this post was submitted on 04 Mar 2025
152 points (98.1% liked)

Linux

53346 readers
628 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
nooter692@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz
152
Can I ignore flatpak indefinitely? (lemmy.sdf.org)
submitted 1 month ago by krakenfury@lemmy.sdf.org to c/linux@lemmy.ml
92 comments fedilink hide all child comments
 

I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.

I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?

Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?

Is it because developers are often using dependencies that are ahead of release versions?

Also, how is it so much better than images for your applications on Docker Hub?

Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.

you are viewing a single comment's thread
view the rest of the comments
[–] cypherpunks@lemmy.ml 41 points 1 month ago* (last edited 1 month ago) (8 children)

Downsides of distro pacakges:

  • someone needs to package an application for each distro
  • applications often need to maintain support for multiple versions of some of their dependencies to be able to continue to work on multiple distros
  • users of different distros use different versions of the application, creating more support work for upstream
  • users of some distros can't use the application at all because there is no package
  • adding 3rd party package repos is dangerous; every package effectively gets root access, and in many cases every repo has the ability to replace any distro-provided package by including one with a higher version number. 3rd party repos bring the possibility of breaking your system through malice or incompetence.

Downsides of flatpak:

  • application maintainers are responsible for shipping and updating their dependencies, and may be less competent at doing timely security updates than distro security teams
  • more disk space is used by applications potentially bringing their own copies of the same dependencies

🤔

[–] argon 29 points 1 month ago* (last edited 1 month ago) (1 children)

Another upside is the easy permission management.

You can revoke network access from your password manager to reduce attack surface; you can revoke camera access from your chat app to prevent accidentaly enabling it; You can restrict an app's file system access to prevent unwanted changes; etc.

It's not yet fit to protect from malicious apps, but it still finds some use.

[–] cypherpunks@lemmy.ml 6 points 1 month ago

It’s not yet fit to protect from malicious apps, but it still finds some use.

That it is "not yet fit to protect from malicious apps" is an important point which I think many people are not aware of.

This makes sandboxing something of a mixed bag; it is nice that it protects against some types of incompetent packages, and adds another barrier which attackers exploiting vulnerabilities might need to bypass, but on the other hand it creates a dangerous false sense of security today because, despite the fact that it is still relatively easy to circumvent, it it makes people feel safer (and thus more likely to) than they would be otherwise when installing possibly-malicious apps packaged by random people.

I think (and hope) it is much harder to get a malicious program included in most major distros' main package repos than it is to break out of bubblewrap given the permissions of an average package of flathub.

load more comments (6 replies)