this post was submitted on 20 Aug 2023
250 points (88.6% liked)
linuxmemes
21281 readers
282 users here now
Hint: :q!
Sister communities:
Community rules (click to expand)
1. Follow the site-wide rules
- Instance-wide TOS: https://legal.lemmy.world/tos/
- Lemmy code of conduct: https://join-lemmy.org/docs/code_of_conduct.html
2. Be civil
- Understand the difference between a joke and an insult.
- Do not harrass or attack members of the community for any reason.
- Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
- Bigotry will not be tolerated.
- These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
3. Post Linux-related content
- Including Unix and BSD.
- Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of
sudo
in Windows.
- No porn. Even if you watch it on a Linux machine.
4. No recent reposts
- Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.
Please report posts and comments that break these rules!
Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't fork-bomb your computer.
founded 1 year ago
MODERATORS
That's the whole problem, don't use flatpak. It's the worst way of solving a problem that's already solved.
This comment chain feels like talking to a brick wall. It's just "don't use flatpak" over and over again but with different words.
The problem with dependencies, that's the only reason for people to look at flatpak.
See my other comment, and see https://flatkill.org/
So if I checked the permissions with flatseal and that statement isn’t true for any of my flatpacks…where do we go from here?
You can uninstall your package since you are not able to use it anymore. lol
Hey it's your pc you can fill it with whatever you want, as long as it makes you happy!
The point is still that you distribute a OS with your application, that's just silly and lazy.
Aside from the kernel you still need most libs, including glibc so it's a OS without the kernel.
Next evolution will then be to use flatpak from within flatpak or what?
Using the word OS puts across my point, because when you start packaging your toolchain with glibc and whatever libs you need for your application, you end up with a good part of the Linux file system. Yes there's missing services and so on but they could run if needed.
It's not a virtualization joke, it's more of a "we put flatpak in your flatpak so you can flatpak while you flatpak" recursion joke.
Most system libraries are included in runtimes that are shared among applications.
Sounds more and more like flatpak is a distribution atop of a distribution.
Good you can share libs, although I can't see sense in sharing more than the absolute basic libs, and even then some applications will need different versions of the basic libs.
What is your opinion on Nix?
From what I gather nix is more of a next generation package manager than a application container/sandbox which means potential security problems with old libs could be less, or rather they are probably at the same level as rpm/deb.
I don't see any problems with rpm/deb/etc. ending up getting the boot by nix or another package manager just because they are better, that's just evolution.
As someone said about flatpak/snap that their 'hidden' strength is distribution of proprietary software, that's fine by me if that's the main usage of them.
The sandbox feature can be solved by SELinux/docker/and several other ways depending on usecase.
Sandboxing is not the main feature of Flatpak/Snap, being able to ship an app for various distributions without having to configure them separately is. Docker/Podman can do that, but then you would actually be shipping an entire distro.
Regarding docker/podman that's why I wrote depending on usecase, for servers it makes sense to distribute because of scalability, on a single user OS it does not.
From what you write I guess that nix does the distribution part of flatpak, so that seems fine, there's probably a catch/limitation somewhere, there usually is, but it could be an acceptable one.
This is Docker's whole shtick, and look how popular that is 🤷♂️
Docker is made for servers, it's totally a different usecase.
I am not anti VM and docker, I just don't think we need more levels of indirection in the OS, I also don't think a distro based heavily on flatpak will be any good, one thing is sure it will be using a lot of diskspace and memory, as there's no sharing of libs. And if flatpak starts sharing libs it just re-invented the GNU linker.
I mostly agree with those points.
Flatpak does support sharing 'libraries' (although not in the way you mean), however from my perspective the main problem is developers referencing
Kde-Framework-420.69.1
, and others referencingKde-Framework-420.69.1-rc1
or various other variations of very similar dependencies, which tends to eat up additional disk space. I'm personally not too bothered by it, but that's only because I have the storage space for that.With flatpak's shtick being isolation and a consistent runtime environment, I doubt there'll be true sharing of linked libraries and the associated memory space, so excess RAM usage and disk space as you've mentioned.
The distros based on Flatpak (can't remember the names right now sadly) are mostly immutable ones, where the base system remains untouched, and in that scenario I think it makes the most sense, particularly in education.
The instances I use flatpak are slightly similar to that, with the difference being the libraries available in the base system may be too old to run the application natively
I believe the immutable distros you're referring to are Fedora Silverblue and Fedora Kinoite.
I just feel like you could have provided alternatives? How is it solved? Genuine question..
Package managers like apt or rpmn(or whatever for your distro) are the standard way to install software. If there's a good reason to avoid them, OK, but no good reason was stated here.
@orcrist @lambda
There definitely is a problem that flatpak is trying to solve. That problem is dependency hell.
This most often (or rather most famously) occurs with python packaging. Sometimes you can have one package that requires a version that is incompatible with another version that another package requires. That's why people use python venv these days (or just use pipx).
IMO a better way of solving this is with nix. With nix, it doesn't require a container, it just builds in isolation.
Thing is, this will probably end up a VHS vs Beta Max.
I am very impressed by nix. I have tried nixOS and it was very nice. But, I might have to try the package manager as a standalone to see how I like that.
@lambda a lot of people do nix-env -ia nameOfPackage. I would recommend doing it properly with a file, and you just direct that command to the file (I would probably setup an alias). It gives you that declarative nature that nix is known for.
