←back to thread

The Future of Flatpak

(lwn.net)
306 points dxs | 2 comments | 22 May 25 23:51 UTC | HN request time: 0.473s | source
Show context
nycticorax ◴[23 May 25 03:38 UTC] No.44069656[source]
I don't agree with him 100%, but I always find Drew DeVault to be thoughtful on this topic:

https://news.ycombinator.com/item?id=32936114

https://drewdevault.com/2021/09/27/Let-distros-do-their-job....

Basically, he argues that application distribution outside of the distro (a la flatpak, snap, appimage) is just a bad model. The right model is the one distros have been using for years: You get software through the distro's package manager, and that software is packaged by people working on behalf of the distro. As he says: "Software distributions are often volunteer-run and represent the interests of the users; in a sense they are a kind of union of users."

The other issue, of course, is that in practice flatpaks/snaps/appimages never seem to 100% work as well as distro packages do.

replies(5): >>44069828 #>>44070308 #>>44070592 #>>44070717 #>>44071258 #
jillesvangurp ◴[23 May 25 07:06 UTC] No.44070592[source]
I disagree with that. IMHO the best possible people to create a package for an application are the original developers of that software. If that software is proprietary, that also happens to be the only party that can legally do that anyway. Because it typically requires access to the source code and software redistribution requires permission.

So, the model you mention only works for open source packages. And I would argue that even in the case an app is 100% open source it's a bad idea for somebody not affiliated with the core development team to be second guessing a lot of things about that application.

It results in a lot of issues that aren't necessary. Like needless lag between developers releasing new software and some third party doing whatever uninvited tweaks they think are necessary, or adding their own bugs and new issues.

It's why I always install Firefox in tar ball form straight from Mozilla for example. It updates itself as soon as developers OK some patch. This happens a lot and mostly for security and stability reasons. I want those patches when they release them. The things external distribution maintainers do are redundant. I trust Mozilla to do the right thing and be the most clued in about any issues regarding their own software. With proprietary stuff, I just want stuff to run with a minimum of hassle.

Flatpak is trying to do too many things. It's trying to emulate an appstore. I don't necessarily like app stores. They are gate keepers. What do developers on Windows and Apple do? They put binaries on their own website. You download them. You install them. And then they run. Downloaded apps have the same rights as apps provided via app stores. The app stores don't repackage the app, they merely distribute them. It's an add on service. An optional extra. All the essentials that provide security are baked into the OS and the application package. There are a few mechanisms that windows and mac provide to make things secure. Binaries are signed, the OS has a permission model for things that need that (screen sharing, directory access to certain things, using the webcam, etc). That's the right model. That could work for Linux as well. It shouldn't require taking control of distribution or packaging by some third party.

replies(3): >>44070944 #>>44071021 #>>44072643 #
boudin ◴[23 May 25 08:17 UTC] No.44070944[source]
Flatpak is more of a set of tools and framework. I wouldn't consider it as a store but a distribution system. Flathub is a repository, Fedora has its own repository and anybody can creates its own repo (I wouldn't call it store as there is no concept of monetisation).

I wouldn't consider flatpak as a gatekeeper as there is no "team" going through some arbitrary process to allow/disallow an app.

I also disagree with the fact that macos and windows did the right thing, what I found in my experience managing laptops in a company that is roughly 1/3 windows, 1/3 linux, 1/3 macos is that: - What windows is teaching users is to download random stuff and bypass the warning screens if something is not signed. Unless there is a company policy and a third party software to update what is installed, by default things installed are a mix of up to date and not update to date software. - Macos user do not install operating system and software updates unless a third party software is installed and force them too - Linux users have things up to date, only distribution version updates (e.g. fedora 41 to fedora 42) are inconsistent.

So my take is that, even if things on not perfect with flatpak, rpm/dnf, fwupdmgr and package manager, this is much better than having to pay for third party tools in macos and windows because of the lack of a good way to distribute and maintain apps at the operating system level.

replies(1): >>44072988 #
1. jillesvangurp ◴[23 May 25 14:02 UTC] No.44072988[source]
Only fedora can put stuff in their flatpak repository presumably. That makes them a gatekeeper. Why is a repository needed? If it was the same, Mozilla would be able to put a flatpak file for Firefox on their website and it would be the preferred way to install Firefox.

Of course everybody (including Mozilla) can create their own repository and then you can install from any repository you like. But how is that different than just downloading whatever and installing that? And that's more of a hypothetical. Mozilla doesn't do that and doing such things is not common.

What Apple and MS enforce via signatures is that what you install and run was produced by somebody with a valid certificate that passed their screening.

The problem flatpak hasn't solved is that the likes of Mozilla still have no good way to distribute the most recent version of their application to all Linux users. So they put a tar ball on their website instead.

replies(1): >>44073576 #
2. boudin ◴[23 May 25 15:10 UTC] No.44073576[source]
Mozilla publishes firefox on Flathub and anybody can install it from there. After, I'm not sure why they don't advertise it, most apps distributed this way just have a button that do so.

Fedora has its own repo, they manage it, i don't see the problem there. After it doesn't prevent adding others like flathub and the experience from a user point of view is the same.

You can also provide a flatpak ref file that user can use to install.

Signing app doesn't means much appart that someone paid for that and went through a process IMO, there's not much value to it from the user pov, especially when the first thing a Windows user learns is to ignore signature warnings.

Have you tried using flatpak?