this post was submitted on 23 Aug 2023
468 points (98.1% liked)
Linux
48372 readers
2087 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
and better than snaps in experience..
@bear
Thank you for the very clean and clear explanation. I'll have to give them another chance.
All of that is good but you are overlooking the small detail that installing flatpack implies using up a lot more disk space than just pulling a distro package.
I can point one specific example with libre office: 3.9GB for the pack vs 785MB for the .deb.
We can argue disk space nowadays is cheap but overloading a machine with duplicated packages also goes against the main goal of running a Linux.
When I first started using it, one of the talking points was that Linux kept the system clean of clutter and that improved longevity for the hardware and delivered stability by not having unnecessary and unused or orphaned and redundant libraries and dependencies.
With flatpacks we get the latest and greatest - I'm a debian fan and I hurt for not getting more up to date software - but we are carting in a ton of junk that should not be necessary.
And the container/sandbox part is not that great, apparently. Debian wiki links to this to further educate/alert on the down sides of flatpacks. Debian is not the ultimate bearer of truth but they do move a lot of respect.
The 3.9GB is not just libreoffice, that number also includes runtimes. At most you would only install maybe around half of your host systems’s packages in runtimes for all the apps you use. There shouldn’t be any more usage than that. And even less if you stick to apps that fit your DE. Like if I just stuck to apps that used the gnome runtimes, I would have a pretty minimal installation.
Unfortunately, the dependency problem is really hard to solve, and at least they deduplicate what they can. Everything else works perfectly as well besides some minor issues with the sandbox connecting to the host system in certain edge cases.
Also please don’t link flatkill, it’s woefully outdated and every point on there has been addressed for years; it should be taken down.
You already have most of the major dependencies installed natively as they are depended on for many other packages, and you're not including the space they take up as part of installing the native package, but you are including them as part of the flatpak.
Flatpaks literally improve this. The core system itself remains extremely minimal and lean when you use containers, in both the server and desktop space. This greatly improves stability and longevity. We all know how much of a pain it is to do a point release upgrade on a system with tons of installed software. Flatpaks do not have this problem because they are independent of the system and each other.
It is necessary, and it's not junk.
Much like Debian packages, the Debian wiki is stale and outdated.
I'm learning as I go. Having imput on my talking points is always a good thing.
I remember dipping my feet into the Linux pool, through Debian, searching online for a given tool/program, just to get disappointed as I wouldn't have it or the version available from the repositories was extremely outdated or some library required to run it would be as well.
And back then I remember thinking it would be great to have some way to get access to more recent software versions with all the necessary dependencies to run it from a realiable source.
But one thing I always thought should be obligatory was that during installation of such programs, only the resources absent from the system would be added to the installation/system and any other resource bundled would be automatically discarded, thus saving disk space and avoiding redundant libraries present on the system.
Do flatpaks have such working structure?
I am not a programmer of any sort and up until now, everything single information I've read states these sources throw every necessary resource it require for running into the system storage, regardless if some/all are already available per the system or other programs.
For me, this implies if I run 12 different programs that share, let's say 2 libraries, for the sake of this conversation, and such libraries already exist in the base system, by using flatpaks to install each program I'll be adding 24 redundant files to my hard drive.
For someone that usually runs entry level hardware, as I do, the storage getting full(er) translates into an heavier, sluggish system. Not to mention that only this year, I'll be finnally running a machine with more than 500GB of storage. Storage space is a concern for me.
When I read on my distro "app store" that installing Libre Office from a flatpak would require 3.9GB after installed versus less than 1/4 of that if opting for the repo pack, the math wasn't hard to make.
Where am I missing here? What am I failling to understand regarding flatpacks?
Easier system maintenance is a plus, per your words. I'm sold on that point.
It's possible, but rarely allowed because that would produce instability. Linux programs are built to rely on a specific version of a library. Depending on how much actually changes, you can sometimes get away with using a different version than the one it expects, but the more it changes the riskier it gets.
One of the major goals of flatpaks was to create a way for developers to ship one build that was guaranteed to run the same regardless of distro or environment. The isolation is very much the point. It does use more storage space, but in most cases it's not enough to matter. When storage space is at a premium, yeah, you generally want to avoid containers. They trade space for stability.
Pretty much everything in the Linux space is converging on this concept. Desktop is moving to immutability with flatpak apps. The server space has been entirely taken over by containers. Even Valve has shipped a separate Linux runtime for as long as they've officially supported it, and they're progressing on deeper containerization. You can direct it to run against your native packages instead of the runtime, but it's rarely a good idea.
The point is that it gives developers a single target that they can all rely on, instead of having to account for 20 distros with multiple still-supported versions each. And believe me, these efforts have made Linux so much easier as a user as well. It used to be that lots developers only targeted Ubuntu. Trying to get anything to run on another system was off like pulling teeth. Now, you can almost always expect to find a flatpak instead which runs on any distro.
You mind if I poke the subject for a little more? It is opening a new understanding for me.
Please keep in mind I'm not a programmer, to any degree.
As per what you are explaining, flatpaks working remembers me of a flower blooming on a tree: it uses resources provided by it, adds functions to it but doesn't alter it in a significant fashion.
But again on the space saving and version controlling.
Let's take a given flatpak, where 50 libraries are shipped with it to ensure it works properly, on any given distro.
As you already said, library versions between distros can vary wildly but would it be that difficult to have a script running pre installation (I think "connection" is more adequate to describe the process at this point) to check for what already available required resources exist on the system to avoid redundancies?
I can understand that by having this sort of an homeostatic environment aids in assuring a given program will be capable of running on any machine but I can't shake the intuition that at some point this will backfire. It's not hard to imagine software to be kept relying on older, perhaps unsafe or not as streamlined versions of given libraries just because the developer is not that motivated to make whatever changes necessary to keep up to date with the new versions, as their software already runs as expected.
I'll risk it and try it.
What does known-good mean? What if a security vulnerability is found in one of the dependencies. With an old-style distribution there is a security team that monitors security reports and they will provide a fixed package. With flatpaks it's not clear to me if those developers will monitor each dependency for security vulnerabilities and how they will handle that. Will users even be informed about a security issue, will a fix be backported or will it only be available in the latest version?
Known-good meaning a tested and working configuration approved by the developers/maintainers.
Flatpak is just another model of distribution. There isn't really anything that needs to change here. The bugs are fixed upstream and they get pushed via the method of distribution, which is Flathub in this case.
The security team in a given distribution is charged with getting upstream fixes backported and shipped. There's no need for this role because they're just shipped directly in most cases.
The developers are usually the ones doing the fixes in the first place.
Well, fixes don't normally need to be backported because flatpaks are usually fresh. They're just built normally in most cases.
For notifications, you'd have to follow the relevant projects directly.
There are a few assumptions in here in order for that to work: the known-good version needs to be the latest upstream version (otherwise you might not have the latest security fixes) and users need to be comfortable always using the latest flatpak version. Some users might be more comfortable staying on a known stable version for some time.
Right, and each project will have its own way of handling security issues (particularly when it comes to older versions). Will they point out that versions x - y of their flatpak are affected by a security issue in component z?