this post was submitted on 04 Mar 2025
144 points (98.0% liked)

Linux


I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.

I don't develop distributed applications, but I'm not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?

Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?

Is it because developers are often using dependencies that are ahead of release versions?

Also, how is it so much better than images for your applications on Docker Hub?

Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.

(page 2) 32 comments
[–] [email protected] 3 points 1 day ago

I never use flatpaks and am doing just fine. I don't want my packages to be installed from a bunch of different places; I want it all managed by one package manager, which for me is my distro package manager. I've never noticed a problem arising out of not using flatpaks; everything I want is either already packaged for me, or I can make a package myself.

[–] [email protected] 8 points 2 days ago (1 children)

Yes you can. I do. If a software does not offer build instructions, which is rare, I just do not use it.

[–] [email protected] 4 points 1 day ago

The build instructions for all flatpaks are in one repo, you could build it yourself and maintain your own registry if you wanted.

[–] [email protected] 9 points 2 days ago (1 children)

It depends a bit on perspective and use-case, really. A flatpak'd application can be a fully-featured (all dependencies bundled) package in order to be portable. However, most flatpaks you might commonly encounter don't quite do this. A good portion of the libraries may be distributed in common runtime packages. This will be the case if you use flatpaks from Flathub or Fedora. There still can be bundled libraries with vulnerabilities, but in many cases, there are basic dependencies from external, common library sets.

As far as varying dependency versions, a developer may be on a host with either newer or older dependencies than expected by the user, but as long as the developer's application (and any unique libraries) are compiled against a common runtime as previously mentioned, it does make distribution to a wide variety of distros (LTS, 6-month, and rolling alike) relatively easy.

In comparison to OCI images (the kind of images that make up Docker, Podman, and a good portion of Kubernetes container images), flatpaks are a bit less extreme. Flatpaks contain much the same kind of files and structure that a standard distro package would, but simply get sandboxed into their own environment (via bubblewrap). Additionally, flatpaks don't necessarily need system-level access for installation and usage (full userland confinement). It heavily depends on host environment and configuration, but typically OCI containers are a full, minimal, immutable filesystem structure run in a virtual environment. Not quite a virtual machine, as (in Linux anyway) they are run on the host (almost always in a sandbox) without extensive virtualization capabilities being needed. The general difference in security capabilities depends on the differences in sandboxing between a flatpak behind bubblewrap and an OCI container's runtime sandboxing. There is also the notion with OCI containers being able to run as virtualized users, including root. With OCI containers that can obtain root access and a flaw in the sandboxing of say Docker in its standard rootful mode could allow for root level processes in the sandbox to act upon the host.

From what I can think of in comparison, there is the big problem with Flatpak in that it really isn't suitable for packaging command-line applications: only GUI applications and libraries. OCI container images are often tailored for running web apps and other persistent CLI applications.
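The comment above makes the point that a flatpak's effective security comes down to what bubblewrap is told to allow. The permissions that define that sandbox live in the app's metadata file (what `flatpak info --show-metadata` prints). The following is an added example, not code from the commenter or from the Flatpak project: a small Go audit that parses that metadata format and flags the settings that most weaken the sandbox (broad `filesystems=` grants, the X11 socket, `devices=all`, and session-bus access to `org.freedesktop.Flatpak`, which is what the host-command portal listens on). The app ID and the permission values in `sampleMetadata` are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample in the layout of a flatpak `metadata` file. The app ID,
// runtime and permissions are made up for this example.
const sampleMetadata = `[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/23.08
sdk=org.freedesktop.Sdk/x86_64/23.08
command=editor

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
`

// parseMetadata reads the INI-style metadata into section -> key -> value.
func parseMetadata(text string) map[string]map[string]string {
	out := map[string]map[string]string{}
	section := ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = line[1 : len(line)-1]
			out[section] = map[string]string{}
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 || section == "" {
			continue
		}
		out[section][strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return out
}

// splitList splits a ";"-separated Flatpak list value and drops empty items.
func splitList(v string) []string {
	var items []string
	for _, s := range strings.Split(v, ";") {
		if s = strings.TrimSpace(s); s != "" {
			items = append(items, s)
		}
	}
	return items
}

// AuditMetadata returns one finding per permission that materially weakens
// the bubblewrap sandbox, sorted so the output is stable.
func AuditMetadata(text string) []string {
	meta := parseMetadata(text)
	ctx := meta["Context"]
	var findings []string
	for _, fs := range splitList(ctx["filesystems"]) {
		switch fs {
		case "host", "host-os", "host-etc", "home":
			findings = append(findings, fmt.Sprintf("filesystems=%s grants broad host file access", fs))
		}
	}
	for _, s := range splitList(ctx["sockets"]) {
		if s == "x11" {
			findings = append(findings, "sockets=x11: X11 does not isolate clients from each other")
		}
	}
	for _, d := range splitList(ctx["devices"]) {
		if d == "all" {
			findings = append(findings, "devices=all exposes every /dev node to the app")
		}
	}
	for name, policy := range meta["Session Bus Policy"] {
		if name == "org.freedesktop.Flatpak" && (policy == "talk" || policy == "own") {
			findings = append(findings, "session bus access to org.freedesktop.Flatpak allows running commands outside the sandbox")
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	for _, f := range AuditMetadata(sampleMetadata) {
		fmt.Println("-", f)
	}
}
```

Run it against the output of `flatpak info --show-metadata <app-id>` on your own system to see what a given app is actually allowed; an empty result means none of the checked grants are present, not that the app is safe in every respect.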

[–] [email protected] 1 points 1 day ago

OCI CLI apps can also be obtained from brew

[–] [email protected] 8 points 2 days ago (2 children)

I like package managers just fine. I don’t want to have to have a plurality of software management tools.

Same. I grumble when I have to install things through the AUR. I'd prefer if it was in the official repos.

can continue to blissfully ignore

That's what I've been doing. I haven't run into a situation where I've needed to mess with Flatpak. 🤷 Curious to hear other folks' experiences though.

Also for your consideration, Flatpak seems to be mainly used for desktop GUI apps. You'll still need your regular package manager to install CLIs. So... if you wanna keep your software management tools to a minimum...

[–] [email protected] 5 points 2 days ago

The AUR is a different kettle of fish entirely, though. I do see your point, but the AUR is solving a problem common to all distros; hosting a repository for applications that there isn't willingness or capacity to host in the official binary repos.

Installation, removal, dependency management, etc are all still handled by pacman. As others have pointed out there are great tools available to aid in AUR usability. My favorite is aurutils.

[–] [email protected] 3 points 2 days ago (1 children)

Doesn't yay simplify the AUR installation? Things have been pretty easy for me after I started using yay.

[–] [email protected] 3 points 2 days ago (1 children)

yay simplifies the AUR installation

Simple to me means not having to install some random extra tool and just using pacman like normal. That's why I grumble.

[–] [email protected] 1 points 2 days ago (1 children)

Haa understood. In that perspective yes it is not simple. I would also be happy if pacman had better support for AUR.

But I have a different perspective on this. I always look for the right or the best tool available to do something. So I'm not that hesitant to use another tool for AUR. I guess it's a personal preference after all.

[–] [email protected] 3 points 2 days ago

You don't have to use an AUR helper, you could build it all with makepkg, but the helper just allows you to save time searching, downloading, and building.

[–] [email protected] 6 points 2 days ago (1 children)

The risk of dependency vulnerabilities is real.

Also, flatpak packages are not digitally signed, unlike apt and all other major Linux distro package managers.

[–] [email protected] 1 points 2 days ago (1 children)

Do you have a resource I can take a look at for what this implies and what it accomplishes?

[–] [email protected] 1 points 1 day ago (1 children)

Sure, here are some:

http://security.stackexchange.com/questions/259088/ddg#270934

https://en.wikipedia.org/wiki/Digital_signature

The main feature would be that if flathub (or a hacker with access to flathub) acted maliciously, digital signatures would prevent them from issuing malware infested updates to flatpaks. Only the software's originator would have the cryptographic key needed to sign releases of the software.
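The property the comment above describes (the repository operator, or anyone who compromises it, cannot produce a release the client will accept, because only the developer's key signs releases) is easy to show concretely. This is an added example in Go, not code from the commenter and not how any particular package manager implements its signing: it uses the standard library's Ed25519 to sign a release and then checks that a release signed with a different key, a tampered payload, and a signature replayed onto another version are all rejected. The key seeds, version strings and payload bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Constructed fixed seeds standing in for two long-term keys: the developer's
// and the repository operator's. Real keys are generated randomly; fixed seeds
// only make this example reproducible.
var (
	developerPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	operatorPriv  = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
)

// Release is a constructed stand-in for an application bundle plus the
// detached signature a repository would serve alongside it.
type Release struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// releaseDigest binds the version string and the payload together, so a
// signature that is valid for one version cannot be replayed onto another.
func releaseDigest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator so "1.0"+"x" and "1."+"0x" differ
	h.Write(payload)
	return h.Sum(nil)
}

// Publish signs a release with a private key. Only the developer holds the
// key the clients trust, so only the developer's output will verify.
func Publish(priv ed25519.PrivateKey, version string, payload []byte) Release {
	return Release{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, releaseDigest(version, payload)),
	}
}

// Verify is what the installing client runs. It is pinned to the developer's
// public key and does not care who hosted or transported the release.
func Verify(devPub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(devPub, releaseDigest(r.Version, r.Payload), r.Signature)
}

func main() {
	devPub := developerPriv.Public().(ed25519.PublicKey)

	genuine := Publish(developerPriv, "1.2.0", []byte("constructed app bytes"))
	fmt.Println("developer-signed release verifies:", Verify(devPub, genuine))

	// The repository operator signs a modified release with its own key.
	fromOperator := Publish(operatorPriv, "1.2.1", []byte("constructed modified app bytes"))
	fmt.Println("operator-signed release verifies:", Verify(devPub, fromOperator))

	// The bytes are changed after signing while the signature is kept.
	tampered := genuine
	tampered.Payload = []byte("constructed altered app bytes")
	fmt.Println("tampered payload verifies:", Verify(devPub, tampered))
}
```

The client's trust is anchored in the developer's public key it already has, which is the point of the comment: the repository becomes a distribution channel rather than a party that has to be trusted with the contents.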

[–] [email protected] 1 points 1 day ago
[–] [email protected] 3 points 1 day ago (1 children)

Arch based distros (except for Manjaro) have every FOSS and some proprietary software on the AUR

[–] [email protected] 2 points 1 day ago

Let me try to clarify what you are saying.

You are saying that the AUR “has every FOSS and some proprietary software”. Yep. That is why I add an Arch Distrobox to every system regardless of the host distro.

But what do you mean by “except Manjaro”? Most Manjaro fans will say that Manjaro also supports the AUR. They are correct that you can certainly enable it and start installing packages from there.

I assume you are warning that, because Manjaro maintains its own base repos and has different package versions in it than Arch does, that Manjaro is incompatible with the AUR and that using the AUR with Manjaro will cause problems. If that is what you are saying, I agree with you.

[–] [email protected] 1 points 2 days ago

That's what I do. But then I mostly use Arch or Arch based distros (e.g. EndeavourOS). So I have access to AUR. If something isn't on AUR (very rare, but can happen), I just create the package for it and publish to AUR. I do use some AlmaLinux machines as servers. I don't really need many programs outside of the standard repos there since I use them mostly for hosting Docker images. But if I do need to install something like that, I've some self-written LURE install scripts.
