trust applications because you have access to the source. Nobody is actively auditing the vast majority of open source code, well except of malicious actors who probably have a handful of remotes in a lot of RSS readers, chat apps, microblogging clients, etc., which they can use to compromise activists and journalist naive enough to trust desktop Linux.
A lot of Android vulnerabilities are bugs in open source parsers of untrusted data (open source as in AOSP or more widely used open source libraries). But the impact is smaller because Android has proper security boundaries. If desktop Linux was as popular as Android -- we would have a security disaster of epic proportions.
But in the mean time, I still trust a Linux distribution more than my phone when it comes to my private data.
My Linux distribution doesn't have a built-in advertising id, unknown manufacturer modifications I can't even look at or shady processes which have more power than I do.
I think it's time for the tech community to move beyond just the tech side and understand that security is also a social contract.
In today's world, attacks on your data are much more common than targeted exploits on the kernel so I would put it in opposite order. If there's no privacy then there's no security.
> Irony being that Mac OS X is the best at privacy out of the commercial OS out there.
The bar is very low and OSX is still way below a Linux distribution
Install GrapheneOS on your phone, problem solved? You get all the security sandboxing and layering of Android (plus the Titan M2 secure element). And you can decide which app stores you want to use and if you find sandboxed Google Play Services acceptable.
Maybe if somebody made a paid version of Linux for desktops, they could pay for people to do the job of designing a sandbox and store.
It sounds like not many volunteers find it very fun (which isn’t surprising, it sounds incredibly tedious, high-stakes, and annoying to work on). This isn’t the sort of thing people do for free and it also isn’t obvious what the business model is supposed to be… the incentives aren’t here.
The article is about the fact that work on Flatpack has really slowed down. So it is reasonable to wonder if maybe nobody found it useful enough to work on it.
Is there an active Flatpack community that is actually interested in it, in the same way communities form around distros and their repos? It seems like probably no…
I dunno. So far my experience with these third party store things (or whatever) is that occasionally Firefox gets switched to a Snap, requiring active intervention and possibly nuking my profile is I do it wrong. It is… pretty annoying.
Flatpak is probably the best way to distribute desktop apps on Linux. I say this as an app dev, a packager, and a user. At one point I maintained close to a dozen packages.
I eagerly waited for months to see what they would do next - what magical features they would introduce. I was active on the forums helping other users package apps, helped review Flathub submissions (since it was always the same problems each time), and started checking out what PRs were happening. Silence.
The months turned into years, and as more years came, I slowly fell away from engaging with Flatpak. I'm back to using the AUR for most things (Arch, btw), but I'm quite sad to hear the situation get spelt out. Flatpak really was revolutionary; bringing modern apps and painless distribution to all desktops - LTS or rolling release. But it hasn't really changed at all since it first took off years ago.
I feel the same. Like a few years ago Fedora + GNOME + Flatpak was the magic sauce. Not so much anymore. I’m back to Arch as well, which seems as if its package repositories have only grown. The AUR is there but I’m shocked how little I need from it.
I have almost never had a good experience with Flatpaks as a user, outside of ease of installation. They almost never integrate with the system properly. Wrong theme, wrong cursors, wrong file picker, permission issues, drag-and-drop issues. You often need extra tools that broaden the permissions of apps post-install because some feature won't work (global push-to-talk in Discord is always fun, especially with Wayland).
I couldn't care less about sandboxing if the UX sucks as a result.
If binary portability wasn't such a complete joke on Linux we wouldn't need Flatpak, but here we are.
Flatpak does have answers for this stuff but it's more the programs inside them aren't utilizing the right APIs, they are meant to use the portals api for filepickers which would use the system filepicker and securely portal stuff through the sandboxing. But many apps just don't.
Theme is also an odd one. GUI design in general has shifted away from an OS theme and more towards an app/product theme which stays consistent between the product on different platforms. Discord for example looks largely the same on Linux, Windows, iOS, and web.
Even for apps that don't use one of the native toolkits like GTK or Qt, where this has been a solved problem for decades, they should at least respond to a dark/light mode flag if they can. Flatpaks mostly don't.
They don't even have the same cursor as the system a lot of the time. It's especially cool when running display scaling when some apps shrink the cursor to a minuscule size too because of poor system integration.
I’m not sure flatpak is marketed at all. Users might describe it like that.
From my understanding if you use GTK or QT it just works but many programs have their own custom file pickers which don’t work when filesystem access has been restricted.
I believe it doesn't work for me to open a directory of HTML files in Firefox: it just opens one file, and that's it, so style sheets and links are missed.
I've worked around by running a local web server for that content, but I'd rather if it just worked. The problem is also in some apps that open web browser for their documentation by invoking them directly.
You don't need Flatpak at all to have these kind of usability issues, it is deeper than that: For example,
if you mount a samba share in the Linux Mint Cinnamon file explorer it is just good to use it from there. Accessing files from the mounted share from "external" apps is a pita (shares are mounted to some obscure path(permission issues), the apps filepickers never have the information that a share was mounted, etc.).
If you want usesful access to a samba share you have to mount it via terminal; This way at least the path to the share is short.
I think that because a lot of gtk apps use gvfs[0]. And most kde apps use kio[1]. But if you want files access through the standard syscall. You have to use the standard mount program or fuse.
I find Appimage to be better alternative to Flatpak: no install, persistent through linux installations, no issues with themes, icons, Xorg config; in practice - take fraction of flatpak storage size, optional sandboxing with external tools like firejail, easier to run from terminal / dmenu / rofi, very easy to tinker with and fix.
There's just one problem: they don't integrate with desktop without an additional application. We need a feature where dropping an AppImage into "~/.local/share/applications" would automatically detect it as a ".desktop" file and make it appear in the DE menus.
This is both a pro and a con. For example, one big downside of this approach is that it can make installing third party plugins and scripts much harder than it should be.
> There's just one problem: they don't integrate with desktop without an additional application
Their biggest problem is that they're not actually truly portable between distributions. They're a gamble of what they're compiled and bundled against, and it's possible for two distributions to not have binary compatibility with each other due to user space differences (different versions, compile flags etc). The kernel developers may not break userspace between updates, but userspace developers certainly have no qualms about breaking userspace.
When you head out of Ubuntu/Debian where developers often build AppImages on (because Linux is a neglected platform and when they think Linux they think Ubuntu), they often fail to run or have errors (e.g. on Fedora). There's more problems such as the terrible practice of encouraging people to set the execute flag on binaries they download off the web.
Flatpak avoids the dependency problem entirely because it's uses runtimes and namespace to ensure reproducible and stable runtime environments.
• The RISC OS desktop treats folders whose names begin with a pling (`!`, an exclamation mark) specially. It expects a structure inside with an icon, a launcher script, etc.
• RISC OS also had an "icon bar", a forerunner of the Windows taskbar
• One of the Acorn engineers who worked on RISC OS was head-hunted to NeXT Computer in California. He took his Archimedes with him.
I think the makers of Flatpak, Nix, Guix, and Spack -- https://spack.io/ -- all really ought to take a deep look at ROX, AppImage, and GoboLinux.
What all of these do can be done better, in a more human-readable way, if you throw away ancient UNIX assumptions about filesystem directory hierarchies.
This was mostly not designed and was in historical fact accidental anyway:
I've found AppImages less universally functioning, though. Some segfault on start or have some other weird problems later, while presumably they work great on the author's system.
They seem to work on my current systems, though, and I use a few, but flatpak has always worked on any system, and I expect it has higher chance of working as it delivers more of the system.
To make the best out of flatpak, it's best to think of it as a new sandboxed distribution that lives on your host system. E.g You could check if a specific theme is installable as a flatpak application.
Flatpaks are not perfect and I have my gripes with flatpak but the only alternative is Ubuntu's snaps.
Why do these things not work properly when apps are flatpaks? e.g. if an app tries to query the environment and ask "what's the theme", how would it get a different answer when run from a flatpak?
Different answers for different problems, but basically two reasons.
First, library/software/data versions inside the flatpak can and will be different from the ones outside. So a flatpak might as "what is the current Qt5 theme", and get the answer "don't know about Qt5, but the Qt6 theme is cute-cats-qt6" which it cannot interpret. Things like themes might not even be available inside the flatpak, so even if the answer were parseable, cute-cats-qt6 might just not be available on the inside.
Second, flatpaks are sandboxed, so things will be filtered. This means that a query might not get through, an answer might not get through, both might be altered. Or maybe an answer might be useless because "you can get the theme at /usr/share/themes/cute-cats-qt6" points to a path that the flatpak is not allowed to access.
Maybe a contrived example but shouldn't Qt6 be answering with a compatible answer if a Qt5 app asks it what the theme is? And shouldn't the app be asking what the "theme" is, rather than what the Qt5-theme is? It seems like a fundamental issue with compat between apps built for different versions of Qt more than a problem with flatpak?
