Well, 2024 should be interesting for Linux packaging! While many distributions use different packaging formats like deb, rpm and others, there's also Flatpak for cross-distro support. But we also have Canonical's Snap, which is going to get improved cross-distro support.
Writing on Mastodon, developer Zygmunt Krynicki mentioned: "I will be returning as a snap developer later this month. My main focus will be cross-distribution support. Unlike in the past this will be my full time job. I'm very excited for what is ahead for snaps." It's interesting to see Canonical paying developers to work on this (and it's a good thing too)!
Pictured - The Snap Store
Packaging is always a real sore spot for Linux, and it leads to a fair amount of confusion. Just like the sheer number of Linux distributions, it has upsides and downsides, of course. You don't get innovation and improvements by always sticking to one single thing, and the power of open source is that people can often just work on whatever they want.
Still, it would be nice no matter what distribution of Linux you pick, if we can just tell people to "go here" to get whatever app it is they're after rather than having to do a support-dance to find out their specific distribution and version to see what's available to find out how they can grab something.
> Still, it would be nice no matter what distribution of Linux you pick, if we can just tell people to "go here" to get whatever app it is they're after rather than having to do a support-dance to find out their specific distribution and version to see what's available to find out how they can grab something.
We already can. The "app store" interfaces like Discover don't care if you're on a distro that uses debs, rpms, or whatever, or if you're pulling snaps from snapcraft or flatpaks from flathub; they'll just present a list of applications and an install button. Packaging formats are only of interest to distro maintainers and angry people on the Internet - end users have no reason to care.
The store apps do not solve this though. They give a nice interface and a way to grab them, but they're still dependent on whatever packaging system they have linked in behind them. Some distros don't have Flatpak at all, some need it manually enabled, some have Snap, some don't have Snap, some have neither and only use deb/rpm etc. It's not even remotely solved yet.

> They give a nice interface and a way to grab them, but they're still dependent on whatever packaging system they have linked in behind them

Just a small side note (and apologies for being a techgrammarnazi):
Snap and Flatpak are not just packaging mechanisms, but are rather app containerization techs. And this makes them a bit different from rpm/deb/aur/whichever older packaging system.
Last edited by Boldos on 9 January 2024 at 1:50 pm UTC
Oh I am aware of how different they are, but this article wasn't a place to dive into the deep mechanics of them :P

> Just a small side note (and apologies for being a techgrammarnazi):
> Snap and Flatpak are not just packaging mechanisms, but are rather app containerization techs. And this makes them a bit different from rpm/deb/aur/whichever older packaging system.
Unless you have a need to sandbox something, just use your distro's packages - they will be compiled with the recommended versions of libraries for the whole ecosystem, instead of storing multiple, slightly different (and potentially way out of date!) versions depending on what you're installing.
Security vulnerability in a shared library? Update it through your distro and you're reasonably well covered across everything on your system. Flatpaks and Snaps? Time to download updates to every single sandboxed app... if they updated at the exact same cadence, if they bother to update it at all. (Yes, it shouldn't mean a *ton* of wasted space as they link and share the same library copy once you've downloaded it once, AFAIK) Almost as bad as all the 'native' apps just using downright ancient, vulnerable versions of Electron for way longer than they should. (*cough* Discord)
It's cool tech, but it should remain specialised, and *definitely* not the first thing you reach for in regular day to day usage, IMO. Heck, snapd was always pretty much the first thing I purged (the Firefox snap was way, *way* underperformant compared to the regular .deb at the time) when I used Ubuntu, until I switched distros entirely. You don't *need* to keep five different versions of a library to cover two dozen Flatpaks or Snaps on disk in almost all normal use cases, unless the library update is an API/ABI breaking one.
All that said, one of the biggest criticisms I've seen of Canonical's behaviour is that it feels like vendor lock in, so if it's being opened up to other distros (and it's easy for communities to host their own Snap repos *not* on Canonical's servers), then it's still interesting tech to watch and potentially keep in your back pocket for those situations where it makes sense, so good on them for at least trying, now.
Yeah, I don't mind stuff like Flatpaks for devices like the Steam Deck, where you don't normally get write access to the entire filesystem, but on desktop?
> Unless you have a need to sandbox something, just use your distro's packages - they will be compiled with the recommended versions of libraries for the whole ecosystem, instead of storing multiple, slightly different (and potentially way out of date!) versions depending on what you're installing.
Sorry, but it doesn't work that way and it's not even the main point of these package formats.
Snaps/flatpaks are there to make packaging and distribution easy for software creators and make them independent of distro maintainers who may or may not include a given piece of software, or may be including an ancient version of it.
They are also there for users who now can always have a piece of software available directly from the Snap store or a flatpak repo and have the latest version of it, regardless of whether the distro they use provides it.
Since you use Artix you may think every distro is like Arch where every piece of software ever written is included in the aur, but that is not even remotely the case for the vast majority of distributions. And there are good reasons for that, so there is a space for both.
Last edited by damarrin on 9 January 2024 at 5:28 pm UTC
> Snaps/flatpaks are there to make packaging and distribution easy for software creators and make them independent of distro maintainers who may or may not include a given piece of software, or may be including an ancient version of it.
Totally agree - that is 100% a valid use case for this, and a better way of putting what I was trying to get at: if your distro *does* ship an up to date version, you should use that as your first choice, since it may need to have been customized for said distro, it'll be kept up to date with shared libraries, etc., but if it *doesn't* (and you don't want to go down the rabbit hole of compiling it yourself... I've written my own janky PKGBUILDs for that, in fact, and it's not user-friendly), these are a great fallback.
My issue primarily is that Canonical likes to push the snap version of a package as the first choice, regardless of whether there's a perfectly valid .deb available, and I think that's wrong, because that pulls Ubuntu even further away from upstream Debian and introduces yet another unique distro-ism when trying to troubleshoot. The cynical part of me worries that 'pulling away from upstream Debian' is their big goal.
That said, it's been a few years since I ran Ubuntu on a desktop - does an 'apt install firefox' still pull in the snap by default? If they've walked that back since, then my argument is invalid and out of date.
> Unless you have a need to sandbox something,

You have a need to sandbox *everything* already. I'm blown away this mindset exists.
The purpose of sandboxing is zero days. The whole point is you don't know about them until there's a problem.
For example, there was a nasty bug in steam shortly after launch that could essentially rm -rf / and destroy everything the user had access to. It should be sandboxed. There was a really nasty exploit in Zoom allowing for RCE. It should be sandboxed. There was even a really nasty RCE vulnerability in the library most desktops use to thumbnail common files. Just downloading it and executing nothing could run arbitrary code.
*nothing* is immune. Sandboxing is categorically good.
Also, flatpak absolutely uses shared libraries. This notion that you have to hope every single app updates is fundamentally wrong. The runtimes can also be provided by the distro, like on Fedora, especially Silverblue.
These things need to be embraced. They are the best Linux Desktop security improvements we've had in . . . well maybe ever.
> You have a need to sandbox *everything* already. I'm blown away this mindset exists.
Ah yes, I'm going to sandbox 'ls' from the filesystem, and then explicitly fiddle to punch holes in to make it useful again...
Facetious and hyperbolic, yes, but let's not get into absolutes here. Sandboxing is great when you want it, but it's most definitely not for *everything*. There is a time and place for it, and I believe there are distros that lean on it extensively. It's great tech, but also *incredibly frustrating* as a user if you're not expecting it. All the Wayland xdg-desktop-portal stuff comes to mind - I love Wayland, but it shouldn't take *three separate popups* to allow OBS or Discord to screenshare a particular app, with no option to 'remember my choice forever please'. We're going to end up with Windows UAC level annoyances again, and then people will just turn it off entirely.
Should apps like Steam be sandboxed from accessing anything outside of ~/.steam (or equivalent)? Sure. Should your browser be sandboxed to not access things outside of your Downloads folder? Sounds like a good starting point. But remember, you may want to preview that PDF from your Documents or a thumb drive, or a static HTML page you're working on off a network drive, so it's got to be easy to do so and yes, explain and understand the implications.
If you want to run a Flatpak or Snap, you should understand that yes, you get sandboxing and the double edge that goes with it in terms of 'why can't this app see my files'. Unless your distro is explicitly designed for it, though, I believe it should not replace your native package manager. If I want to switch, let me make the choice to switch, don't start forcing Snaps on me when I call apt and expect a .deb.
> These things need to be embraced. They are the best Linux Desktop security improvements we've had in . . . well maybe ever.

I think we can agree they like to believe they are. But that mentality not seldom comes from devs that don't really get the full picture. (I'm looking at you FreeGnomeHat.) They have gotten so hooked on their own kool-aid that they tend to lose sight of whether what they are doing is actually doing something.
As Kithop mentioned above, Wayland and xdg-desktop-portal really come to mind. Do note that pretty much all flatpaks you install have permission=all set for hardware devices. There is a system to filter permissions for hardware for sure, but no-one actually does because that breaks things. This has been the case going back years. You can have a lookie in Flatseal for instance to see the state of affairs; it can be a bit depressing...
And as Kithop also alluded to, this whole thing reminds me of UAC. Good in theory. In practice? Everyone clicked "Accept" so the thingie they want to run can do the thing. And suddenly you might as well not have it. Which is why they massively toned it down after its initial release back in Windows XP.
Now I do agree with you that it is a step in the right direction for certain things. I'm much happier running Steam through Flatpak than through native because then I don't have to deal with lib32 packages and all that. I know how to do it, and I know the pros and cons of doing it from my distro. But the Flatpak experience is pretty darn good for that particular use-case.
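As an added example (not from any commenter here, and not Flatpak's or Flatseal's own tooling): the two points raised above, that Flatpak apps share runtimes rather than each carrying its own libraries, and that many apps ship with broad grants such as `devices=all`, can both be checked from the `metadata` keyfile Flatpak installs for every app. The script below parses such files and reports which apps share a runtime and which carry broad permissions. The three app ids and their metadata are constructed for the example; the keyfile format, `flatpak info --show-permissions` and `flatpak override` are real, but nothing here shells out to flatpak.

```python
"""Audit Flatpak app metadata for shared runtimes and broad sandbox permissions.

Flatpak keeps a keyfile named `metadata` per installed app (for a user install,
under ~/.local/share/flatpak/app/<app-id>/current/active/metadata).
`flatpak info --show-permissions <app-id>` prints the same [Context] data.
The three samples below are constructed for this example, not real apps.
"""
import configparser
from collections import defaultdict

# Constructed sample metadata. Editor and Chat share one runtime; Game uses another.
SAMPLE_METADATA = {
    "org.example.Editor": """
[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/23.08
sdk=org.freedesktop.Sdk/x86_64/23.08
command=editor

[Context]
shared=ipc;
sockets=wayland;fallback-x11;
filesystems=xdg-documents:ro;
""",
    "org.example.Chat": """
[Application]
name=org.example.Chat
runtime=org.freedesktop.Platform/x86_64/23.08
sdk=org.freedesktop.Sdk/x86_64/23.08
command=chat

[Context]
shared=network;ipc;
sockets=x11;pulseaudio;session-bus;
devices=all;
filesystems=home;
""",
    "org.example.Game": """
[Application]
name=org.example.Game
runtime=org.gnome.Platform/x86_64/45
sdk=org.gnome.Sdk/x86_64/45
command=game

[Context]
shared=network;ipc;
sockets=wayland;pulseaudio;
devices=dri;
filesystems=host;
""",
}

# Values that largely undo the sandbox for that resource class:
# every device node, the whole home/host filesystem, X11 (no isolation between
# X clients), or unrestricted access to the session/system D-Bus.
BROAD = {
    "devices": {"all"},
    "filesystems": {"host", "home", "host-os", "host-etc"},
    "sockets": {"x11", "session-bus", "system-bus"},
}


def parse_metadata(text):
    """Return {'runtime': str, 'context': {key: [values]}} from a Flatpak keyfile.

    List values in the keyfile are ';'-separated and ';'-terminated.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    context = {}
    if cp.has_section("Context"):
        for key, raw in cp.items("Context"):
            context[key] = [v for v in raw.split(";") if v]
    return {"runtime": cp.get("Application", "runtime", fallback=None),
            "context": context}


def broad_permissions(meta):
    """List (key, value) pairs that grant more than a sandbox should by default."""
    findings = []
    for key, bad in BROAD.items():
        for value in meta["context"].get(key, []):
            base = value.split(":", 1)[0]  # 'home:ro' -> 'home'; read-only is still broad
            if base in bad:
                findings.append((key, value))
    return findings


def audit(samples):
    """Group apps by runtime and collect broad permissions per app."""
    by_runtime = defaultdict(list)
    findings = {}
    for app_id, text in samples.items():
        meta = parse_metadata(text)
        by_runtime[meta["runtime"]].append(app_id)
        findings[app_id] = broad_permissions(meta)
    return {"runtimes": {rt: sorted(apps) for rt, apps in by_runtime.items()},
            "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_METADATA)
    for rt, apps in report["runtimes"].items():
        print(f"{rt}: shared by {len(apps)} app(s): {', '.join(apps)}")
    for app_id, found in report["findings"].items():
        if found:
            print(f"{app_id}: " + ", ".join(f"{k}={v}" for k, v in found))
            # Tightening is done per app with flatpak override, e.g.
            #   flatpak override --user --nodevice=all org.example.Chat
            # (shown as a comment; this script does not run flatpak).
```

Running it on the constructed samples reports the freedesktop 23.08 runtime as shared by two apps, no findings for the editor, and `devices=all`, `filesystems=home` and the X11/session-bus sockets for the chat app; a `:ro` suffix on `home` or `host` is still flagged because read-only access to the whole home directory is still the whole home directory.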
> Totally agree - that is 100% a valid use case for this, and a better way of putting what I was trying to get at: if your distro *does* ship an up to date version, you should use that as your first choice, since it may need to have been customized for said distro, it'll be kept up to date with shared libraries, etc., but if it *doesn't* (and you don't want to go down the rabbit hole of compiling it yourself... I've written my own janky PKGBUILDs for that, in fact, and it's not user-friendly), these are a great fallback.
> My issue primarily is that Canonical likes to push the snap version of a package as the first choice, regardless of whether there's a perfectly valid .deb available, and I think that's wrong, because that pulls Ubuntu even further away from upstream Debian and introduces yet another unique distro-ism when trying to troubleshoot. The cynical part of me worries that 'pulling away from upstream Debian' is their big goal.
> That said, it's been a few years since I ran Ubuntu on a desktop - does an 'apt install firefox' still pull in the snap by default? If they've walked that back since, then my argument is invalid and out of date.
I generally agree running software from the native packaging system gives a better experience. Install is much faster, it starts faster, takes up less space, etc.
But, from what I've seen a number of distros (Ubuntu!) might ship the current version of a package as a deb/rpm at a certain point, but as time goes on it will fall behind until the user has something much older than is available as flatpak/snap.
If the user knows what they're doing they might then switch to flatpak, and possibly switch back to native packaging when they upgrade to a newer version of their system then switch to flatpak again - which just makes no sense and is a load of extra unnecessary work. Especially as the settings directories are different and have to be copied over.
As for Snaps and Firefox, they've managed to improve the user experience massively so it now runs fine, but if you object to snaps in general there's just no point in running Ubuntu. More and more things are moved to snaps and this will only continue.
I did rip out FF a couple of times and replaced it with the deb, but it's just such a hassle to do every six months, it makes no sense. It reminds me of people caring about privacy but continuing to run Windows and disabling all the data gathering options on every update, feeling like they've somehow beat the system. It's just nonsense, unless you have way too much free time on your hands.
> I generally agree running software from the native packaging system gives a better experience. Install is much faster, it starts faster, takes up less space, etc.

Which in turn may or may not matter. Nowadays a lot of open source software is pretty mature, and a couple of versions more or less may not be much of an issue.

> But, from what I've seen a number of distros (Ubuntu!) might ship the current version of a package as a deb/rpm at a certain point, but as time goes on it will fall behind until the user has something much older than is available as flatpak/snap.
What I wonder about Flatpaks, and Snaps outside of Ubuntu, is where are you on maintenance? A Flatpak might be totally up to date the day I install it from Flathub, but my other software updates semi-automatically along with the OS. If I have to remember to update the Flatpak stuff manually, well, either it's gonna get long in the tooth after a while or I'm gonna rip out the Flatpak because it's too much hassle and go back to native packaging.
Last edited by Purple Library Guy on 10 January 2024 at 3:56 pm UTC
Ya know, I find it hard to take this attitude very seriously. I know the computer security people are all authoritative and expert and everything. But I've been using computers since before there was an internet, and in all that time no computer of mine has ever had an attack that I noticed the results of. If it weren't for phishing emails I might think there was no such thing as malicious cyberattacks outside the movies. It's possible that part of the reason my Windows computers of the late 90s/early 00s got a bit wonky after a while was viruses, I dunno, but if so their action was indistinguishable from ordinary "Windows installs used to age really badly". So the thing is, after 30 years or so when I could have suffered an attack, during which I never did anything much about security other than "switch to Linux" and "use fairly decent passwords", and nothing ever happening, it gets harder and harder to sustain that panicked "The sky will fall in the next few minutes if I don't do the latest security thing right now!" mentality. Induction says to me "I've never sandboxed everything before and nothing bad ever happened, why would that suddenly change now?"

> Unless you have a need to sandbox something,
> You have a need to sandbox *everything* already. I'm blown away this mindset exists.
If I was running a server or something, sure, I'd take security seriously. But I'm not, I'm just a guy with a computer.
...
> What I wonder about Flatpaks, and Snaps outside of Ubuntu, is where are you on maintenance? A Flatpak might be totally up to date the day I install it from Flathub, but my other software updates semi-automatically along with the OS. If I have to remember to update the Flatpak stuff manually, well, either it's gonna get long in the tooth after a while or I'm gonna rip out the Flatpak because it's too much hassle and go back to native packaging.

Can't speak for other distros, but Linux Mint's software updater includes updates from Flathub.
> What I wonder about Flatpaks, and Snaps outside of Ubuntu, is where are you on maintenance? A Flatpak might be totally up to date the day I install it from Flathub, but my other software updates semi-automatically along with the OS.

and

> Can't speak for other distros, but Linux Mint's software updater includes updates from Flathub.

Flatpaks *can* be distributed as a large standalone file or as tiny '.flatpakref' files that link to a repository that will download and install the software, but typically it's distributed through an app store and typically that is Flathub.
> Ya know, I find it hard to take this attitude very seriously. I know the computer security people are all authoritative and expert and everything. But I've been using computers since before there was an internet, and in all that time no computer of mine has ever had an attack that I noticed the results of.

This is because those same security experts are working behind the scenes to keep your computer and your person safe.

> [...]
> ... it gets harder and harder to sustain that panicked "The sky will fall in the next few minutes if I don't do the latest security thing right now!" mentality.
The nature of software and the culture of software developers have changed considerably in your 30 years of being a computer user. Once, CPU cycles, RAM, disk and network bandwidth - if you even had a network - were precious, and a lot of attention was spent on using them efficiently. Updates were expensive and hard to distribute, and just so many basic things we take for granted now were laborious or undiscovered. That was *our* 'normal'.
The complete opposite is normal today. All of those things are more than abundant; they're present and so rich they often feel like *infinite* resources. Infinite disk, infinite RAM... the generations of software developers brought up in this environment were never deprived of these resources. Seemingly unlimited resources, sophisticated high-level programming languages, abundant free/open source libraries and free/cheap third party services to host, test and deploy that software, as well as vastly more developers! Which means vastly more software being produced as quickly as possible for a society ever more dependent upon it. And a new disturbing trend is ubiquitous telemetry and monitoring (it's no longer an affront to include this, it's expected. It's normal now).
Sandboxing software is only partly about packaging or security, it's also about curbing runaway modern excesses in software by adding friction. You get to deny an app on your phone access to geolocation data. Or limit an app within a Flatpak to which directories it can write to.
> If I was running a server or something, sure, I'd take security seriously. But I'm not, I'm just a guy with a computer.

This sort of apathy is a blessing and a curse. Even when empowered by and protected by sandboxing tech you still don't give a shit; however, this same apathy makes Flathub installation preferable, to most, over "apt install foo --no-install-recommends -y", following prompts to resolve conflicts, etc.
By all means continue being blasé about it, just don't publicly denigrate it. The sky isn't falling for you because others are holding it up.
I did try Ubuntu on a laptop a few weeks back - just to see what the hoo-hah was with Snaps... and... they're fine. Reasonably unobtrusive. (Though apt-update did then somehow remove the system icon theme, so I gave up with the install at that point!)
A packaging/distribution system should be simple to use for any user - and not require post install fiddling to achieve full functionality of the installed package. If sandboxing means this goal can't be achieved, then the system is a fail. It's up to the user to use common sense to know what they're installing - and the distributor to make this information available. My PC, My Problem.
(I also disagree about the whole "infinite hardware" thing. That's just an excuse for lazy development - and the reason we see such stupid file sizes for things these days with no tangible benefit.)
> Ah yes, I'm going to sandbox 'ls' from the filesystem, and then explicitly fiddle to punch holes in to make it useful again...
> Facetious and hyperbolic, yes, but let's not get into absolutes here. Sandboxing is great when you want it, but it's most definitely not for *everything*. There is a time and place for it, and I believe there are distros that lean on it extensively. It's great tech, but also *incredibly frustrating* as a user if you're not expecting it. All the Wayland xdg-desktop-portal stuff comes to mind - I love Wayland, but it shouldn't take *three separate popups* to allow OBS or Discord to screenshare a particular app, with no option to 'remember my choice forever please'. We're going to end up with Windows UAC level annoyances again, and then people will just turn it off entirely.
> Should apps like Steam be sandboxed from accessing anything outside of ~/.steam (or equivalent)? Sure. Should your browser be sandboxed to not access things outside of your Downloads folder? Sounds like a good starting point. But remember, you may want to preview that PDF from your Documents or a thumb drive, or a static HTML page you're working on off a network drive, so it's got to be easy to do so and yes, explain and understand the implications.
> If you want to run a Flatpak or Snap, you should understand that yes, you get sandboxing and the double edge that goes with it in terms of 'why can't this app see my files'. Unless your distro is explicitly designed for it, though, I believe it should not replace your native package manager. If I want to switch, let me make the choice to switch, don't start forcing Snaps on me when I call apt and expect a .deb.
Sorry this is so old, but I don't think you're responding to what I said so much as complaining about specific implementations you were already annoyed with.
The point isn't that everyone should sandbox everything with existing tech right now, it's that everyone *has a need to* already. I didn't say "I don't understand the mindset of not wanting to use flatpak". The person above specifically said they don't see what problem sandboxing solves, that certainly patching is good enough. That mindset is fundamentally misinformed. It does not solve the same problems something like flatpak solves. Saying so fundamentally misunderstands the problem.
Similarly, nothing you said addresses the cases I mentioned. That need still exists, for sure, for basically everything anyone runs. Whether or not that means you should run everything in flatpak today, is moving goalposts and missing the point.
> Ya know, I find it hard to take this attitude very seriously. I know the computer security people are all authoritative and expert and everything. But I've been using computers since before there was an internet, and in all that time no computer of mine has ever had an attack that I noticed the results of. If it weren't for phishing emails I might think there was no such thing as malicious cyberattacks outside the movies. It's possible that part of the reason my Windows computers of the late 90s/early 00s got a bit wonky after a while was viruses, I dunno, but if so their action was indistinguishable from ordinary "Windows installs used to age really badly". So the thing is, after 30 years or so when I could have suffered an attack, during which I never did anything much about security other than "switch to Linux" and "use fairly decent passwords", and nothing ever happening, it gets harder and harder to sustain that panicked "The sky will fall in the next few minutes if I don't do the latest security thing right now!" mentality. Induction says to me "I've never sandboxed everything before and nothing bad ever happened, why would that suddenly change now?"
> If I was running a server or something, sure, I'd take security seriously. But I'm not, I'm just a guy with a computer.
Sorry this is very late, but worth responding to.
That's just missing the point.
I rode a motorcycle for years and never needed my helmet. I was still glad to wear one, and would now if I ever went back to it. Induction didn't mean riders don't have a need for helmets.
Last edited by mattaraxia on 18 January 2024 at 3:52 am UTC