The Future of Flatpak

I don't agree with him 100%, but I always find Drew DeVault to be thoughtful on this topic:

https://news.ycombinator.com/item?id=32936114

https://drewdevault.com/2021/09/27/Let-distros-do-their-job....

Basically, he argues that application distribution outside of the distro (a la flatpak, snap, appimage) is just a bad model. The right model is the one distros have been using for years: You get software through the distro's package manager, and that software is packaged by people working on behalf of the distro. As he says: "Software distributions are often volunteer-run and represent the interests of the users; in a sense they are a kind of union of users."

The other issue, of course, is that in practice flatpaks/snaps/appimages never seem to 100% work as well as distro packages do.

The problem is that now you have to package for N distros. And the people who run the distro may not want to spend time on it, so you have to do it yourself.

It doesn't have to be gated by "the people who run the distro". I started packaging a few pieces of software for a distro I use because I wanted to use that software, and I don't "run" the distros in any capacity. Package maintainers aren't born that way, they become that way by volunteering, just like most everything in Linux.

If you don't have even one user willing to do that for the distro they use, you probably weren't going to have users on that distro anyway.

You're saying the exact opposite of the original point, which is: you should not package for distros, distros should package for themselves. You just distribute your sources.

You are a good candidate to package for your distro, so there's that. And then for a random distro, if nobody feels like packaging for it, then it's just not there. Either there is not enough interest in your project, or there is not enough interest in the distro itself.

I'm glad flaptaks are getting more adoption. Application distribution needs to move from distributions because they suck at it. Due to no fault of their own. Developers should have the option to distribute their apps without middlemen.

> distros should package for themselves. You just distribute your sources.

That's how you ended up with Erlang being split into 20+ packages on Ubuntu/Debian in the past. Because it was packaged by people who know little about erlang, and had too much time on their hands probably.

And that is the main issue: you want distro maintainers to compile and package every single pieces of software under the sun, but they can't possibly know every piece of software, how it works, or how it's supposed to work. Times that by the number of distros.

In fact I’d say they are perfect for distributions to be more stable. E.g. : my issue with Debian have always been that you couldn’t (easily, I know backports existed) have stable system AND fresh software. With Flatpack, you can.

Now I can run my latest user softwares on a stable distribution. That’s pretty cool.

There are still issues of UX. Especially when the app you are using doesn’t have enough permissions to do the job, you have no information about it and when you guess it by yourself, changing this is hard.

I’d expect that Flatpack should allow apps to specifically ask for permissions in real time or when they try to access external resources like in macOS : just expose the APIs but make them wait for user approval.

I disagree with that. IMHO the best possible people to create a package for an application are the original developers of that software. If that software is proprietary, that also happens to be the only party that can legally do that anyway. Because it typically requires access to the source code and software redistribution requires permission.

So, the model you mention only works for open source packages. And I would argue that even in the case an app is 100% open source it's a bad idea for somebody not affiliated with the core development team to be second guessing a lot of things about that application.

It results in a lot of issues that aren't necessary. Like needless lag between developers releasing new software and some third party doing whatever uninvited tweaks they think are necessary, or adding their own bugs and new issues.

It's why I always install Firefox in tar ball form straight from Mozilla for example. It updates itself as soon as developers OK some patch. This happens a lot and mostly for security and stability reasons. I want those patches when they release them. The things external distribution maintainers do are redundant. I trust Mozilla to do the right thing and be the most clued in about any issues regarding their own software. With proprietary stuff, I just want stuff to run with a minimum of hassle.

Flatpak is trying to do too many things. It's trying to emulate an appstore. I don't necessarily like app stores. They are gate keepers. What do developers on Windows and Apple do? They put binaries on their own website. You download them. You install them. And then they run. Downloaded apps have the same rights as apps provided via app stores. The app stores don't repackage the app, they merely distribute them. It's an add on service. An optional extra. All the essentials that provide security are baked into the OS and the application package. There are a few mechanisms that windows and mac provide to make things secure. Binaries are signed, the OS has a permission model for things that need that (screen sharing, directory access to certain things, using the webcam, etc). That's the right model. That could work for Linux as well. It shouldn't require taking control of distribution or packaging by some third party.