And is the sandboxing perhaps going a step too far if apps can't access the things they need from the environment?
If Linux libraries had that much respect for backward compatibility, there would never had been any demand for Flatpak. Flatpak (and snap) is merely a workaround for the lack of a common "Linux platform" with comprehensive, versioned APIs analogous to the Windows API or Android API. After all, Flatpak essentially provides a way to run a distribution (provided by Flatpak runtimes) inside the host distribution.
I think that was the role of the distro to integrate a common theme for the various versions of gtk and qt. Yes, it’s often duct taped. But apart from freedesktop, we don’t have an org dictating a common API for stuff like how a graphical app interacts with the DE.
Most desktop environments / window managers support that portal and stuff like Electron does too, so for example with Slack (installed over Flatpak) in can now toggle mute even If i dont focus Slack.
STEAM on Fedora requires a bunch of incantations on the CLI to get controller support working after Flatpak installation. This pretty much solidifies its flaws as a format. "Table stakes" apps should just work.
Have you tried makedeb then as a second channel? https://www.makedeb.org/ It uses PKGBUILDs, so pretty easy to translate. It seems so well-placed to help packagers I'm not sure why it isn't heard of more.
Years ago, I wrote an on-screen display (OSD) in Java for showing keypresses and mouse clicks[1]. Someone thought a flatpack would be useful[2]. I didn't see the point. It meant: (a) maintaining two installation processes; (b) collating download stats from two sources; (c) trusting a third-party system to maintain package indexes over time[3]; (d) adding yet another package manager to a system that already has a package manager; and (e) bloating the repo with another repo.
- Easy use on immutable distros
- The user doesn't have to make sure they have the right version of Java installed
- Auto-updates even if there is no repo for your specific distro
And also you can find it through searching on Flathub I guess
> And also you can find it through searching on Flathub I guess
Did you click the third link I posted, which searches Flathub for KmCaster only to come up dry? This was point (c): You have to trust that their search engine is correct, maintained, and updated. That doesn't come for free, it takes effort, and things go wrong.
This only supports my point about having more stuff to maintain. Now there's this GitHub page having a large "Download on Flathub" link that goes absolutely nowhere because the package is unmaintained. Who makes the GitHub page go away?
Also, the image on that page is outdated, which would have been one more thing to maintain. In addition, the install instructions are four lines of code to run, compared with three lines of code to download without Flathub. My point stands: Flathub adds an unnecessary maintenance burden (to some projects).
I've switched to a flatpak-based immutable distro lately. It's great when it works. But so many niceties don't work, and then it feels like my computer is not really the fantastic tool it should be. For example:
- I had to run around with a distrobox running WINE and a bunch of permissions and kludges to run an external tool for Godot
- I gave up on the flatpak for Firefox because it can't talk to my KeepassDX flatpak
- The Godot and Krita flatpaks are oddly unstable and crash more than they did on Windows (may just be Gnome or something)
- non-flatpak tools like AppImages and .rpms feel pretty dang grungy
I want to see more cool stuff with Flatpak so seeing the state it's in is kind of a bummer.
If a packaging mechanism, respecting virtualisation had been capable of existing 30 years ago we'd have one. Now, given how the fracture lines run, we're fated to have three or more.
It's pythons virtual environment and pip-is-weak problem, magnified. It's homebrew or Mac ports or fink or pkgsrc.
Mechanisms designed after fork, are never fork neutral.
For a long time, there was a pax debiana in my world. I used Ubuntu mostly (swapped to Debian and added Fedora towards the end) and the package management was really good. APT was a great tool and I got quite chummy with its ways. It was straightforward to keep my system updated and resolve dependencies. It was way smoother than any other updater system had been, even across major system upgrades.
I sort of lost it when snap started usurping stuff. I knew it was coming, because docker was already making inroads. Then we had flatpak and company. As an admin, as a system architect, I felt that's the point when I lost control of my system. It wasn't possible to know its update state anymore. It wasn't possible to centrally manage or monitor those updates. It became a free-for-all of self-updates and shadow updates. Ubuntu was also introducing livepatch and kernel updates that went outside the apt model.
I think that perhaps it became too great a burden for the major distros to be packaging all of their own downstream packages. Perhaps they saw the opportunity to offload some of that packaging burden on a really pro service that could just package everything, and make pan-distro packages available. If Debian and RHEL packagers are doing less downstream packaging, then perhaps they could focus on their core competencies. I noticed that nearly every Ubuntu package needed to include Ubuntu-specific tweaks, and basically when Ubuntu was already downstream from Debian, why should Canonical be maintaining every damn package themselves as well?
So what's the endgame for all this? Would apt or dnf/rpm eventually get abandoned and have them go all-in on a new system? Or does the proliferation and splintering continue? Many of us said that the beauty of Linux is our freedom of choice. Well there's too much choice. Look at Distrowatch and be paralyzed by not knowing what to choose. Windows or macOS on your desktop is easy to choose because there's... one of each.
When I visited Catalonia my friend took me to Carrefour. We strolled the aisles and I spotted pig-legs (jamon serrano) on every counter. A huge selection of eggs. Everything my stomach could desire. She led me into the olives aisle and gestured around to all the olives there. She said pick whichever I want. There were so many. They were all in fancy jars. I knew nothing of olives. I left without choosing any.
Linux will die a death of a thousand cuts, until some consolidation and unification can happen that's beyond the kernel.
>APT was a great tool
you had me up until this bit lol
apt's spaghetti of software and state assumptions is horrendous. the software itself functions mostly fine for those who havent used more modern package managers, but the user experience itself is a nightmare as soon as you start needing anything outside the distro's default repos
Look, no illusions or exaggerations here; APT is an imperfect tool and it's intricate, complex and unwieldy sometimes. But please consider the status quo ante. I've run Minix-286, OpenBSD, NetBSD, SunOS, HP/UX, and Linux, and in the years between 1990-2003, there were zero package managers in use.
Like literally APT did not exist, no predecessor existed, there was absolutely no package management for those systems. Or if there was, it was by script or some bespoke framework that came with the app you downloaded. There was 100% no system-wide management of what was installed on my computers.
I've been in states of recompiling the kernel from source. I've run those "./configure" scripts that came with GNU. I've fiddled with custom kernel configuration files and Tripwire databases that tried to keep track of everything there. I've applied patches issued by Sun Microsystems.
Absolutely none of that above jumble can hold a candle to the way we use APT today. I'm sorry you suffered nightmares and needed 3rd-party stuff. But it was a dream come true to type out a one-liner and have the system upgrade itself, accounting for all dependencies, replacing all necessary files, being aware of all config updates, leaving audit trails and versioned files. Simply like falling off a log at this point.
Who would ever go back? What can be simpler? It was simply the degrading of this unified control and the loss of a singular point of management that has begun to dismay us.
I really wish Linux distributions started adopting a similar model to the BSDs. Ship a base system that's minimal but rock solid; stick to LTS kernels, etc. Issue patches/updates for security issues ONLY. Ship another major release once or twice a year. (Fedora Silverblue is kinda going in that direction.)
Everything else? Pick from Flatpak, Snap, or AppImage, but just go all-in on that. Focus all development on making the experience first-class. Let Gnome, KDE, etc ship their own builds.
The tricky question is how much to include in the base system vs Flatpak. It's kinda-obvious that for workstations, the installation media must ship enough GUI to get you a functioning desktop, a web browser, and an app manager ("store"). OpenBSD's base system includes X11 and a couple basic WMs, but the story is a bit more complex if your target audience is less technical.
This path would kinda dilute the difference between distributions, but that would actually be good for them. I already tell friends, if you want to try Linux, just pick between Ubuntu and Fedora. They're both OK.
Servers? Go all-in on Docker/Podman. There are plenty of existing distros that do exactly that.
I've installed flatpak to install VSCode/Codium to have an usable debugger for a Python project I'm working on. After some time tweaking VSCode/Codium trying to get the debbuger to work, just realized flatpak could be the problem. After another considerable amount of time trying different flatpak permissions, realized this is not a good use of my time. Installed the same packages from snap, and everything worked OK.
If not Flatpak, what is the future for portable sandboxed applications on Linux? I would love a solution where I can run semi-trusted or untrusted applications (e.g. vscode+extensions) confident that it doesn't have uncontrolled access to whatever my userid privileges permit.
Both flatpak and snap have been a bane with inconsistent behaviors, permissions bugs, and a bunch of stuff I never figured out. I got so frustrated with them that I wiped, put Debian on and just the old package systems.
I'd largely agree. Snap was what drove me away from Ubuntu, after the calculator app started taking ages to load. The calculator! It was instant before snapification.
I have played with using FlatPak, and while it seems snappier than snap, I always ended up with something not quite working, because of permissions or sandboxing. The answer to a lot of problems seemed to be "don't use the FlatPak version".
The set of software I use complex enough to need something like FlatPak while also not needing to interact with other things is basically very, very small.
