this post was submitted on 17 Feb 2024
173 points (93.9% liked)

Linux

48356 readers
493 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Basically title.

I’m wondering if a package manager like flatpak comes with any drawback or negatives. Since it just works on basically any distro. Why isn’t this just the default? It seems very convenient.

you are viewing a single comment's thread
view the rest of the comments
[–] TCB13@lemmy.world 53 points 9 months ago* (last edited 9 months ago) (4 children)

Yes, I love it and don't get me wrong but there are many downsides and they all result from poor planning and/or bad decisions around how flatpak was built. Here are a few:

  • Poor integration with the system: sometimes works against you and completely bypasses your system instead of integrating with it / using its features better. To me it seems more like the higher levels are missing pieces to facilitate communication between applications (be it protocols, code or documentation) and sometimes it is as simple as configuration;
  • Overhead, you'll obviously end up with a bunch of copies of the same libraries and whatnot for different applications;
  • No reasonable way to use it / install applications offline. This can become a serious pain point if you're required to work in air gapped systems or you simply want to level of conservation for the future - it doesn't seem reasonable at all to have to depend on some repository system that might gone at some point. Note that they don't provide effective ways to mirror the entire repository / host it locally nor to download some kind of installable package for what you're looking for;
  • A community that is usually more interested in beating around the bush than actually fixing what's wrong. Eg. a password manager (KeePassXC) and a browser (Firefox/Ungoogled) both installed via flatpak can’t communicate with each other because developers seem to be more interested in pointing fingers on GitHub than fixing the issue.

Flatpak acts as a restrictive sandbox experience that is mostly about "let's block things and we don't care about anything else". I don't think it's reasonable to have situations like applications that aren't picking the system theme / font without the user doing a bunch of links or installing more copies of whatever you already have. Flatpak in general was a good ideia, but the system integration execution is a shame.

[–] beejjorgensen@lemmy.sdf.org 16 points 9 months ago (1 children)

The double-edged sword of isolation.

On the one hand, poor communication between apps and waste of storage.

On the other, relative safety from malicious applications, or from otherwise-safe applications built on top of a thousand libraries none of which have been audited by the dev.

I don't know how it's going to go down, but I suspect something will come along to address these issues and snatch the market away from Flatpak.

[–] TCB13@lemmy.world 10 points 9 months ago* (last edited 9 months ago) (1 children)

but I suspect something will come along to address these issues and snatch the market away from Flatpak.

I believe it could only be fixed by a team from GNOME or KDE, they're the one in a position to develop something like Flatpak but deeply integrated with the system instead of trying to get around it.

For what's worth Apple did a very good job when it came to the isolation and containerization of desktop applications, but again only possible because they control both sides.

Apple enforces a LOT of isolaton, they call it sandboxed apps and it is all based on capabilities, you may enjoy reading this. Applications get their isolated space at ~/Library/Containers and are not allowed to just write to any file system path they want.

A sandboxed app may even think it is writing into a system folder for preference storage for example - but the system rewrites the path so that it ends up in the Container folder instead. For example under macOS apps typically write their data to ~/Library/Application Support. A sandboxed app cannot do that - and the data is instead written beneath the ~/Library/Containers/app-id path for that app.

And here's how good Apple is, any application, including 3rd party tools running inside Terminal will be restricted:

I bet most people weren't expecting that a simple ls would trigger the sandbox restrictions applied to the Terminal application. The best part is that instead of doing what Flatpak does (just blocking things and leaving the user unable to to anything) the system will prompt you for a decision.

I believe this was the best way to go about things but it would require to get a DE team to make it in a cohesive and deeply integrated with the system. Canonical could do it... but we all know how Canonical is.

[–] Zamundaaa@discuss.tchncs.de 3 points 9 months ago (1 children)

The best part is that instead of doing what Flatpak does (just blocking things and leaving the user unable to to anything) the system will prompt you for a decision.

No, Flatpak isn't the problem here, portals for these things exist. The problem is that apps would have to use them, and unlike Apple, there's noone restricting the old / unrestricted ways of doing things... So apps usually don't port over to the portals.

Even where the unrestricted APIs stop working, like with screen capture and Wayland, apps are excruciatingly slow to port over, because they don't get kicked from app stores for it, and because many users can still fall back to using the old system.

[–] TCB13@lemmy.world 1 points 9 months ago* (last edited 9 months ago) (1 children)

While what you say is true, the "portals" were an afterthought, an imposition to developers and a cumbersome and poorly documented solution. Just like the theming and most other things.

Instead of bluntly blocking things why can't Flatpak just simulate a full environment and just prompt the user whenever some application wants to read/write to file / unix socket at some path? A GUI capable of automatically enumerating those resources and a bunch of checkboxes like "app X and Y both have access to socket at /var/run/socketY would also solve most of the issues.

[–] Zamundaaa@discuss.tchncs.de 2 points 9 months ago (1 children)

Instead of bluntly blocking things why can't Flatpak just simulate a full environment and just prompt the user whenever some application wants to read/write to file / unix socket at some path?

Because the user getting a hundred popups on app start for various files the app needs isn't exactly a usable experience. Also, blocking the app's main thread (which is the only way you could do this) is likely to break it and cause tons of user complaints too.

Aside from apps using the APIs meant for the purpose of permission systems, there's no good way to make it work.

[–] TCB13@lemmy.world 1 points 9 months ago (1 children)

Because the user getting a hundred popups on app start for various files the app needs isn’t exactly a usable experience

It doesn't but until apps can declare on a simple config file what paths they require that's the way things should work. I guess that would motivate the developers who are packing into Flatpaks to properly list whatever files the application requires. If they don't, then the application will still work fine but be a bit annoying.

Also, blocking the app’s main thread (which is the only way you could do this) is likely to break it and cause tons of user complaints too. Aside from apps using the APIs meant for the purpose of permission systems, there’s no good way to make it work.

Yet, macOS does and things don't go that bad, on the example how do you think they do it for command line tools? The system intercepts the request, show the popup and wait for the user input. I've seen the same happening with older macOS applications that aren't aware it could happen and yes, the main thread is blocked and the application seems to crash.

I thinks it's way better doing it this way and still have a somewhat productive container and isolation experience than just bluntly blocking everything - something that also breaks apps sometimes.

[–] Zamundaaa@discuss.tchncs.de 1 points 9 months ago* (last edited 9 months ago)

until apps can declare on a simple config file what paths they require

They can, and always could. Apps aren't doing it, most Flatpaks have just blanket "allow ~/Downloads" or "allow all of home" permissions by default - or no file permissions, and you have to go grant them manually yourself.

Again, unless apps actually support it, no matter how good the security system is, it won't work out.

[–] 0485919158191@lemmy.world 4 points 9 months ago

Thanks for your comment! Both positive and negative for sure.

[–] Pantherina@feddit.de 3 points 9 months ago (1 children)
[–] okamiueru@lemmy.world 2 points 9 months ago (1 children)

Do you know if flatpak leverages the memory side of this? With shared libs, you only keep one copy in memory, regardless of how many applications use it. Makes application launch faster, and memory usage lower.

For flatpak, it of course will load whatever it needs to load, but does it manage to avoid loading stuff across other flatpaks?

[–] Pantherina@feddit.de 1 points 9 months ago

Thats a good question that came to my mind too, idk

[–] melroy@kbin.melroy.org 2 points 9 months ago

The reason I don't wanna use flatpack