Application developer should be able to package and distribute the app. See how easy it is for casual user to download and install any application on windows. Maintainers cannot scale and depending on them will just hold back Desktop Linux

The best thing about unvetted app stores is that anyone can publish software!

The worst thing about unvetted app stores it that anyone can publish software!

Distro package maintainers are not security researchers, they don't audit the code they maintain.

Flatpak is more of a set of tools and framework. I wouldn't consider it as a store but a distribution system. Flathub is a repository, Fedora has its own repository and anybody can creates its own repo (I wouldn't call it store as there is no concept of monetisation).

I wouldn't consider flatpak as a gatekeeper as there is no "team" going through some arbitrary process to allow/disallow an app.

I also disagree with the fact that macos and windows did the right thing, what I found in my experience managing laptops in a company that is roughly 1/3 windows, 1/3 linux, 1/3 macos is that: - What windows is teaching users is to download random stuff and bypass the warning screens if something is not signed. Unless there is a company policy and a third party software to update what is installed, by default things installed are a mix of up to date and not update to date software. - Macos user do not install operating system and software updates unless a third party software is installed and force them too - Linux users have things up to date, only distribution version updates (e.g. fedora 41 to fedora 42) are inconsistent.

So my take is that, even if things on not perfect with flatpak, rpm/dnf, fwupdmgr and package manager, this is much better than having to pay for third party tools in macos and windows because of the lack of a good way to distribute and maintain apps at the operating system level.

This is false.

I think that you are right about not depending on one open source OS to provide the proper depencencies, customizaion, and training wheels for every app. I have been running linux on my desktop for about 20 years, about one decade of Mint followed by the same of Fedora so far. Being a curious but fussy guy who installs lots of software to see what works, I find that I need to install a fresh OS about every 18 to 24 months.

There are, I suppose, always a few programs that don't get upated by 'sudo dnf update' but do get bothered by updates to the shared libraries via the same. Perhaps there are some config files that get damaged by software bugs or power outages or system crashes or my own mistakes and carelessness. I also found out that if one loses the dnf program, one will discover just how impossible it is to pull oneself up by oneself's bootstraps.

Mint was a very similar situation. Maybe not so bad for one who follows all the rules, but in those bygone days there were people suggesting that updating Mint programs with newer versions fron the ubuntu or debian repos was a good idea. And because Mint was slow to get updates, I would attempt to update some apps by downloading source and building and installing here.

Last year, when I upgraded Fedora from 39 to 41, was the first time I got any OS upgrade to work instead of wiping the disk, doing a fresh install of the new OS version, and then spending a week or month trying to get my data for the installed apps (eg web browser and email) from backups. But the upgrade took much longer than it should have, because once I started running the upgrade process, I did not know that the computer sitting there dead silent with no action on the screen for about 30 hours was a sign that all was going well. Computers are evil.

Plus the app developers at least have some level of accountability. Like when JWZ got into it with Debian (can't link here). You might think you are running XScreensaver from the great Zawinski, but no you are actually running some weird fork from godknowswho, hopefully not Jia Tan.

They do to some extent in the larger distros, but for proprietary/binary packages they don't have much chance anyway unless they are willing to do some pretty time-consuming forensics.

XScreensaver is supposed to hide your desktop and Jia Tan is an expert at hiding things, so I think they'd be a perfect match.

> that software is packaged by people working on behalf of the distro.

It is totally unreasonable to expect distros to be able to package every software in the world

Flathub is not unvetted. Every submission goes through human review. If a piece of software requires an unnecessary permission (i.e. if someone submits an alarm clock program that requires home folder access and internet access), it will get rejected. If a developer updates their software and changes the required permissions, the update won't get pushed to users until it goes through human review.