Snap _was_ a bit slow in the early days. It's not any more.
I use Ubuntu 22.04, 24.04 and 25.04. Snap is pretty fast these days.
I have gone around purging all my custom repos and PPAs, removing those apps, and reinstalling the snap versions. It's just easier and it works.
I am running 3 quite elderly Thinkpads in near-daily use: an X220, T420, and W520. All Core i7, all with RAM maxed out, all with SSDs. They are perfectly usable for what I need and they have great keyboards which no more modern Thinkpads do.
Ubuntu 22.04 on a 13-year-old Thinkpad loads snap apps in an eyeblink now. I can't detect any delay compared to natively-packaged apps.
Yes, it uses a bit more disk space.
I used to remove all snaps and then `apt purge snapd` but it's not worth the extra effort any more.
See, I really don't understand how my experiences were so different from yours. Not in terms of speed, but in terms of just working. It was always things like missing or misconfigured apparmor profiles causing errors with snap and/or flatpak, sandboxes needing to run/be owned as root error messages, failure to save documents in one of my home folders, adjusting permissions for that, still doesn't work...and on and on.
I have natively-packaged browsers: Waterfox and Chrome.
In Snaps I run less essential but workaday stuff: Ferdium (my multi-protocol messaging client), Slack, Signal, Telegram, Skype (RIP), Spotify. I don't care if they can't access my filesystem; I don't want them to.
All are trouble-free for me.
I used to carefully remove all snaps, then do `apt purge snapd`, then block it from being reinstalled. After that I installed deb-get:
And then I used that to get, install, and update all the apps I needed that weren't in the Ubuntu repos.
It worked very well, but Ubuntu version upgrades were hazardous: the best result will be that the `do-release-upgrade` tool disables them all, the upgrade works fine, then you have to go through and manually re-enable them all, where necessary, editing the apt `.list` files to point to the new version of each app's repo.
It was a PITA, and that's why now, I recommend just leaving snap there.
In case anyone ever seriously contemplates a new design, here's an anecdote:
Quite a few years ago, when Flatpak was a brand new project, I met some of the original developers. I tried, and failed, to convince them to change one particular fundamental part of the design. In the original design, and today, an installed Flatpak has a name, the permissions are bound to that name, you run that Flatpak and it has its assigned permissions, and, if anything else talks to it, it talks to it by that name. If I install a VSCode Flatpak as my UID and grant it access to my Documents directory, then VSCode, running as me, has access to Documents.
I argued that this was the wrong design. If I install VSCode as me, then there should be an installed copy, and that should have approximately no significance. If I run VSCode, then the running instance should have some id (possibly ephemeral), and that instance should have a set of permissions. If I want to run VSCode with access to ~/project_a and another instance with access to ~/project_b, it should just work and the instances should not be able to access each other's data, even if they're running at the same time. If I want to run two Tailscales, it should work. If I want to fire up an ephemeral instance of Firefox, that should work, too.
However many years later, I still think I was right. Flatpak gets this wrong, MS and Apple's App Stores get this wrong, Mac OS gets this (very very) wrong, etc. There's plenty of opportunity to do better.
(This is important from a bug-mitigation perspective: a LibreOffice document that achieves RCE should not be able to access my other documents. It's also important frmo a vendor-doesn't-care-at-all perspective: VScode has basically no security to begin with, and VSCode inside Flatpak ought to have a degree of real security courtesy of Flatpak.)
Mildly OT but I have longed for this kind of app portability in Android too. Some OEMs like Xiaomi apparently took note a few years back, offering inbuilt app "duplication" features in their OS's but only for a few popular apps like WhatsApp.
Yes, that would be better, for specific instances of the running program to have a set of permissions instead. However, I think this is not the only issue.
It is what I had wanted too, not only you.
I think that the entire operating system should need to be redesigned for many reasons (I mentioned before how to design a better one), and it would have that effect, that specific instances of a running program would be given capabilities as arguments (or through other capabilities, but the first ones must be given as arguments), and these capabilities can have restricted permissions, as well as more versatile things e.g. to log access, or to go through a proxy, or to set a disk quota, etc.
You are right, but actually I think you would want to go beyond that and build a hybrid of your approach and their approach:
For your documents, you will usually want your approach. Maybe with some optinal allowance for useful things like a "recently used documents" menu or something.
But for more enviromental things, I would want at least the option of allowing all instances the same access without a lot of permission prompts later on. E.g. my git config, my fonts folder, my code snippets library, stuff like that.
I do think this would be good for power users who want strict isolation between different instances of apps (and I'd also love to see better QubesOS type approaches, using a hypervisor), but perhaps most of this kind of work should be prioritized inside the application itself, using nested sandboxing. That way, the barriers are exactly where the user expects them to be based on the normal behavior of the application. Assuming vulnerabilities in the code that glues it all together don't get explosive, of course.
Web browsers do already use a variety of sandboxing techniques to achieve separation between tabs. Some of these techniques work inside Flatpak, but some of them are broken by Flatpak:
> Ideally, Flatpak would simply support nested namespacing and nested sandboxes, but currently it does not. Flatpak uses seccomp to prevent applications in a sandbox from having direct access to user namespaces.
Some of them are replaced by Flatpak, for application developers that wish to use the APIs:
> What Flatpak does instead, currently, is to have a kind of side sandbox that applications can call to and spawn another Flatpak instance that can be restricted even further
Fortunately, it seems Wick is optimistic about UID namespacing, the main thing stopping Firefox and Chrome from fixing this:
> Wick feels that user namespaces are, nowadays, a well-tested and a much-used interface. He does not think that there is much of a good argument against user namespaces anymore.
Back to the topic of instanced Flatpaks, as I understand one snag is that there is a long-term desire (by app stores/platforms in general) for a full boot-to-userspace code-signing setup to be tied into the sandboxing. The identity of each application should remain the same (unless specifically overridden by a power user) so that a fake version of an application can't adopt an existing application's confidential encrypted files if it doesn't meet the codesigning requirements. I guess one solution here would be for the segregated instances to be nested inside the application's identity, but that's getting quite complex. And we don't even have encryption nor any functioning secure boot + confidential computing implementation yet -- all we really have so far on this front is the reverse domain name notation being verified by Flathub, with filesystem access sandboxing to keep these folders separate.
I really dislike these towers of complexity in the name of security. A PC is a general purpose device and it is mine. I don't need to have permissions per each instance, i don't want sandboxes that cannot share files with other applications and I don't want the concept of everything is a file to go away in my PC. My PC is not a single window device, nor do I run a server facing the internet. Please model the threats and adjust security with usability accordingly.
I have a reason for this: Thunderbird and firefox on Ubuntu now do not have access to the /tmp directory and instead have their own directories in some unconventional place. When i want to do something as simple as save an attachment in thunderbird and open it in another program I cannot have done to /tmp and need to put it in some permanent storage. But it gets worse due to the sandboxing. Now thunderbird cannot also show me viewer applications because it is sandboxed and does have the means to suggest other installed applications.
The computer stops being mine so it becomes the playground of architecture astronauts that think usability of said programs are always less important than security. To those people I would like them to tinker on the most secure devices in the planet [1] so they would not intrude on people trying to get things done.
The whole “server facing the Internet” attack model is real, but it’s rather out of date. Especially if you’re a programmer, the software on your machine is likely to try to attack you.
In any case, the right solution for saving files from Thunderbird has been known for years: “portals” or whatever a particular sandbox system calls it. The sandboxed code in Thunderbird asks more privileged code to pop up a file chooser, and Thunderbird gets to save the chosen file. Zero friction and excellent security. Sadly, no one has gotten the whole ecosystem to play along. Android has supported this for years and app developers complain and refuse to use the correct API. iOS apps barely support files. I think Flatpak can do this, but almost no one does it.
The threat model for a programmer is likely much more complicated than for a regular user, but not related to sandboxing.
Regarding the "server facing the internet is real", I am not sure I get your point. Could you elaborate?
The point you make about portals and how the support exists but neither Flatpack/IOS or Android ecosystems get it right is very revealing: when nobody gets it right then it likely means the design is broken. Even Fuscia failed and it was an OS built from scratch to focus on userspace isolation and contracts for IPC and syscall.
Anyway it is very unfair to the users when designs supplant existing ones breaking things that used to work. Again we are talking about very basic computer usage patterns that have existed for several decades.
> Regarding the "server facing the internet is real", I am not sure I get your point. Could you elaborate?
What I mean is: once upon a time, computers were often not really accessible to the Internet, and a server with an open port was the major attack vector. Sure, you could maybe get compromised by opening a malicious document that someone emailed you or gave you, but that was a slower-moving and more unusual attack vector. The code that you intentionally executed was largely things that you bought, possibly offline and possibly online, installed, and used for a long time.