I'll try that for sure. I need to lookup if nix packages work on Steam Deck..
@lambda they should if you use the single user command. The command that does it for the whole system requires root access, something you don't have on the deck.
You can get root very easily. But, updates wipe out all but your home directory. So, I think you'd do the single user that you are referencing for that reason.
@lambda
Oh I didn't know, I just remembered reading that it utilizes an immutable filesystem and thought that it also doesn't give root access as well. That's good to hear though.
Yeah, it's immutable until you run the command
steamos-readonly disable
IIRC.@lambda
Oh, good on valve for making that easy to undo, albeit until you update.
Basically you install the application inside a little OS with dependencies each time you install a flatpak, that OS is rarely updated with security patches and most of the time has full access to the host OS. https://flatkill.org/
This is a lazy and insecure way of distributing applications with no real benefits.
Exactly. The QA of flatpaks is done in “trust me bro” framework. You can just go back to windows at this point.
If I install a package on my distro I know it went through a shitload of testing and I can be sure I am not installing some crap on my system.
I don't know what distro you use, but packages in their repos have "maintainers" that are usually volunteers. Downloading from repos from the distro is trusting whoever the maintainer is there. I don't see how that is any better than a flatpak.. At least with Flatpak many packages are maintained by the developer. I believe that would be more secure.
Major distros are usually backed by a compamny which provides enterprise version. Maintainers are actually employees paid for their work. Even if you pick a derivate distro you will inherit that testing process. So please get your facts straight before talking, you obviously need it. Here how it is done: https://openqa.opensuse.org Each package update, distro install process goes through automated testing. This detects bugs, dependency issues, you name it. If something fails package goes back for human review. And as you can see it is an open process which YOU can review any time.
So… how are the flatpaks tested? Please show me some facts. I am interested in this new “trust me bro” QA framework.
You are very confrontational. I love being proven wrong so that I can learn more. But, your language is belittling. I hope my message didn't come across that way.
Either way, looking at DistroWatch OpenSuse is about the #10 most popular Linux OS. MxLinux, Linux Mint, Debian, and Ubuntu are all debian based and above OpenSuse. Debian is by volunteers according to the Debian Package Maintainers Guide. So, I would think that the most-popular distros (especially in the non-professional world) are maintained by volunteers.
That comes with nuance though and I understand that. For instance, debian is celebrating 30 years. In that time I am sure many package maintainers have probably done this for very long amounts of time. So they are probably more worthy of trust than some Flatpak maintainers. But, when a flatpak is maintained by the developer (not that common in my experience) I would trust them the most.
Now, something I wasn't aware of until someone else linked it is how bad Flatpak is as a sandbox. But, I never used it wanting a sandbox. I like it for the isolation of libraries (Dependency Hell). Updating my OS never breaks any packages, because the libraries are separated.
As for qa testing. It would be on a per-package stand point. I see how helpful that is. But, I'm not installing any command line utilities through Flatpak. Just desktop apps, like browsers, game launchers, etc. So, maybe we are talking about different types of packages..
I'm not convinced Flatpaks are inherently worse than packages from the OS's repos themselves. But, I will be trying nix package manager as a replacement.
You were responding to my reply to someone else... but ok I guess. I am not here to convince you about anything. It's not my problem what you install on your thing. I just don't like misinformation spread based on ones believes and feelings, belittling work of whole teams of maintainters and QA staff which is core of why you can trust Linux ecosystem. Them being paid or not is not being relevant.
You belittled the work of Flatpak maintainers.
Then you belittled anyone using Flatpaks.
All I said was that they are not too different. You are right about some OS's having paid staff who have setup some great QA to handle it though. But, at some point you are "trust me bro"ing someone, paid or not.
Not a single person including you here was able to show any hint of package maintenance process, QA standard any kind of security awareness.
And I am saying it's an uneducated statement which fails to back itself miserably.
Dude... really? Quite a desperate attempt to make an argument. Yes at some point people are just atoms stuck together ... a human being is not different from rock if you twist the point of view enough. This is just you pushing smoke in the room because you have nothing to back up what you are saying. There is a huge difference in trusting blindly and trusting because you have transparency in processes and standards which are followed.
So if flatpak and distro repository is not so different... please show me any published standards or processes that are followed to ensure that flatpak is secure, up to date, without obsolete libraries. Would be cool to see there some transparency. Please show me that I am as secure and stable as while running OpenSuse on my machine at home.
Flathub has verified apps. This means the build either comes directly from the developer of the app itself or someone that they approved to distribute their app through Flathub. That's kinda the ultimate QA to me. If the developer of the app can't be trusted then who can? Other than that, the only checks are the community.
@lambda @BeigeAgenda
Imo a better alternative to flatpak is the nix package manager, but as I said to the other guy this'll most likely end up a VHS/betamax situation.
Both things are trying to solve dependency hell in different ways. Flatpak just builds and runs everything in a container, where as nix sets up virtual environments and builds things in isolation with per package dependency trees in an effort to make builds entirely reproducible (to the point that no matter what system you compile on, you will get the same hash).
Edit: as the other guy said, just use your systems package manager unless it doesn't exist in the repo and you can't be bothered to package it yourself. It's the standard recommended method.
How does your server instance here on Lemmy show as "null" it's not even a URL??
@lambda it's not a Lemmy server, it's a mastodon server. I assume it has something to do with that.
Oh, I didn't know they are intercompatible..