Besides this, for open source packages, the code gets built on Flathub's build servers without internet access. The source code associated with a given Flathub package version must be either a specific Git commit (verified with a commit hash) or a release tarball (verified with a sha256 hash). This means that it's always possible to verify that the code a developer publishes corresponds to the binaries being shipped to users. Closed source packages get a big warning on their Flathub pages saying that the program's code is proprietary and not auditable.

With the traditional distro packaging model, the requirements to become a maintainer are stringent and there's human review when a package is added, but there's typically no review after that point. If you'd like a recent example of the drawbacks of this system, see here: https://security.opensuse.org/2025/05/07/deepin-desktop-remo... . After the OpenSUSE security team rejected certain components of the Deepin DE for containing major security problems (including multiple root privilege escalation vulnerabilities), the Deepin maintainer smuggled them in anyway through an innocuous looking package called "deepin-feature-enable" and nobody in the security team noticed for several years. I'm not trying to call out the OpenSUSE security team here, I'm sure they don't have the resources to vet random packages. I'm saying that expecting maintainers to never ship malicious code because they went through the process to become a maintainer is a weakness of the traditional distro packaging model.

> distros should package for themselves. You just distribute your sources.

Is Devault basically saying that the application developer should just throw their source code over the wall and hope that other parties notice and figure out how to build it correctly? I would find that model of software distribution unsatisfying as a developer because merely distributing a source tarball and leaving the rest to middlemen makes it difficult for me to predict how my users will experience the final product. Even if my product is fully open source and free to fork, it's my reputation on the line when things don't work as intended. I would prefer to establish a more direct relationship with my users; to personally build and test my software in all environments that I support; and to hear directly from users whenever they experience problems.

> Now I can run my latest user softwares on a stable distribution. That’s pretty cool.

I'm at a bit of a loss. Isn't the entire point of a stable distribution _not_ having cutting edge userspace? It's an inherently double edged sword.

If you just wanted to mix and match you were always able to run (for example) a debian testing chroot under debian stable. Something like Nix is the more extreme version of that. The point of something like Flatpak then is either sandboxing or the distribution model (ie getting software from the original author).

I do, and I work at a security company. But thanks for knowing more about my life than myself, random internet person.

You van havê other repos in flatpak than flathub, so in theory the devs can package their app on their repo and tell the user to install it

Only fedora can put stuff in their flatpak repository presumably. That makes them a gatekeeper. Why is a repository needed? If it was the same, Mozilla would be able to put a flatpak file for Firefox on their website and it would be the preferred way to install Firefox.

Of course everybody (including Mozilla) can create their own repository and then you can install from any repository you like. But how is that different than just downloading whatever and installing that? And that's more of a hypothetical. Mozilla doesn't do that and doing such things is not common.

What Apple and MS enforce via signatures is that what you install and run was produced by somebody with a valid certificate that passed their screening.

The problem flatpak hasn't solved is that the likes of Mozilla still have no good way to distribute the most recent version of their application to all Linux users. So they put a tar ball on their website instead.

> Package maintainers aren't born that way, they become that way by volunteering, just like most everything in Linux.

I feel like there's a constant tug of war on this issue. If you leave it up to app developers then they have to package their app for N distros. If you leave it up to the distro maintainers then they have to compile N apps for their distro. I don't envy either group given how different distros are and how varied apps are in quality, methodology, etc.

I look at Podman. In my opinion it could be (could have been?) a huge disruptor, but its RedHat (or Fedora or CentOS or whatever the hell those guys do now) versions are way higher than versions for other distributions, which creates for me (just a home user) an interoperability problem between all my different Linux boxes. RedHat if anybody has the resources to fix this but I guess they'd rather try to use it as a way to force adoption of their distro? I don't even know.