Nowadays, everything has a web browser, but fortunately it has a decent internal sandbox. But people run "apps", and "apps" have broad permissions and, by design, execute code that comes from their supposed vendor. And people literally buy out vendors of popular apps to be able to deploy arguably malicious code to their user base. And some of these "apps" and plenty of developer applications, by design, run code or the equivalent of native code (thanks, Apple, for your lovely incoherent policies about code integrity) that come from third parties, and possibly from the fourth parties selected by those third parties, etc, and auto-update this code. Increasingly, people do things like running MCP, which is basically a tool to give a remote system remote control of your system. And, in my book, on client machines (e.g. the kind that are likely to use Flatpak or similar systems, all these things are more important attack vectors than servers facing the Internet.
That is the problem, though. It was never yours. It belonged to app developers, some of them potentially nefarious. When you have thousands of packages supporting your desktop environment, the only sane security model is to treat everything like a threat, and make permissions opt-in, not opt-out. X for example just lets every program spy on your keyboard input, sample memory /framebuffers, etc.
In the end, when it comes to security, the average user doesn't know best and should let the people who do design the systems. This is why we have seatbelt and child endangerment laws.
> That is the problem, though. It was never yours. It belonged to app developers, some of them potentially nefarious.
But it has been mine for decades and nefarious developers somehow weren't a real issue in my distro's repositories for this whole time. It's a self-inflicted problem.
Supply chain attacks have been an issue as long as you've relied on distributions. I can point to plenty examples in the wild, but you don't have wait for an incident to occur before creating a safer userspace.
Even if you’re right about how software packages should work (I tend to agree), whether Flatpak should take on enforcing this model is a whole other question.
As far as I know, older packaging systems like dnf/yum and apt allow what Flatpak allows.
Maybe the developers just wanted to focus on being a good packaging system, which as we’re seeing is a hard enough job, and not on changing the permission model of packaging systems. Seems reasonable?
You may be right. And it’s even possible that the flatpak developers believed you were right.
And it mah still not have been the right decision because when it comes to products like Flatpak there are a lot of considerations beyond just what the best technically correct choice is.
For example, based only on your comment, basically every other OS does it the same way Flatpak does it. So if the Flatpak developers had done it the technically correct way like you suggested, it may have been enough of a burden for app developers, especially multiplatform app decelopers, that they wouldn’t have used Flatpak in the first place.
I see the real utility these tools are providing to many folks, but ...
It just feels so ugly. Square peg meets round hole.
We built all these tools for defining security boundaries for user-installed applications, and it turned out that the Linux packaging/distribution landscape was such a wasteland that people spent a lot of time duct taping software distribution artifact reproducibility onto the security-boundary tools.
So now we're in this weird worst-of-all-worlds spot:
The simplicity, performance, and decades of work we spent to make it easy to develop powerful applications that run directly on userland is now bifurcated/trifurcated and a mess. The legibility of "I want to run an application that dynamically links a cryptography library; that library is provided by the distro and I know it is both patched and compatible with the rest of the distro" or "my application can access files/devices at /path/to/whatever and use those resources if it has permission to do so" is buried under tons of container indirection.
Meanwhile, as TFA explains in detail, the actual security/encapsuation boundaries that these tools were originally built for proved to be a fast-moving target for which tons of support is still missing years later.
We can see the possibilities of what could have been in other systems. Take BSD's pledge(2) for example: its approach is so aggressively oriented towards only solving the security problem that I can't really imagine a world where the pledge/capability system "grew" a packaging/distribution ecosystem the way Snap and Flatpak did. Or take plan9's approach: perhaps if we had modeled the entirety of the OS in such a way that the basic SysV permissions model (users, groups, files, permissions) covered as much as possible of applications' security sandboxing needs, then things like SElinux/snap/flatpak wouldn't have ended up being necessary.
The biggest thing that got us into this state wasn't the tools, though--it was the human stuff: the tensions between "distro/package repo maintainers are burnt out and want to support a relatively small number of dependency targets and ways to add things to the package graph on a given OS"; "app developers want to make complex software available to users as quickly as possible"; and "users are very willing to do insecure things to get new applications to run, but are generally unwilling to do complex things (configure/make, customize AUR sources, know what nix is) in order to install stuff".
Fast forward a few years, add a lot of false starts and other bullshit due to dueling desktop environments/compositors/audio systems, and where we ended up is not good.
The current situation is basically:
"Come on down to DLL hell but way worse, we have: tons of brittleness when apps want to talk to the rest of the OS (sucks for users--but only when apps need rare and advanced functionality like ... uuuh basic audio playback), all baked into highly complex container systems (sucks for application authors) aimed at delivering apps that each package their own look/feel/OS integrations (sucks for distro maintainers and consistency of UX) in massive "it's not actually static linking, I promise" images, each of which contains 75% of an OS, running on leaky isolates (sucks for the security patchers) with an update story of "just download the universe again" (sucks for bandwidth/CDN costs)."
Like, I understand how we got here. I get that it's better than the bad old days of "but which autoconf?"/"I just wanted to update my browser but then glibc-2.11-compat-compat-compat-but-for-real-this-time-FINAL updated and broke my bootloader". And I get that some of those areas might improve over time (e.g. OCI images help with redownload-the-world; eventua...
It still irks me that AppImages (the unambiguously superior choice) are not more successful than Flatpak or Snap solely because Linux users (in their characteristic laziness) are only used to getting their software from monolith stores and repositories.
I love AppImages, but Flatpak tried to go way beyond - centralized updates, sandboxing/permissions system, package once, run on many distributions...
Getting software from repositories is not just laziness, you automatically get updates and the software from repos is supposed to work with your distro, that apparently is not always true with AppImages.
I'm not an open source maintainer or even a dev, but it seems bonkers to me that with all the numerous distributions out there, all facing the same problem of package management, that they couldn't just refocus their combined efforts toward improving Flatpak and guiding it toward universal adoption.
271 comments
[ 4.1 ms ] story [ 261 ms ] threadIt still isn't possible to package Tailscale or anything that creates a virtual interface as a Flatpak because there is no permission for that. macOS has an API to ask for permissions to add an interface/change routes.
[1] https://tailscale.com/kb/1016/install-mac
Tailscale is more like a system service that I'd prefer a distro package for (Arch Linux repos contain Tailscale, btw).
To me, Linux doesn’t have a granular modern permission system, and I don’t expect my package manager to solve it for me. I still run proprietary software on it, because I kind of have to. Is that an ideal situation? No. But I rather have a distribution system and vet vendors (which I’m doing anyway) than wait another decade for permissions to be perfect. Distribution, packaging and updates is the pressing need imo.
It's possible but not ideal. The application could use flatpak-spawn (to get out the sandbox) and then polkit-exec (to ask user for root perms for arbitrary use) to get root privileges on the host, but you're removing nearly all sandboxing.
Interesting that the creator is thinking about the next thing already.
They could have been good, but they chose not to go down this route. This is one area Snap shines. Flathub rejects terminal only apps for this reason as well
[0]: https://flathub.org/apps/org.getzola.zola
Edit: I could be misremembering, but there was an attempt to add donations. Maybe it was rejected
I think Red Hat should really be stepping up more here, especially since with RHEL 10 they stopped maintaining a ton of desktop packages with the advice for users of those packages being "get the package from Flathub instead of from us" (see https://docs.redhat.com/en/documentation/red_hat_enterprise_... , search for Flathub). If that's Red Hat's attitude towards desktop software, they should be providing the resources to make Flatpak a viable alternative.
> A user's Linux distribution may still be providing an older version of Flatpak that does not have support for --device=input, or whatever new feature that a Flatpak developer may wish to use. Wick said there needs to be a way for applications to use the new permissions by default, but fall back to the older permission models if used on a system with an older version of Flatpak.
I'm glad he brought that up as a problem. I maintain a game on Flathub that has audio and controller support. Because of the limited permissions granularity, that means that the game is displayed as requiring arbitrary device access (--device=input is too new, so the Flathub maintainers don't allow it in packages yet) and being able to listen to your device's microphone (the audio permission doesn't allow only accessing speakers but not microphones). I hope that Flatpak adds backwards compatibility for permissions so newer Flatpak versions can start having more granular permissions.
Seems there were a myriad of causes for this including lack of Native Messaging, no ability to deploy policies centrally, and broken integrations with various other parts of the desktop ecosystem.
This is just made all the more true if there is an alternative source for these tools, like Flathub.
Didn't that get undone with RHEL 8?
I'd really like to know how many workstation licenses Redhat really sells. It's been so long, I didn't even realize that they still had a separate workstation license available for purchase. When you have the same distribution setup for Servers and Workstations, it seems to me that one of those flavors is going to dominate and the other will be eventually be neglected. Who are the users that are buying and using Workstation licenses?
