I hope to see these turn out to be (for the end user) like .exe and .msi packages are on Windows in the sense that installing something is easy. No more dependency hell please!
Announcement
Collapse
No announcement yet.
Snappy Packaging Happenings In The Fedora, Arch Space
Collapse
X
-
Originally posted by profoundWHALE View PostI hope to see these turn out to be (for the end user) like .exe and .msi packages are on Windows in the sense that installing something is easy. No more dependency hell please!
With Snaps containing the whole kitchen sink of every lasr single .so dynamic library that a piece of software might cal into (hence the giant GB-sized LibreOffice snap)
(This is somewhat reminiscent of the good old dos-gamimg days, where every gmaes came packaged with all its things included together)
And Flatpak defining a set of basic libraries and versions that should be available on any Flatpak-compliant distro and installed together with the flatpak support, and can be targetted by the software developers. (Thats similar to how Steam for Linux comes with a set of libraries, that can be targeted by the port,no matter which distro it is running on).
(Its also distantly reminiscent of how Windows and Mac OS X work by giving a fixed and known list of deps to work with)
Now whether this idea is good is an altogether different question.
My opinion is that this gives some solution for the developers of closed-source software (with Steam having set a nice precedent).
But for anything else where the source is available, 3rd party packge repositories like Suse's Openbuildsys, or Ubuntu's PPA are the superior approach.
My main complain about this paks approach is that this results in increased vulnerabilities due to duplicated dynamic libraries everywhere.
Compare a vulnerability in Linux: openssl was crappy, but it got fixed. You just upgrade your systems' main copy in /usr/lib(64) and you're good to go. It gets fixed once for all.
Compare a vulnerability in Windows: WMF handler has proven to be exploitable for arbitrary execution (or the tiff handler is exploitable for out-of-band access). Now the copy of .DLL that every single needs to be upgraded to patched version. Some developers haven't provided any upgrade. Some developers don't exist anymore. You might have patched all microsoft software (e.g.: ms office), but there is still an obscure old tool that is vulnerable.
Comment
-
Originally posted by Cerberus View Post
They will certainly enable it, there is no reason not to, I believe all distributions will support both snaps and flatpaks, everyone will benefit from them.
there is no reason for distros that don't bet on any solution, Fedora is making bet on flatpak. enabling it by default without ubuntu doing the same for flatpak would practically spell the flatpak being downgraded as secondary choice since it doesn't work everywhere.
Comment
-
Originally posted by DrYak View Post
That's the purpose of both, with subtle details in the implementation
With Snaps containing the whole kitchen sink of every lasr single .so dynamic library that a piece of software might cal into (hence the giant GB-sized LibreOffice snap)
(This is somewhat reminiscent of the good old dos-gamimg days, where every gmaes came packaged with all its things included together)
...
My main complain about this paks approach is that this results in increased vulnerabilities due to duplicated dynamic libraries everywhere.
Compare a vulnerability in Linux: openssl was crappy, but it got fixed. You just upgrade your systems' main copy in /usr/lib(64) and you're good to go. It gets fixed once for all.
Compare a vulnerability in Windows: WMF handler has proven to be exploitable for arbitrary execution (or the tiff handler is exploitable for out-of-band access). Now the copy of .DLL that every single needs to be upgraded to patched version. Some developers haven't provided any upgrade. Some developers don't exist anymore. You might have patched all microsoft software (e.g.: ms office), but there is still an obscure old tool that is vulnerable.
Comment
-
Originally posted by Mystro256 View Postbut I completely agree with you when it comes to security concerns. I feel like flatpak has a better solution here, as it reduces the duplication a bit, which is better for size and security patching.
- update 'flatpak-base.rpm' (or whatever is the equivalent of steam.rpm in the flatpak world)
vs.
- update every single last snap (which might not by 1Gig, but is still very big) affected by the bug
The former is definitely both simpler and a much smaller attack surface than the later.
(And either is beaten by "simply update '{buggy-package}.rpm' and all package referencing it will be secure (don't forget to restart software already running)".
But that requires availibilty of the code, so that the software referencing it is simply an RPM which is part of your base distro or automatically built by a 3rd party repo maintainer, instead of a binary monster released by the developer)
- Likes 1
Comment
-
Originally posted by DrYak View Post
Yup, it's
- update 'flatpak-base.rpm' (or whatever is the equivalent of steam.rpm in the flatpak world)
vs.
- update every single last snap (which might not by 1Gig, but is still very big) affected by the bug
Comment
-
Originally posted by mhall119 View Post
Both flatpak and snaps have a shared "base" that all the apps use. If the software that needs updating is in that base, then for both flatpak and snaps all you have to update is the base. If the software that needs updating is not in the base, then for both flatpak and snaps you need to update each app that includes it. There is no difference between the two solutions when it comes to this.
I was under the impression that snap had minimal runtime while flatpak provided quite a few libraries to be shared by the flatpak apps (GTK for example). A runtime like this means smaller package sizes and easier to patch for security issues, as less static libraries are required.
Comment
-
Originally posted by Mystro256 View Post
I'm pretty sure he/she's talking about the flatpak runtime. Does snap have a runtime? Because this is the first I've heard of this.
I was under the impression that snap had minimal runtime while flatpak provided quite a few libraries to be shared by the flatpak apps (GTK for example). A runtime like this means smaller package sizes and easier to patch for security issues, as less static libraries are required.
Runtimes are supported in snaps. While technically there's no specific "type" of snap, it's possible to build a snap that contains common libraries and services that can be connected to other snaps. This is done through the "plugs" and "slots" that can be used to create interfaces among them. This is a true superset of the capability provided by Flatpak through Portals, since it can be used to export non-DBus oriented communications mechanisms. This is described on the Snapcraft documentation[0].
Comment
-
Originally posted by telemachuszero View Post
Apparently it does have features that enable runtime-like snaps, and KDE and ElementaryOS plan on releasing their apps + 'runtime' snap for them - from the linked mailing list post:
Comment
Comment