Both the apps and the distros are volunteer-heavy. App packaging is a big job for either side. I'm still hopeful that Flatpak can help that job

> you want distro maintainers to compile and package every single pieces of software under the sun

No. I want people who will actually use the package to package the software they need, and distro maintainer to supervise that.

> Because it was packaged by people who know little about erlang

Yep, people who won't use Erlang shouldn't package Erlang. But on the other hand, developers who won't use Erlang on platform X shouldn't package Erlang on platform X.

The "we absolutely need flatpak because otherwise it fundamentally doesn't work" philosophy is, to me, very close to saying "we must consolidate everything under one single OS. Everybody should use the exact same thing otherwise it doesn't work". That's not what I want. I want to have freedom, and the cost of it is that I may have to package stuff from time to time.

If you don't want to contribute to your distro, choose a super popular distro where everything is already packaged (and used!). Or use macOS. Or use Windows. You don't get to complain about Alpine Linux not having a package you want: you chose Alpine, that was part of the deal.

I don't know what Devault says, but here is my opinion: do not ship something you don't understand/test/use yourself.

Distros should not package random open source projects they don't use/understand, and developers should not package their project for distros they don't use/understand. For both, it's like shipping untested code and the conclusion is always going to be "you should all run the same system I do" or "we should all have the exact same system, let's implement Flatpak".

Developers should package their project for the distros they support (often that's just Ubuntu). Random people should package the open source projects they want to use in their distro of choice (the more popular the distro, the higher the chance that someone else has done it already). All that under the supervision of distro maintainers.

> Even if my product is fully open source and free to fork, it's my reputation on the line when things don't work as intended

I think that everyone who is worrying about that wants to apply corporate thinking on the open source model. Meaning they want to be a special thing where everything is supposed to be interchangeable. Just yesterday, I was compiling a program that hard depends on the GNU C library for just 2 functions and not even critical one. To be fair, the author said that they only test on Debian.

While the linux world may be fragmented, the true differences are mostly minimal (systemd vs other init system, glibc vs musl, networking manager,…) So it’s possible to decouple yourself from these concerns if you want to. But often the developer hard depends on decision made by their preferred distro team, and create a complicated build script that only works there.

Alpine is a great litmus test for programs that unnecessarily depends on glibc and systemd. More often than not, it’s easy to take the arch build script, and create a package for alpine. When that fails, it’s usually for the above reason.

These days, I’m tempted with Debian stable because of people playing cowboys with software updates, breaking workflows right and left. There’s always VMs for bleeding edge.

Mozilla publishes firefox on Flathub and anybody can install it from there. After, I'm not sure why they don't advertise it, most apps distributed this way just have a button that do so.

Fedora has its own repo, they manage it, i don't see the problem there. After it doesn't prevent adding others like flathub and the experience from a user point of view is the same.

You can also provide a flatpak ref file that user can use to install.

Signing app doesn't means much appart that someone paid for that and went through a process IMO, there's not much value to it from the user pov, especially when the first thing a Windows user learns is to ignore signature warnings.

Have you tried using flatpak?

That's a massive waste of resources and time.

If you are unwilling to use tools like Flatpak, then that limits what distros you can make. e.g., in a world without Flatpak, only distros with X users can exist. In a world with Flatpak, distros with X/10 users can exist.

Another way to think about it: if you want to make/use your own distro, then using Flatpak will cut down the amount of work you have to do by some large multiple. You're free to not use it, just like you're free to install custom electrical sockets in your house and make custom adaptors for every single appliance you buy.

Standardization/centralization exists for a reason.

Reading about all the crashes and stuff that generally doesn't work… doesn't seem too vetted to me.

> I want people who will actually use the package to package the software they need, and distro maintainer to supervise that.

Erm... Your original comment said "you should not package for distros, distros should package for themselves. You just distribute your sources."

> Yep, people who won't use Erlang shouldn't package Erlang. But on the other hand, developers who won't use Erlang on platform X shouldn't package Erlang on platform X.

So... Who's gonna package it if you say that distros should package it?