But, when it comes down to it, I still don't see why they would want to package an Office Suite for RHEL. Or, more importantly, why a user would want to use it. RHEL is designed for stability. It's a great server OS that's well supported. Because of this, it's also known to have older versions of libraries and programs. This is okay, because many new features and fixes get backported, but it's still usually an older (stable) version of software that's included. Why would you want to have an older version of an Office Suite? Why would they want to package a newer (and riskier) version that can be installed on a server? It just doesn't make that much sense to me... it's a fundamental dichotomy between what makes a good server OS vs a good workstation OS.
Note: this give and take has been going on with Linux on the server vs Linux on the Desktop for decades. It's probably going to keep going on for decades. The things that one wants for one use case isn't what makes sense for other use cases. This is why we have different distributions, which is a good thing. The part I don't get is why RH would want to merge the two back together. Which is why I see the idea of deprecating workstation applications (as packaged by RHEL) in favor of Flatpak versions of them as a good thing from the RHEL point of view.
Sometimes institutes and businesses that insist on support contracts, and ones from the vendor publishing the software itself. Sometimes there is actual legal red tape requiring them of such, usually its just management doing management things. That requirement immediately cuts down the majority of their options, even if what I would describe as more sensible options exist under such a criteria.
Running the same OS on the client and on the server makes support much simpler. ISVs may not even support more modern OSs like Fedora or Ubuntu.
Those companies don't need an Office Suite as they have Windows machines that can run Microsoft Office. They just need a Linux desktop environment that is easy to use and stays out of the way when accessing the Workstation through VNC.
You can have a stable RHEL desktop that receives few updates and Flatpak apps that are up-to-date and that update regularly.
So, Flatpak makes a distro like RHEL viable as a desktop.
The other option is Distrobox. In both cases, you are basically running an up-to-date distro for your apps and a more stable distro (RHEL) as your host.
The point I was trying to make is that Red Hat is deprecating graphical desktop programs on RHEL and telling their customers to switch to getting them from Flathub, while a Red Hat employee giving a talk about the future of Flatpak is saying that it's not actively developed anymore and that there's nobody responsible for reviewing MRs for new features. I'm not saying that it's necessarily a bad thing that Red Hat stopped packaging graphical programs. I'm saying that since they've endorsed Flatpak as their alternative to packaged graphical programs, I wish Red Hat would put some of the development resources they've saved from no longer packaging/supporting those graphical programs into helping to improve Flatpak.
I very much agree with this. It would be nice to see some better coordination and support, especially for those who are able to leverage Flatpaks to reduce their own overhead.
The only place I really see RHEL workstations is in special purpose applications, and in most of those the users either have a separate Windows box, or they Citrix/RDP into the corporate Windows environment to do normal office productivity things anyway.
Also, several releases ago, RedHat already started to wind down their desktop efforts, just leaving server/container/cloud as the primary use case for RHEL, with desktops just as "this could also work". That latest decision to drop a lot of desktop related stuff is just a logical continuation of this policy.
As long as Red Hat wants to stay in business selling RHEL, Fedora as a distribution is probably not going away nor losing development focus.
WASM solves a lot of problems, but I don't think its chances of providing a uniform API to things like that are any better than Snap/Flatpak's, because those problems are fundamentally not about the runtime/packaging system. They're caused by OS functionality being a fragmented and moving target. Directly executable applications have to deal with those complexities themselves. Containerized applications in WASM/Docker/Snap/Flatpak/whatever rely on the container layer to do it. But someone's software has to chase that moving target, and it moves very fast.
> Flatpak still uses PulseAudio even if a host system uses PipeWire. The problem with that is that PulseAudio bundles together access to speakers and microphones—you can have access to both, or neither, but not just one. So if an application has access to play sound, it also has access to capture audio
That's a pretty decent sized hole.
Of course, Linux is then conveniently redefined in a way that nobody can be responsible, with finger pointing on every issue, rather than admit design flaws like this plague Linux as a whole.
For all of the crap that people gave the term "GNU/Linux" it's even more true today considering there are Linux-based operating systems that don't use GNU utilities.
gjsman-1000 talks about "design flaws" in Linux above, but Linux is just the kernel. There is no "Linux" operating system, despite everyone, and even Linus probably? using that term.
If you call booting init and getting a black screen "an operating system," well... that's cool I guess.
I doubt Linus ever talks to the GTK people in any meaningful way, or any other desktop environment authors. So, what design flaws?
Do you call a ladder a badly designed scaffold because it doesn't have a horizontal platform? No, it's just something entirely different all together.
I'm comparing to Windows or Mac. There's only one Bluetooth audio stack in Windows. If you want help with it, whatever you find online will apply to you, unless of course you've gone out of your way to swap it for another. Unlike Windows, Linux is open and people can build their own flavors, but those can have their own names.
Don't even get me started with how Ubuntu changed its entire GUI like 3 times so that it's unrecognizable each time. Feel bad for whatever IT departments had to keep taking new screenshots of how to do stuff.
https://docs.freebsd.org/en/books/handbook/desktop/
What made FreeBSD harder in the end was just that fewer people use it, so tons of third-party software supports Linux better, and it's easier to find online answers.
I found ports works very well myself - everything kept up to date with upstream, and they take care to rebuild everything all the time so you rarely run into library ABI issues.
Interestingly he has had arguments with them over the years, most fervently related to the development of https://subsurface-divelog.org/
Ok, I do have one spare Linux laptop in my garage that I barely use, and I'm pretty sure how ever I installed Chromium used snap.
Flatpack is useful for the few ones that aren’t or for actively developed apps that get new useful features frequently.
I'm on Ubuntu and mostly use debs (apt), I'll use Snaps if that's the easiest way to get an update. I use Appimages for some ephemeral stuff or when that's the only way developers release it (some 3d printing stuff). I haven't installed Flatpaks at all because it doesn't jibe with the distro overall.
Debian: probably, yes.
Ubuntu derivatives such as Mint, Zorin OS, and ArduinOS use Flatpak instead.
Others, such as Asmi and Linux Lite, remove snap and offer the user the option of adding it back if they wish.
The first version with snap as standard was 16.04 in 2016:
https://ubuntu.com/blog/canonical-unveils-6th-lts-release-of...
However Ubuntu Core, its immutable distro built entirely from snap packages, was launched in 2014 and there was a Core version of Ubuntu 12:
https://old-releases.ubuntu.com/releases/ubuntu-core/release...
There are about half a dozen cross-distro packaging schemes for Linux, including Nix, Guix, AppImage, Flatpak, Snap, and 0install.
However two are mainstream and supported by large vendors: Flatpak is from the GNOME organisation and is backed by Red Hat and Fedora, and Snap is a Canonical project and part of Ubuntu, the single most widely-used distribution by a considerable margin.
My brother in christ, systemd, x11 and even GNU are weird extra layers on top of Linux. Linux is just the kernel. This is exactly what "redefining Linux so it's never responsible for 99% you need to put on top of Linux to have a functional modern OS" is about.
I also explained why I thought it was not really right to focus on the deficiencies of Flatpack… so, I’m not sure what the point in repeating that would be. In conclusion,
> Linux is […] exactly what […] you need
I agree!
I'm personally disappointed that sandboxing isn't easier in Linux. I hoped it would move past Windows and Mac, imagine a world where the majority of libraries are sandboxed too, we only let compression and decompression libraries read one stream and write to another, this would improve security. This has been done by both Google (in Android) and Apple (in iOS and Mac OS X), but hasn't seen general acceptance in Linux (as far as I can tell).
Once in college I cited Linus's Law in an impassioned apologia for Open Source. And I was duly corrected. Because Linus's Law really has no basis in reality.
https://en.wikipedia.org/wiki/Linus%27s_law
The reason Linux has such a model of blind trust in system services and applications is because it was based on Unix, which had an even more naïve model, because mostly, it was administrators and authorized users installing that stuff, there was more top-down monitoring and control, and just a smaller incidence of naked malice.
It's the same thing we see in earlier versions of Windows, or macOS, or the Internet. Look at the Internet in the mid-90s. Was it secure, with all the open source running on it? Hell naw. Every OS and protocol is vulnerable and attacked, and every OS and protocol revises security models based on modern-day threats. F/OSS saves nobody and mitigates virtually nothing.
To answer the GP, sandboxing has to be bolted-in to Linux after the fact. Linux's POSIX model is so old and needs to be so compatible. The only sandboxing in SVR3 Unix was chroot(2), you know? The Docker support and cgroups and virtualization are all new layers, and need careful integration. Nobody says that F/OSS doesn't need sandboxing. Nobody says that F/OSS is so secure that it can deviate from better-secured models. Quite the opposite.
Android and iOS are clean starts, mostly; didn't need to be backwards compatible, so they're tuned to the latest threat models of adversarial computing as you describe. But every single app you install on Linux could be a malware, too. I have no idea what "trusted security" or "untrusted security" are, but they aren't real terms of art in Cybersecurity, and they do nothing to describe the provenance or evolution of Linux security (which often has a lot of unused mitigations such as AppArmor or SELinux that get turned off right quick.)
