Flatpak 1.5 Released With Version Pinning, Self-Updates In Portals
Originally posted by Oddsocks:
At the expense of having other run times, which means more disk space consumption but these days I think that's less of an issue due to the size and cost of storage. I do wonder more about the security side of things. You're still 'bundling', even if you're leveraging someone else's bundles. Personally I don't think flatpaks come even close to being as good as RPM or DEB but I also think the use case is different.
Because of how the runtime system works, when the runtime gets updated your application gets the updated library, and Flatpaks serve a more specific purpose than rpms/debs. I think rpms/debs are always going to stick around for system software, which Flatpak isn't designed to handle.
Originally posted by Oddsocks:
Honestly, is that really an advantage? These days, for the end user, launching of applications is abstracted away through the UI. It's not like you go trawling your file system to launch Firefox. For me a package manager is exactly what I want, tracking everything, as it's far more powerful than just installing and uninstalling. Lack of good package management on other OSes like Windows and macOS is what I miss.
Originally posted by Oddsocks:
I'm struggling to make the connection there with roaming profiles.
Originally posted by Oddsocks:
Depends if you like JSON and YAML I guess. I actually find SPEC files easier to read but I guess it's mostly preference.
Originally posted by Oddsocks:
I'm not sure how that doesn't hold true for native package management?
Originally posted by Oddsocks:
This has not been my experience with flatpaks, almost the exact opposite - probably due to the sandboxing and isolation.
Originally posted by tildearrow:
Because in most cases, native package managers install the dependencies in a monolithic way, causing apps to break completely on API breaks.
I couldn't run KDevelop anymore after updating it due to a missing newer version of libevent.
Originally posted by tildearrow:
This is my number one complaint with Flatpak. What if I don't want sandboxing?
Originally posted by Britoid:
Because of how the runtime system works, when the runtime gets updated your application gets the updated library, and Flatpaks serve a more specific purpose than rpms/debs. I think rpms/debs are always going to stick around for system software, which Flatpak isn't designed to handle.
Originally posted by Britoid:
Yes, it is being able to see how much storage an application's files and data are using. It's also a security thing: rpms/debs get root on install and can potentially install something malicious, not a flatpak. This is fine for system software, not for third-party desktop applications.
Originally posted by Oddsocks:
But you don't have to use flatpak to know that, but even so it's not a feature I find particularly compelling. Well firstly, modern package managers use signed packages signed by your distro, so even if they install as root it really isn't a big deal. At some point you have to trust. That is no different for flatpaks. Secondly, let's be honest, root access is not required to install something malicious. Root access just provides more opportunity. It's perfectly possible for a flatpak to install something that runs as "you" and does something malicious.
As for installing malicious things, that's what the sandboxing is the basis for combating. Bear in mind that Flatpak is being implemented incrementally, with each phase increasing the sphere of viable use cases. "GUI where the user can see which permissions are requested and refuse the package" is a later-stage feature because the first stage was to stabilize the standard, the second was to stabilize the command-line tooling and core libraries, and the third is to build out the GUIs.
(In fact, it'd probably be more accurate to say that the third stage is to build out the portal hosts and the fourth stage is to build out the GUIs surrounding installation.)
The purpose of the sandboxing is to make it possible to trust that the package can only do what it says on the can, as necessarily vague as that may be when generated from a sandbox manifest. (It also acts as an incentive for upstream developers to design to sandbox nicely, since it'll result in a friendlier-looking manifest readout.)
Last edited by ssokolow; 05 October 2019, 08:03 AM.
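As an added example (not code from any commenter or from the Flatpak project), here is a small Python audit of the "manifest readout" ssokolow refers to: it reads a constructed flatpak-builder manifest and separates finish-args that grant one scoped capability from those that widen the sandbox far beyond what the app nominally needs. The app id is constructed, and which grants count as "broad" is my own categorisation, not a Flatpak-defined one.

```python
import json

# finish-args that hand the app far more than one scoped capability. The descriptions
# and the choice of which args count as "broad" are my own (an assumption), not a
# Flatpak-defined severity scale.
BROAD_PERMISSIONS = {
    "--filesystem=host": "read/write access to the whole host filesystem",
    "--filesystem=home": "read/write access to the entire home directory",
    "--device=all": "access to every device node under /dev",
    "--socket=session-bus": "unfiltered access to the session D-Bus",
    "--socket=system-bus": "unfiltered access to the system D-Bus",
    "--socket=x11": "X11 has no client isolation, so other windows and input are exposed",
    "--share=network": "unrestricted network access",
}

def audit_finish_args(manifest: dict) -> dict:
    """Split finish-args into broad grants (with an explanation) and scoped ones."""
    broad, scoped = [], []
    for arg in manifest.get("finish-args", []):
        if arg.endswith(":ro"):          # read-only filesystem grants are treated as scoped
            scoped.append(arg)
            continue
        desc = BROAD_PERMISSIONS.get(arg)
        if desc:
            broad.append((arg, desc))
        else:
            scoped.append(arg)
    return {"broad": broad, "scoped": scoped}

# Constructed sample manifest (not a real app) in flatpak-builder's JSON layout.
SAMPLE_MANIFEST = json.loads("""
{
  "app-id": "org.example.Editor",
  "runtime": "org.freedesktop.Platform",
  "finish-args": [
    "--share=ipc",
    "--socket=x11",
    "--socket=wayland",
    "--filesystem=home",
    "--filesystem=xdg-config/fontconfig:ro",
    "--share=network"
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(audit_finish_args(SAMPLE_MANIFEST), indent=2))
```

Point the same function at a real manifest's parsed JSON to get the list of grants a user would have to accept before trusting the package.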
Originally posted by Oddsocks:
That sentence just doesn't compute. That's exactly what good package managers prevent and for the most part is entirely their point. The problems start when you use stuff outside the knowledge of the package manager.
Originally posted by tildearrow:
...which is why in my opinion the package manager should be used only to install "system" libraries. The rest can be done through Flatpak, AppImage, Snap or a custom bundling solution.
Originally posted by ssokolow:
The problem is that you see a lot of people using third-party package sources (eg. PPAs) because the official repositories don't have what they want. Flatpak is designed to address that user behaviour.
Originally posted by ssokolow:
As for installing malicious things, that's what the sandboxing is the basis for combating.
The purpose of the sandboxing is to make it possible to trust that the package can only do what it says on the can, as necessarily vague as that may be when generated from a sandbox manifest. (It also acts as an incentive for upstream developers to design to sandbox nicely, since it'll result in a friendlier-looking manifest readout.)
Originally posted by Oddsocks:
OK, so we're solving the issue of using 3rd party repositories by using a 3rd party repository? You don't see the irony? Secondly, unless all possible software is available as a Flatpak, it does not solve that "issue" either.
Each package installed via Flatpak is one less package installed through a system without native sandboxing.