306 points dxs | 12 comments
nycticorax No.44069656
I don't agree with him 100%, but I always find Drew DeVault to be thoughtful on this topic:

https://news.ycombinator.com/item?id=32936114

https://drewdevault.com/2021/09/27/Let-distros-do-their-job....

Basically, he argues that application distribution outside of the distro (a la flatpak, snap, appimage) is just a bad model. The right model is the one distros have been using for years: You get software through the distro's package manager, and that software is packaged by people working on behalf of the distro. As he says: "Software distributions are often volunteer-run and represent the interests of the users; in a sense they are a kind of union of users."

The other issue, of course, is that in practice flatpaks/snaps/appimages never seem to 100% work as well as distro packages do.

replies(5): >>44069828 #>>44070308 #>>44070592 #>>44070717 #>>44071258 #
arunkant No.44070717
Application developers should be able to package and distribute their apps. See how easy it is for a casual user to download and install any application on Windows. Maintainers cannot scale, and depending on them will just hold back desktop Linux.
replies(1): >>44070761 #
1. LtWorf No.44070761
The best thing about unvetted app stores is that anyone can publish software!

The worst thing about unvetted app stores is that anyone can publish software!

replies(2): >>44070825 #>>44071338 #
2. tempaccount420 No.44070825
Distro package maintainers are not security researchers, they don't audit the code they maintain.
replies(4): >>44071019 #>>44071063 #>>44071087 #>>44072536 #
3. goodpoint No.44071019
This is false.
4. flomo No.44071063
Plus the app developers at least have some level of accountability. Like when JWZ got into it with Debian (can't link here). You might think you are running XScreensaver from the great Zawinski, but no you are actually running some weird fork from godknowswho, hopefully not Jia Tan.
replies(2): >>44071194 #>>44076428 #
5. alkonaut No.44071087
They do to some extent in the larger distros, but for proprietary/binary packages they don't have much chance anyway unless they are willing to do some pretty time-consuming forensics.
replies(1): >>44076458 #
6. ChocolateGod No.44071194
XScreensaver is supposed to hide your desktop and Jia Tan is an expert at hiding things, so I think they'd be a perfect match.
7. ndiddy No.44071338
Flathub is not unvetted. Every submission goes through human review. If a piece of software requires an unnecessary permission (e.g. if someone submits an alarm clock program that requires home folder access and internet access), it will get rejected. If a developer updates their software and changes the required permissions, the update won't get pushed to users until it goes through human review.

Besides this, for open source packages, the code gets built on Flathub's build servers without internet access. The source code associated with a given Flathub package version must be either a specific Git commit (verified with a commit hash) or a release tarball (verified with a sha256 hash). This means that it's always possible to verify that the code a developer publishes corresponds to the binaries being shipped to users. Closed source packages get a big warning on their Flathub pages saying that the program's code is proprietary and not auditable.

With the traditional distro packaging model, the requirements to become a maintainer are stringent and there's human review when a package is added, but there's typically no review after that point. If you'd like a recent example of the drawbacks of this system, see here: https://security.opensuse.org/2025/05/07/deepin-desktop-remo... . After the OpenSUSE security team rejected certain components of the Deepin DE for containing major security problems (including multiple root privilege escalation vulnerabilities), the Deepin maintainer smuggled them in anyway through an innocuous looking package called "deepin-feature-enable" and nobody in the security team noticed for several years. I'm not trying to call out the OpenSUSE security team here, I'm sure they don't have the resources to vet random packages. I'm saying that expecting maintainers to never ship malicious code because they went through the process to become a maintainer is a weakness of the traditional distro packaging model.

replies(1): >>44074533 #
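The two review gates described in the comment above (permissions that fit the app's purpose, and sources pinned to a git commit or a sha256-checked archive so the shipped binary can be tied back to published code) can be expressed as a small reviewer-side lint. The block below is an added example, not Flathub's or flatpak-builder's own code: the manifest keys (`finish-args`, `modules`, `sources`, `type`, `commit`, `sha256`) are the real flatpak-builder ones, but the per-category permission allowlist, the app id `org.example.Alarm`, the URLs and the tarball bytes are all constructed for illustration.

```python
"""Reviewer-side lint for a Flatpak manifest (illustrative, not Flathub's code).

Gate 1: finish-args must be covered by a hypothetical per-category allowlist.
Gate 2: every source must be pinned to immutable content, and a pinned
        archive must actually hash to the sha256 in the manifest.
"""

import hashlib

# Hypothetical policy: which sandbox permissions each app category may ask for.
ALLOWED_FINISH_ARGS = {
    "alarm-clock": {"--socket=wayland", "--socket=fallback-x11",
                    "--socket=pulseaudio"},
    "web-browser": {"--socket=wayland", "--socket=fallback-x11",
                    "--share=network", "--filesystem=xdg-download"},
}


def excessive_permissions(manifest: dict, category: str) -> list[str]:
    """finish-args the category's allowlist does not justify, sorted."""
    allowed = ALLOWED_FINISH_ARGS[category]
    return sorted(a for a in manifest.get("finish-args", []) if a not in allowed)


def unpinned_sources(manifest: dict) -> list[str]:
    """Sources whose content could change without the manifest changing."""
    findings = []
    for module in manifest.get("modules", []):
        for src in module.get("sources", []):
            kind = src.get("type")
            if kind == "git" and not src.get("commit"):
                ref = src.get("tag") or src.get("branch") or "HEAD"
                findings.append(f"{module['name']}: git source pinned to movable "
                                f"ref {ref!r}, needs 'commit'")
            elif kind in ("archive", "file") and not src.get("sha256"):
                findings.append(f"{module['name']}: {kind} source "
                                f"{src.get('url')} has no sha256")
    return findings


def archive_matches(src: dict, data: bytes) -> bool:
    """Recompute the digest of the fetched bytes and compare with the pin."""
    return hashlib.sha256(data).hexdigest() == src.get("sha256", "").lower()


def review(manifest: dict, category: str, fetched: dict[str, bytes]) -> list[str]:
    """All findings for a submission; an empty list means it would pass."""
    findings = [f"permission not justified for {category}: {a}"
                for a in excessive_permissions(manifest, category)]
    findings += unpinned_sources(manifest)
    for module in manifest.get("modules", []):
        for src in module.get("sources", []):
            if src.get("type") == "archive" and src.get("sha256"):
                data = fetched.get(src["url"])  # bytes the build server fetched
                if data is None or not archive_matches(src, data):
                    findings.append(f"{module['name']}: archive {src['url']} "
                                    f"does not match pinned sha256")
    return findings


# Constructed sample input: a stand-in tarball and two submissions.
ARCHIVE_URL = "https://example.invalid/alarm-1.0.tar.xz"
TARBALL = b"constructed stand-in for alarm-1.0.tar.xz contents\n"
FETCHED = {ARCHIVE_URL: TARBALL}

GOOD_MANIFEST = {
    "app-id": "org.example.Alarm",
    "finish-args": ["--socket=wayland", "--socket=fallback-x11", "--socket=pulseaudio"],
    "modules": [{
        "name": "alarm",
        "sources": [{"type": "archive", "url": ARCHIVE_URL,
                     "sha256": hashlib.sha256(TARBALL).hexdigest()}],
    }],
}

# Same alarm clock, but asking for network and home access, shipping a git
# dependency pinned only to a branch, and pointing at a tarball whose hash
# does not match what was fetched.
BAD_MANIFEST = {
    "app-id": "org.example.Alarm",
    "finish-args": ["--socket=wayland", "--share=network", "--filesystem=home"],
    "modules": [
        {"name": "alarm",
         "sources": [{"type": "archive", "url": ARCHIVE_URL, "sha256": "0" * 64}]},
        {"name": "libhelper",
         "sources": [{"type": "git", "url": "https://example.invalid/libhelper.git",
                      "branch": "main"}]},
    ],
}

if __name__ == "__main__":
    for label, m in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(label, review(m, "alarm-clock", FETCHED) or "passes")
```

The hash check only proves that the bytes built match the bytes the developer pointed at; what the build server does with them still has to be reproducible for a third party to tie a published binary back to the source, which is why the offline build matters as much as the pin.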
8. LtWorf No.44072536
I do, and I work at a security company. But thanks for knowing more about my life than myself, random internet person.
9. LtWorf No.44074533
Reading about all the crashes and stuff that generally doesn't work… doesn't seem too vetted to me.
10. tempaccount420 No.44076428
You got downvoted but yes, it's quite sad when distros release a package under the same name as the original but with their own set of patches. I think they should rename the package when they do that, even just a prefix/suffix with the distro name would be nice.
replies(1): >>44078084 #
11. tempaccount420 No.44076458
It'd be a gargantuan effort to do it for every package, most times it's just a version + hash update and maybe a test.
12. LtWorf No.44078084
No user cares. If they cared they would be building everything from scratch :)