Security is also a social contract.
So you still can have bad actors in the package manager model, but something like Adobe who treat user agency with contempt is less likely to happen.
So I trust my distros and its maintainers more than I trust Apple. And Apple already have most of my data via iOS.
A lot of Android vulnerabilities are bugs in open source parsers of untrusted data (open source as in AOSP or more widely used open source libraries). But the impact is smaller because Android has proper security boundaries. If desktop Linux was as popular as Android -- we would have a security disaster of epic proportions.
My Linux distribution doesn't have a built-in advertising id, unknown manufacturer modifications I can't even look at or shady processes which have more power than I do.
I think it's time for the tech community to move beyond just the tech side and understand that security is also a social contract.
Irony being that Mac OS X is the best at privacy out of the commercial OS out there.
> Irony being that Mac OS X is the best at privacy out of the commercial OS out there.
The bar is very low and OSX is still way below a Linux distribution
It sounds like not many volunteers find it very fun (which isn’t surprising, it sounds incredibly tedious, high-stakes, and annoying to work on). This isn’t the sort of thing people do for free and it also isn’t obvious what the business model is supposed to be… the incentives aren’t here.
[0] An example https://flathub.org/apps/vet.rsc.OpenRSC.Launcher
I dunno. So far my experience with these third party store things (or whatever) is that occasionally Firefox gets switched to a Snap, requiring active intervention and possibly nuking my profile is I do it wrong. It is… pretty annoying.
[0] https://discourse.flathub.org/
Flatpak is probably the best way to distribute desktop apps on Linux. I say this as an app dev, a packager, and a user. At one point I maintained close to a dozen packages.
I eagerly waited for months to see what they would do next - what magical features they would introduce. I was active on the forums helping other users package apps, helped review Flathub submissions (since it was always the same problems each time), and started checking out what PRs were happening. Silence.
The months turned into years, and as more years came, I slowly fell away from engaging with Flatpak. I'm back to using the AUR for most things (Arch, btw), but I'm quite sad to hear the situation get spelt out. Flatpak really was revolutionary; bringing modern apps and painless distribution to all desktops - LTS or rolling release. But it hasn't really changed at all since it first took off years ago.
I couldn't care less about sandboxing if the UX sucks as a result.
If binary portability wasn't such a complete joke on Linux we wouldn't need Flatpak, but here we are.
Theme is also an odd one. GUI design in general has shifted away from an OS theme and more towards an app/product theme which stays consistent between the product on different platforms. Discord for example looks largely the same on Linux, Windows, iOS, and web.
They don't even have the same cursor as the system a lot of the time. It's especially cool when running display scaling when some apps shrink the cursor to a minuscule size too because of poor system integration.
From my understanding if you use GTK or QT it just works but many programs have their own custom file pickers which don’t work when filesystem access has been restricted.
I've worked around by running a local web server for that content, but I'd rather if it just worked. The problem is also in some apps that open web browser for their documentation by invoking them directly.
0: https://en.wikipedia.org/wiki/GVfs
1: https://en.wikipedia.org/wiki/KIO
There's just one problem: they don't integrate with desktop without an additional application. We need a feature where dropping an AppImage into "~/.local/share/applications" would automatically detect it as a ".desktop" file and make it appear in the DE menus.
https://www.omgubuntu.co.uk/2022/10/appimagelauncher-install...
GitHub link: https://github.com/TheAssassin/AppImageLauncher
- installing: easy to locate, install and has centralized management for updates.
- flatpaks are also persistent. User-installs are in the home dir.
- sandboxing built-in.
Can't comment on other stuff. Haven't had issues.
This is both a pro and a con. For example, one big downside of this approach is that it can make installing third party plugins and scripts much harder than it should be.
Their biggest problem is that they're not actually truly portable between distributions. They're a gamble of what they're compiled and bundled against, and it's possible for two distributions to not have binary compatibility with each other due to user space differences (different versions, compile flags etc). The kernel developers may not break userspace between updates, but userspace developers certainly have no qualms about breaking userspace.
When you head out of Ubuntu/Debian where developers often build AppImages on (because Linux is a neglected platform and when they think Linux they think Ubuntu), they often fail to run or have errors (e.g. on Fedora). There's more problems such as the terrible practice of encouraging people to set the execute flag on binaries they download off the web.
Flatpak avoids the dependency problem entirely because it's uses runtimes and namespace to ensure reproducible and stable runtime environments.
Me too.
But there is a "bigger picture" view of this which I think is important and relevant:
• AppImage encapsulates apps' requirements using the app bundle format from the ROX desktop: https://rox.sourceforge.net/desktop/
• ROX borrowed the idea of app bundles from Acorn's RISC OS, which is still around and is FOSS now: https://www.riscosopen.org/content/
• The RISC OS desktop treats folders whose names begin with a pling (`!`, an exclamation mark) specially. It expects a structure inside with an icon, a launcher script, etc.
• RISC OS also had an "icon bar", a forerunner of the Windows taskbar
• One of the Acorn engineers who worked on RISC OS was head-hunted to NeXT Computer in California. He took his Archimedes with him.
Source: an interview I arranged: https://www.theregister.com/2022/06/23/how_risc_os_happened/
• About a year later, Steve Jobs demonstrated NeXTstep 0.8 with a Dock
• NeXTstep also has app bundles, demarked by a folder called $NAME.app instead of !$NAME
This is a pervasive and influential idea. It's how macOS apps work and that can be traced to RISC OS.
NeXT style bundles are available and work on Linux if you have GNUstep. There are 2 extant GNUstep desktops:
https://onflapp.github.io/gs-desktop/index.html
https://github.com/trunkmaster/nextspace
But there is a distro which takes this idea much further and packages the _entire Linux OS_ in app-bundle directories:
https://gobolinux.org/
I think the makers of Flatpak, Nix, Guix, and Spack -- https://spack.io/ -- all really ought to take a deep look at ROX, AppImage, and GoboLinux.
What all of these do can be done better, in a more human-readable way, if you throw away ancient UNIX assumptions about filesystem directory hierarchies.
This was mostly not designed and was in historical fact accidental anyway:
https://lists.busybox.net/pipermail/busybox/2010-December/07...
They seem to work on my current systems, though, and I use a few, but flatpak has always worked on any system, and I expect it has higher chance of working as it delivers more of the system.
Flatpaks are not perfect and I have my gripes with flatpak but the only alternative is Ubuntu's snaps.
First, library/software/data versions inside the flatpak can and will be different from the ones outside. So a flatpak might as "what is the current Qt5 theme", and get the answer "don't know about Qt5, but the Qt6 theme is cute-cats-qt6" which it cannot interpret. Things like themes might not even be available inside the flatpak, so even if the answer were parseable, cute-cats-qt6 might just not be available on the inside.
Second, flatpaks are sandboxed, so things will be filtered. This means that a query might not get through, an answer might not get through, both might be altered. Or maybe an answer might be useless because "you can get the theme at /usr/share/themes/cute-cats-qt6" points to a path that the flatpak is not allowed to access.
And is the sandboxing perhaps going a step too far if apps can't access the things they need from the environment?
For example "global push-to-talk in Discord is always fun, especially with Wayland" was solved by using the [Global Shortcuts Portal](https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.fr...).
Most desktop environments / window managers support that portal and stuff like Electron does too, so for example with Slack (installed over Flatpak) in can now toggle mute even If i dont focus Slack.
True enough I'm happy with flatpak but I never stray from the default GTK themes.
I was unhappy with flatpak until I found Flatseal, now I include it on all my workstation setups.
But I can't help you with the theming unfortunately, I think that's a sore point for a lot of users that like customizing their Linux DE.
> I'm back to using the AUR for most
Have you tried makedeb then as a second channel? https://www.makedeb.org/ It uses PKGBUILDs, so pretty easy to translate. It seems so well-placed to help packagers I'm not sure why it isn't heard of more.
Years later, I still only see drawbacks.
[1]: https://gitlab.com/DaveJarvis/KmCaster
[2]: https://github.com/flathub/com.whitemagicsoftware.kmcaster
[3]: https://flathub.org/apps/search?q=kmcaster - whoops!
- Easy use on immutable distros - The user doesn't have to make sure they have the right version of Java installed - Auto-updates even if there is no repo for your specific distro
And also you can find it through searching on Flathub I guess
Did you click the third link I posted, which searches Flathub for KmCaster only to come up dry? This was point (c): You have to trust that their search engine is correct, maintained, and updated. That doesn't come for free, it takes effort, and things go wrong.
[0] https://flathub.org/apps/com.whitemagicsoftware.kmcaster
https://github.com/flathub/com.whitemagicsoftware.kmcaster?t...
Also, the image on that page is outdated, which would have been one more thing to maintain. In addition, the install instructions are four lines of code to run, compared with three lines of code to download without Flathub. My point stands: Flathub adds an unnecessary maintenance burden (to some projects).
https://flathub.org/apps/com.whitemagicsoftware.kmcaster
https://github.com/flathub/com.whitemagicsoftware.kmcaster/p...
