306 points dxs | 2 comments
nycticorax ◴[] No.44069656[source]
I don't agree with him 100%, but I always find Drew DeVault to be thoughtful on this topic:

https://news.ycombinator.com/item?id=32936114

https://drewdevault.com/2021/09/27/Let-distros-do-their-job....

Basically, he argues that application distribution outside of the distro (a la flatpak, snap, appimage) is just a bad model. The right model is the one distros have been using for years: You get software through the distro's package manager, and that software is packaged by people working on behalf of the distro. As he says: "Software distributions are often volunteer-run and represent the interests of the users; in a sense they are a kind of union of users."

The other issue, of course, is that in practice flatpaks/snaps/appimages never seem to 100% work as well as distro packages do.

replies(5): >>44069828 #>>44070308 #>>44070592 #>>44070717 #>>44071258 #
arunkant ◴[] No.44070717[source]
An application developer should be able to package and distribute the app. See how easy it is for a casual user to download and install any application on Windows. Maintainers cannot scale, and depending on them will just hold back Desktop Linux.
replies(1): >>44070761 #
LtWorf ◴[] No.44070761[source]
The best thing about unvetted app stores is that anyone can publish software!

The worst thing about unvetted app stores is that anyone can publish software!

replies(2): >>44070825 #>>44071338 #
tempaccount420 ◴[] No.44070825[source]
Distro package maintainers are not security researchers, they don't audit the code they maintain.
replies(4): >>44071019 #>>44071063 #>>44071087 #>>44072536 #
1. alkonaut ◴[] No.44071087[source]
They do to some extent in the larger distros, but for proprietary/binary packages they don't have much chance anyway unless they are willing to do some pretty time-consuming forensics.
replies(1): >>44076458 #
2. tempaccount420 ◴[] No.44076458[source]
It'd be a gargantuan effort to do it for every package; most times it's just a version + hash update and maybe a test.