> The "we absolutely need flatpak because otherwise it fundamentally doesn't work" philosophy is, to me, very close to saying "we must consolidate everything under one single OS.

Bullshit.

What you advocate for is "why bother with ease of use and convenience, everyone should learn how to compile and package everything from scratch"

> If you don't want to contribute to your distro

The user of a package doesn't necessarily know how to package something, and shouldn't need to.

You got downvoted but yes, it's quite sad when distros release a package under the same name as the original but with their own set of patches. I think they should rename the package when they do that, even just a prefix/suffix with the distro name would be nice.

It'd be a gargantuan effort to do it for every package, most times it's just a version + hash update and maybe a test.

> Erm... Your original comment said "you should not package for distros, distros should package for themselves. You just distribute your sources."

Yes. I said "distros", not "the distro maintainers". The distro is the maintainers + the packagers, and packagers can be random contributors (I package stuff for my distro when needed, but I am not a distro maintainer).

> So... Who's gonna package it if you say that distros should package it?

People who will use Erlang on that particular distro. Under the supervision of the distro maintainers. There is typically some kind of hierarchy where there are the "community" packages that are just "untested" (sometimes they can get promoted to a more trusted level), and the "core" packages that are handled by the distro maintainers.

> What you advocate for is "why bother with ease of use and convenience, everyone should learn how to compile and package everything from scratch"

Not at all, but it seems like you don't know how it currently works in traditional distros, and you don't understand what I'm saying (probably I'm not being clear, that's on me).

What I advocate seems absolute common sense: "the package maintainer(s) should understand and use the package on the distro for which is is packaged".

The vast majority (probably almost the totality of) users of Ubuntu or Arch have never had a need to package anything, because everything is already there. Because those distros are very popular. Depending on your choice of distro, it may happen that a package hasn't been contributed or even that it doesn't compile (e.g. if you use musl). In that case, if you want it, you need to contribute it. But if you use musl, you implicitly accept this and are supposed to know what you are doing.

> The user of a package doesn't necessarily know how to package something, and shouldn't need to.

That's your opinion. I would say that a Gentoo user is expected to have some idea about compiling packages, otherwise they should not use Gentoo. Ubuntu is targetting people who don't want to know how it works, that's fine too. Diversity is good.

What I don't like, is Windows-minded people ("I shouldn't have to understand how my computer works") who come to Linux and push for everybody to become like them. "We should all use systemd and Flatpak, and pay one team of 50 people who know how that works, and the rest of us should just use it and not know about it" -> I disagree with that. Those who think that should just use Ubuntu/Windows/macOS and leave me alone. And for those who use Ubuntu, they should remember that they don't pay for it next time they say "it's shit because it doesn't do exactly what I want".

No user cares. If they cared they would be building everything from scratch :)

> and packagers can be random contributors

So who's going to maintain the packages? Who's going to test them against other packages? Against distro upgrades? Who's going to fix issues?

> Not at all, but it seems like you don't know how it currently works in traditional distros

I do. A small number of people are doing the thankless job of packaging, maintaining, fixing, testing a multitude of packages.

And their efforts are needlessly duplicated across several packaging systems.

> What I don't like, is Windows-minded people ("I shouldn't have to understand how my computer works") who come to Linux and push for everybody to become like them

What I don't like is people assuming ill intent behind "you know what would be great? If we didn't assume that every user has to package their own packages across 15 different incompatible packaging systems".

> So who's going to maintain the packages? Who's going to test them against other packages? Against distro upgrades? Who's going to fix issues?

I feel like you're not reading what I'm writing. The community.

That's how open source works: if you use an open source project and it has a bug, you can fix it and open an MR. If the upstream project doesn't want your fix, you can fork. Nothing forces the upstream project to accept your contributions. When they do, they take the responsibility for them (to some extent, as in: it is now part of their codebase).