- I had to run around with a distrobox running WINE and a bunch of permissions and kludges to run an external tool for Godot
- I gave up on the flatpak for Firefox because it can't talk to my KeepassDX flatpak
- The Godot and Krita flatpaks are oddly unstable and crash more than they did on Windows (may just be Gnome or something)
- non-flatpak tools like AppImages and .rpms feel pretty dang grungy
I want to see more cool stuff with Flatpak so seeing the state it's in is kind of a bummer.
It's pythons virtual environment and pip-is-weak problem, magnified. It's homebrew or Mac ports or fink or pkgsrc.
Mechanisms designed after fork, are never fork neutral.
Virtualised container apps have simpler dependencies.
https://m.xkcd.com/927/
For a long time, there was a pax debiana in my world. I used Ubuntu mostly (swapped to Debian and added Fedora towards the end) and the package management was really good. APT was a great tool and I got quite chummy with its ways. It was straightforward to keep my system updated and resolve dependencies. It was way smoother than any other updater system had been, even across major system upgrades.
I sort of lost it when snap started usurping stuff. I knew it was coming, because docker was already making inroads. Then we had flatpak and company. As an admin, as a system architect, I felt that's the point when I lost control of my system. It wasn't possible to know its update state anymore. It wasn't possible to centrally manage or monitor those updates. It became a free-for-all of self-updates and shadow updates. Ubuntu was also introducing livepatch and kernel updates that went outside the apt model.
I think that perhaps it became too great a burden for the major distros to be packaging all of their own downstream packages. Perhaps they saw the opportunity to offload some of that packaging burden on a really pro service that could just package everything, and make pan-distro packages available. If Debian and RHEL packagers are doing less downstream packaging, then perhaps they could focus on their core competencies. I noticed that nearly every Ubuntu package needed to include Ubuntu-specific tweaks, and basically when Ubuntu was already downstream from Debian, why should Canonical be maintaining every damn package themselves as well?
So what's the endgame for all this? Would apt or dnf/rpm eventually get abandoned and have them go all-in on a new system? Or does the proliferation and splintering continue? Many of us said that the beauty of Linux is our freedom of choice. Well there's too much choice. Look at Distrowatch and be paralyzed by not knowing what to choose. Windows or macOS on your desktop is easy to choose because there's... one of each.
When I visited Catalonia my friend took me to Carrefour. We strolled the aisles and I spotted pig-legs (jamon serrano) on every counter. A huge selection of eggs. Everything my stomach could desire. She led me into the olives aisle and gestured around to all the olives there. She said pick whichever I want. There were so many. They were all in fancy jars. I knew nothing of olives. I left without choosing any.
Linux will die a death of a thousand cuts, until some consolidation and unification can happen that's beyond the kernel.
That's underway, it's called systemd.
Soon, something like Modal Systemd Installers: `systemd-msid`
Like literally APT did not exist, no predecessor existed, there was absolutely no package management for those systems. Or if there was, it was by script or some bespoke framework that came with the app you downloaded. There was 100% no system-wide management of what was installed on my computers.
I've been in states of recompiling the kernel from source. I've run those "./configure" scripts that came with GNU. I've fiddled with custom kernel configuration files and Tripwire databases that tried to keep track of everything there. I've applied patches issued by Sun Microsystems.
Absolutely none of that above jumble can hold a candle to the way we use APT today. I'm sorry you suffered nightmares and needed 3rd-party stuff. But it was a dream come true to type out a one-liner and have the system upgrade itself, accounting for all dependencies, replacing all necessary files, being aware of all config updates, leaving audit trails and versioned files. Simply like falling off a log at this point.
Who would ever go back? What can be simpler? It was simply the degrading of this unified control and the loss of a singular point of management that has begun to dismay us.
I really wish Linux distributions started adopting a similar model to the BSDs. Ship a base system that's minimal but rock solid; stick to LTS kernels, etc. Issue patches/updates for security issues ONLY. Ship another major release once or twice a year. (Fedora Silverblue is kinda going in that direction.)
Everything else? Pick from Flatpak, Snap, or AppImage, but just go all-in on that. Focus all development on making the experience first-class. Let Gnome, KDE, etc ship their own builds.
The tricky question is how much to include in the base system vs Flatpak. It's kinda-obvious that for workstations, the installation media must ship enough GUI to get you a functioning desktop, a web browser, and an app manager ("store"). OpenBSD's base system includes X11 and a couple basic WMs, but the story is a bit more complex if your target audience is less technical.
This path would kinda dilute the difference between distributions, but that would actually be good for them. I already tell friends, if you want to try Linux, just pick between Ubuntu and Fedora. They're both OK.
Servers? Go all-in on Docker/Podman. There are plenty of existing distros that do exactly that.
Oh, hey... I made that feature. Nice to see that other people want narrower permissions, too.
I have played with using FlatPak, and while it seems snappier than snap, I always ended up with something not quite working, because of permissions or sandboxing. The answer to a lot of problems seemed to be "don't use the FlatPak version".
The set of software I use complex enough to need something like FlatPak while also not needing to interact with other things is basically very, very small.
Snap _was_ a bit slow in the early days. It's not any more.
I use Ubuntu 22.04, 24.04 and 25.04. Snap is pretty fast these days.
I have gone around purging all my custom repos and PPAs, removing those apps, and reinstalling the snap versions. It's just easier and it works.
I am running 3 quite elderly Thinkpads in near-daily use: an X220, T420, and W520. All Core i7, all with RAM maxed out, all with SSDs. They are perfectly usable for what I need and they have great keyboards which no more modern Thinkpads do.
Ubuntu 22.04 on a 13-year-old Thinkpad loads snap apps in an eyeblink now. I can't detect any delay compared to natively-packaged apps.
Yes, it uses a bit more disk space.
I used to remove all snaps and then `apt purge snapd` but it's not worth the extra effort any more.
I have natively-packaged browsers: Waterfox and Chrome.
In Snaps I run less essential but workaday stuff: Ferdium (my multi-protocol messaging client), Slack, Signal, Telegram, Skype (RIP), Spotify. I don't care if they can't access my filesystem; I don't want them to.
All are trouble-free for me.
I used to carefully remove all snaps, then do `apt purge snapd`, then block it from being reinstalled. After that I installed deb-get:
https://github.com/wimpysworld/deb-get
And then I used that to get, install, and update all the apps I needed that weren't in the Ubuntu repos.
It worked very well, but Ubuntu version upgrades were hazardous: the best result will be that the `do-release-upgrade` tool disables them all, the upgrade works fine, then you have to go through and manually re-enable them all, where necessary, editing the apt `.list` files to point to the new version of each app's repo.
It was a PITA, and that's why now, I recommend just leaving snap there.
Glad to hear they fixed the speed issues; I just moved to PopOS.
Quite a few years ago, when Flatpak was a brand new project, I met some of the original developers. I tried, and failed, to convince them to change one particular fundamental part of the design. In the original design, and today, an installed Flatpak has a name, the permissions are bound to that name, you run that Flatpak and it has its assigned permissions, and, if anything else talks to it, it talks to it by that name. If I install a VSCode Flatpak as my UID and grant it access to my Documents directory, then VSCode, running as me, has access to Documents.
I argued that this was the wrong design. If I install VSCode as me, then there should be an installed copy, and that should have approximately no significance. If I run VSCode, then the running instance should have some id (possibly ephemeral), and that instance should have a set of permissions. If I want to run VSCode with access to ~/project_a and another instance with access to ~/project_b, it should just work and the instances should not be able to access each other's data, even if they're running at the same time. If I want to run two Tailscales, it should work. If I want to fire up an ephemeral instance of Firefox, that should work, too.
However many years later, I still think I was right. Flatpak gets this wrong, MS and Apple's App Stores get this wrong, Mac OS gets this (very very) wrong, etc. There's plenty of opportunity to do better.
(This is important from a bug-mitigation perspective: a LibreOffice document that achieves RCE should not be able to access my other documents. It's also important frmo a vendor-doesn't-care-at-all perspective: VScode has basically no security to begin with, and VSCode inside Flatpak ought to have a degree of real security courtesy of Flatpak.)
It is what I had wanted too, not only you.
I think that the entire operating system should need to be redesigned for many reasons (I mentioned before how to design a better one), and it would have that effect, that specific instances of a running program would be given capabilities as arguments (or through other capabilities, but the first ones must be given as arguments), and these capabilities can have restricted permissions, as well as more versatile things e.g. to log access, or to go through a proxy, or to set a disk quota, etc.
For your documents, you will usually want your approach. Maybe with some optinal allowance for useful things like a "recently used documents" menu or something.
But for more enviromental things, I would want at least the option of allowing all instances the same access without a lot of permission prompts later on. E.g. my git config, my fonts folder, my code snippets library, stuff like that.
Web browsers do already use a variety of sandboxing techniques to achieve separation between tabs. Some of these techniques work inside Flatpak, but some of them are broken by Flatpak:
> Ideally, Flatpak would simply support nested namespacing and nested sandboxes, but currently it does not. Flatpak uses seccomp to prevent applications in a sandbox from having direct access to user namespaces.
Some of them are replaced by Flatpak, for application developers that wish to use the APIs:
> What Flatpak does instead, currently, is to have a kind of side sandbox that applications can call to and spawn another Flatpak instance that can be restricted even further
Fortunately, it seems Wick is optimistic about UID namespacing, the main thing stopping Firefox and Chrome from fixing this:
> Wick feels that user namespaces are, nowadays, a well-tested and a much-used interface. He does not think that there is much of a good argument against user namespaces anymore.
Back to the topic of instanced Flatpaks, as I understand one snag is that there is a long-term desire (by app stores/platforms in general) for a full boot-to-userspace code-signing setup to be tied into the sandboxing. The identity of each application should remain the same (unless specifically overridden by a power user) so that a fake version of an application can't adopt an existing application's confidential encrypted files if it doesn't meet the codesigning requirements. I guess one solution here would be for the segregated instances to be nested inside the application's identity, but that's getting quite complex. And we don't even have encryption nor any functioning secure boot + confidential computing implementation yet -- all we really have so far on this front is the reverse domain name notation being verified by Flathub, with filesystem access sandboxing to keep these folders separate.
I really dislike these towers of complexity in the name of security. A PC is a general purpose device and it is mine. I don't need to have permissions per each instance, i don't want sandboxes that cannot share files with other applications and I don't want the concept of everything is a file to go away in my PC. My PC is not a single window device, nor do I run a server facing the internet. Please model the threats and adjust security with usability accordingly.
I have a reason for this: Thunderbird and firefox on Ubuntu now do not have access to the /tmp directory and instead have their own directories in some unconventional place. When i want to do something as simple as save an attachment in thunderbird and open it in another program I cannot have done to /tmp and need to put it in some permanent storage. But it gets worse due to the sandboxing. Now thunderbird cannot also show me viewer applications because it is sandboxed and does have the means to suggest other installed applications.
The computer stops being mine so it becomes the playground of architecture astronauts that think usability of said programs are always less important than security. To those people I would like them to tinker on the most secure devices in the planet [1] so they would not intrude on people trying to get things done.
[1] https://en.wikipedia.org/wiki/Useless_machine
In any case, the right solution for saving files from Thunderbird has been known for years: “portals” or whatever a particular sandbox system calls it. The sandboxed code in Thunderbird asks more privileged code to pop up a file chooser, and Thunderbird gets to save the chosen file. Zero friction and excellent security. Sadly, no one has gotten the whole ecosystem to play along. Android has supported this for years and app developers complain and refuse to use the correct API. iOS apps barely support files. I think Flatpak can do this, but almost no one does it.
The threat model for a programmer is likely much more complicated than for a regular user, but not related to sandboxing.
Regarding the "server facing the internet is real", I am not sure I get your point. Could you elaborate?
The point you make about portals and how the support exists but neither Flatpack/IOS or Android ecosystems get it right is very revealing: when nobody gets it right then it likely means the design is broken. Even Fuscia failed and it was an OS built from scratch to focus on userspace isolation and contracts for IPC and syscall.
Anyway it is very unfair to the users when designs supplant existing ones breaking things that used to work. Again we are talking about very basic computer usage patterns that have existed for several decades.
What I mean is: once upon a time, computers were often not really accessible to the Internet, and a server with an open port was the major attack vector. Sure, you could maybe get compromised by opening a malicious document that someone emailed you or gave you, but that was a slower-moving and more unusual attack vector. The code that you intentionally executed was largely things that you bought, possibly offline and possibly online, installed, and used for a long time.
Nowadays, everything has a web browser, but fortunately it has a decent internal sandbox. But people run "apps", and "apps" have broad permissions and, by design, execute code that comes from their supposed vendor. And people literally buy out vendors of popular apps to be able to deploy arguably malicious code to their user base. And some of these "apps" and plenty of developer applications, by design, run code or the equivalent of native code (thanks, Apple, for your lovely incoherent policies about code integrity) that come from third parties, and possibly from the fourth parties selected by those third parties, etc, and auto-update this code. Increasingly, people do things like running MCP, which is basically a tool to give a remote system remote control of your system. And, in my book, on client machines (e.g. the kind that are likely to use Flatpak or similar systems, all these things are more important attack vectors than servers facing the Internet.
Flatpak can do it poorly. What I see is opening a file for read once gives the sandboxed app write access to that path name forever.
In the end, when it comes to security, the average user doesn't know best and should let the people who do design the systems. This is why we have seatbelt and child endangerment laws.
But it has been mine for decades and nefarious developers somehow weren't a real issue in my distro's repositories for this whole time. It's a self-inflicted problem.
As far as I know, older packaging systems like dnf/yum and apt allow what Flatpak allows.
Maybe the developers just wanted to focus on being a good packaging system, which as we’re seeing is a hard enough job, and not on changing the permission model of packaging systems. Seems reasonable?
And it mah still not have been the right decision because when it comes to products like Flatpak there are a lot of considerations beyond just what the best technically correct choice is.
For example, based only on your comment, basically every other OS does it the same way Flatpak does it. So if the Flatpak developers had done it the technically correct way like you suggested, it may have been enough of a burden for app developers, especially multiplatform app decelopers, that they wouldn’t have used Flatpak in the first place.
It just feels so ugly. Square peg meets round hole.
We built all these tools for defining security boundaries for user-installed applications, and it turned out that the Linux packaging/distribution landscape was such a wasteland that people spent a lot of time duct taping software distribution artifact reproducibility onto the security-boundary tools.
So now we're in this weird worst-of-all-worlds spot:
The simplicity, performance, and decades of work we spent to make it easy to develop powerful applications that run directly on userland is now bifurcated/trifurcated and a mess. The legibility of "I want to run an application that dynamically links a cryptography library; that library is provided by the distro and I know it is both patched and compatible with the rest of the distro" or "my application can access files/devices at /path/to/whatever and use those resources if it has permission to do so" is buried under tons of container indirection.
Meanwhile, as TFA explains in detail, the actual security/encapsuation boundaries that these tools were originally built for proved to be a fast-moving target for which tons of support is still missing years later.
We can see the possibilities of what could have been in other systems. Take BSD's pledge(2) for example: its approach is so aggressively oriented towards only solving the security problem that I can't really imagine a world where the pledge/capability system "grew" a packaging/distribution ecosystem the way Snap and Flatpak did. Or take plan9's approach: perhaps if we had modeled the entirety of the OS in such a way that the basic SysV permissions model (users, groups, files, permissions) covered as much as possible of applications' security sandboxing needs, then things like SElinux/snap/flatpak wouldn't have ended up being necessary.
The biggest thing that got us into this state wasn't the tools, though--it was the human stuff: the tensions between "distro/package repo maintainers are burnt out and want to support a relatively small number of dependency targets and ways to add things to the package graph on a given OS"; "app developers want to make complex software available to users as quickly as possible"; and "users are very willing to do insecure things to get new applications to run, but are generally unwilling to do complex things (configure/make, customize AUR sources, know what nix is) in order to install stuff".
Fast forward a few years, add a lot of false starts and other bullshit due to dueling desktop environments/compositors/audio systems, and where we ended up is not good.
The current situation is basically:
"Come on down to DLL hell but way worse, we have: tons of brittleness when apps want to talk to the rest of the OS (sucks for users--but only when apps need rare and advanced functionality like ... uuuh basic audio playback), all baked into highly complex container systems (sucks for application authors) aimed at delivering apps that each package their own look/feel/OS integrations (sucks for distro maintainers and consistency of UX) in massive "it's not actually static linking, I promise" images, each of which contains 75% of an OS, running on leaky isolates (sucks for the security patchers) with an update story of "just download the universe again" (sucks for bandwidth/CDN costs)."
Like, I understand how we got here. I get that it's better than the bad old days of "but which autoconf?"/"I just wanted to update my browser but then glibc-2.11-compat-compat-compat-but-for-real-this-time-FINAL updated and broke my bootloader". And I get that some of those areas might improve over time (e.g. OCI images help with redownload-the-world; eventua...
Personally I use AppImage whenever it's an option. It's the closest we get to Windows and MacOS executable applications
Getting software from repositories is not just laziness, you automatically get updates and the software from repos is supposed to work with your distro, that apparently is not always true with AppImages.
Diversity is good. I don't want "one distribution" that chooses the init system, distribution, compositor, window manager, etc. I want to have choice.
When it comes to distributing packages, I personally like system package managers. Not such a big fan of flatpak.
For example it's completely useless to me. Why do you expect me to help on something I don't use?