If your distribution doesn't have a package you want, you can make it for yourself, locally. You can contribute it to a community repo (most distros have that). Maybe at some point, the distro maintainers will decide to take over your package in a more official repo, maybe not. Even if you are not the official maintainer of a package, if you use it and see a problem, you can contribute a fix.

In the open source world, most people are freeriders. A (big) subset of those feel entitled and are simply jerks. And a minority of people are not freeriders and actually contribute. That's the deal.

> And their efforts are needlessly duplicated across several packaging systems.

No! No no no no! If they don't want to put efforts into that, they don't have to. They could use Ubuntu, or Windows, or macOS. If they contribute to, say, Alpine or Gentoo, that's because they want to. I am not on Gentoo in the hope that it will become Ubuntu, that would be weird. But you sound like you want to solve "my Gentoo problems" by making it look more like Ubuntu (in the idea). Don't use Gentoo if you don't want to, and leave me alone! Don't try to solve my problems, you're not even a Gentoo user.

> That's how open source works:

Funny how in reality it's not how open source works. Packages are en masse packaged and maintained by a very small number of maintainers doing a thankless job. Not by some "community" where "a person who uses the package" suddenly wakes up nad says "you know, I'm going to package this piece of software"

This is literally the reason for my exmaple with Erlang in my original comment.

> n the open source world, most people are freeriders.

I'm getting tired of your rants and tangents

> No! No no no no! If they don't want to put efforts into that, they don't have to. They could use Ubuntu

You're deliberately missing and/or ignoring the point.

Ho many package managers and package format are there? Packaging some code for each of them is wasted/duplicated effort because it's doing the same thing (packaging) for the same code (for example, Erlang) for literally the same operating system (Linux) just because someone has a very subjective view of "the one true correct way".

So now you have someone packaging, say, Erlang, for dpkg, flatpack, nix, pacman, rpm, snap and probably a few others because "people are not freeloaders" or "non-windows-minded people" or some other stream of consciousness.

> Don't use Gentoo if you don't want to, and leave me alone! Don't try to solve my problems, you're not even a Gentoo user.

I've said all I had to say. You deliberately chose to talk only to the voices in your head. Sorry, I'm not privy to those voices.

So, adieu.

> Funny how in reality it's not how open source works.

Let me copy the full sentence, with the part that you conveniently truncated: "That's how open source works: if you use an open source project and it has a bug, you can fix it and open an MR. If the upstream project doesn't want your fix, you can fork. Nothing forces the upstream project to accept your contributions. When they do, they take the responsibility for them (to some extent, as in: it is now part of their codebase)."

Can you explain to me how this is wrong?

> I'm getting tired of your rants and tangents

How is that a rant? That's almost by design: I make my code open source so that people can benefit from it for free under some conditions. Take the billions of computers running Linux. Which proportion of those are run by people who actually contribute to Linux, do you think? As a good approximation, it's ~0%. Almost all users of Linux don't contribute to Linux. It's a fact, not a rant.

Nowhere did I say that people should contribute.

> Ho many package managers and package format are there?

Who cares? If I want to create a new package manager with a new package format, why would you forbid me from doing it? That's my whole point: people are free to do whatever they want. Are you saying that I must use Flatpak instead of my favourite package manager because you have decided that it was better for everybody?

Why do you stop at package managers? In your view, isn't having different OSes is wasted/duplicated effort? Should we all just use Windows because it's your favourite and you don't understand why other people may have other preferences?

> Sorry, I'm not privy to those voices.

My point is that whenever somebody says "it's stupid, we should all use X", my answer is always "If Y, Z, A, B, C, ... exist, it's because other people, for some reasons, don't want X. Because you like X doesn't mean that everybody should like X. I see how it would be convenient for you if everybody used exactly your favourite system, but the reality is that we can't all love exactly the same things. Hence there are alternatives. Diversity is good".

Diversity is good. I don't say that Flatpak should not exist. I just say that whoever wants me to use Flatpak is fundamentally missing something.