At the Linux Application Summit (LAS) in April, Sebastian Wick said that, by many metrics, Flatpak is doing great. The Flatpak application-packaging format is popular with upstream developers, and with many users. More and more applications are being published in the Flathub application store, and the format is even being adopted by Linux distributions like Fedora. However, he worried that work on the Flatpak project itself had stagnated, and that there were too few developers able to review and merge code beyond basic maintenance.
↫ Joe Brockmeier at LWN
After reading this article and the long list of problems the Flatpak project is facing, I can’t really agree that “Flatpak is doing great”. Apparently, Flatpak is in maintenance mode, while major problems remain untouched, because nobody is working on the big-ticket items anymore. This seems like a big problem for a project that’s still facing a myriad of major issues.
For instance, Flatpak still uses PulseAudio instead of Pipewire, which means that if a Flatpak application needs permission to play audio, it also automatically gets permission to use the microphone. NVIDIA drivers also pose a big problem, network namespacing in Flatpak is “kind of ugly”, you can’t specify backwards-compatible permissions, and tons more problems. There are a lot of ideas and proposed solutions, but nobody to implement them, leaving Flatpak stagnated.
Now that Flatpak is adopted by quite a few popular desktop Linux distributions, it doesn’t seem particularly great that it’s having such issues with finding enough manpower to keep improving it. There’s a clear push, especially among developers of end-user focused applications, for everyone to use Flatpak, but is that push really a wise idea if the project has stagnated? Go into any thread where people discuss the use of Flatpaks, and there’s bound to be people experiencing problems, inevitably followed by suggested fixes to use third-party tools to break the already rather porous sandbox.
Flatpak feels like a project that’s far from done or feature-complete, causing normal, every-day users to experience countless problems and issues. Reading straight from the horse’s mouth that the project has stagnated and isn’t being actively developed anymore is incredibly worrying.
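The audio permission issue described above can be checked per application. The following is an added example, not part of the original post or of Flatpak itself: it parses Flatpak metadata keyfile text, applies an override where `!name` revokes a socket, and flags every app that still holds the `pulseaudio` socket and therefore gets microphone access along with playback. The app ids and metadata strings are constructed samples.

```python
import configparser

def _context_list(text, key):
    """Return the ';'-separated list stored under `key` in the [Context] group."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    raw = cp.get("Context", key, fallback="")
    return [item for item in raw.split(";") if item]

def effective_sockets(metadata, override=""):
    """Sockets granted after applying an override; a '!name' entry revokes."""
    granted = set(_context_list(metadata, "sockets"))
    for item in _context_list(override, "sockets"):
        if item.startswith("!"):
            granted.discard(item[1:])
        else:
            granted.add(item)
    return granted

def audit(apps):
    """Map app id -> True when the audio permission also exposes recording."""
    return {app_id: "pulseaudio" in effective_sockets(meta, ovr)
            for app_id, (meta, ovr) in apps.items()}

# Constructed sample inputs (hypothetical apps, not real manifests).
PLAYER = ("[Application]\nname=org.example.Player\n\n"
          "[Context]\nshared=ipc;\nsockets=wayland;pulseaudio;\n")
EDITOR = ("[Application]\nname=org.example.Editor\n\n"
          "[Context]\nsockets=wayland;fallback-x11;\n")
REVOKE = "[Context]\nsockets=!pulseaudio;\n"

SAMPLES = {
    "org.example.Player": (PLAYER, ""),
    "org.example.Editor": (EDITOR, ""),
    "org.example.PlayerLockedDown": (PLAYER, REVOKE),
}

if __name__ == "__main__":
    for app_id, exposed in audit(SAMPLES).items():
        state = "audio + microphone" if exposed else "no audio socket"
        print(f"{app_id}: {state}")
```

On a real system the metadata text comes from `flatpak info --show-metadata <app-id>`, and `flatpak override --nosocket=pulseaudio <app-id>` writes the kind of revoking override modelled here.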
You can make that same point a different way without being offensive.
This.
I actually disagree. Snap, Flatpak.. these are open source projects backed and funded by large organizations to solve issues in their own ecosystems.
For a similar example, Snap was funded and actively marketed by Ubuntu. Canonical was spamming open source projects with disingenuous “YoU shOulD offEr snaP packages” tickets without disclosing they were being paid to do so by their employer.
In the case of Flatpak, RedHat has been pushing its development for a while. Their tactics were not as aggressive (and distasteful) as Canonical, however organizations not committing resources to the development of technical solutions they themselves made is fair game for constructive concern / criticism.
You can’t demand people doing volunteer open-source work do more open source work… but you sure as hell can criticize large companies which push open-source solutions with self-promoting rationale (which other open-source projects tie up time and energy in), who then let them languish.
This is already a bad situation – the software Redhat is trying to push everything towards is in maintenance mode a la X11? seriously? – but if you dive into it a bit it gets so much worse. Flatpak sandboxing very badly breaks browser internal sandboxing, to a point that I don’t think an up to date Firefox or Chromium based browser running in Flatpak can be called adequately secure. Zypak helps with Chromium based browsers to a point, but the real issue is that breaking namespaces gets rid of a lot of horizontal sandboxing between tabs. What’s more, it looks like this could all be avoided by providing a way to bypass Flatpak sandboxing, as is possible in Snaps… Or by using a normal MAC framework for the external sandbox, again as in Snaps. But those are not things that will happen if Flatpak is in maintenance mode.
It’s extra annoying because Flatpak has become pretty indispensable IMO for apps not in distro repositories, or for e.g. keeping some proprietary app from snarfing up your browser history – things where super high security sandboxing is not really necessary, but a modicum is useful.
Edit: to be clear I would say Flatpak is still a good idea in its essence. But it was absolutely stupid IMO for Red Hat to put all their eggs in this basket as the future of desktop Linux.
If RedHat is pushing it but there’s no real community of organically grown volunteer developers supporting it (Gnome, Flatpak, systemd, etc), might want to be a little bit wary about using it. Once the IBM money for these projects dries up, then you are looking at the soon-to-be-next-dead IBM technology, a la Lotus and many, many other things.
That’s a good perspective I think.
RH/Fedora also aren’t the only corporate Linux trending in a worrying direction. In OpenSUSEland, Tumbleweed has been getting no security updates for over a week, with very little communication from the devs. And in Ubuntu, manual drive setup with LUKS has been broken since 24.04, which is not great – supporting encrypted multi-drive setups out of the box should be an absolute baseline for an “easy” distro IMO, filesystem encryption at rest is not optional in this day and age.
I’m not sure what exactly is happening, and as someone who works in IT I want to be lenient towards other tech people, but the Tumbleweed situation in particular is very bad. A cynical part of me wonders if post-COVID brain damage is causing an outbreak of poor decision making.
>”In OpenSUSEland, Tumbleweed has been getting no security updates for over a week”
A week isn’t overly long to wait. You know those German engineers, they are more likely to shut down the whole production line than let one buggy package get to the end users.
This would be less of an issue if they hadn’t missed three critical vulnerability updates for Firefox.
I’m pretty sure those three critical updates were from a recent pwn2own gathering rather than exploits in the wild, and a number of distros probably weren’t overly concerned about pushing that update at lightning speed.
The mic problem in audio is not due to pulseaudio, but to a design flaw in flatpak. Snap doesn’t have that problem, having two different interfaces, one for playing audio (not privileged) and another for recording (privileged).
Aaaaand now… let the big rant begin!!!!!! In this corner, pro-snap people!!!! In that corner, pro-flatpak people!!!! 😀
Technologically I think Snap is probably better in a lot of ways, just from what I’ve gathered in my informal experience. It also can be used for command line and server packages, which IMHO is a huge oversight in Flatpak. But politically, the fact that Snap is so closely tied to Canonical, including the one and only app repository being controlled by them, is clearly an issue for the wider community.
Maybe it’s time to take a second look at Snap and see if it can’t be opened up more to the community, in a similar way to how so many other pieces of the stack originated at Red Hat but are now used across a wide range of distros.
Just adding the capability to Snap to be able to use external or alternative repositories would be a huge boon.
Moochman,
I agree, I believe this is holding back snap’s acceptance for many people. And there is good reason for that, but it’s still a shame.
But you can host your own Snap repo… Just google it… Why are people spreading things without checking?
Does that alternative Snap repo still require you to hard fork Snap and put in your own hard-coded repo URL? If yes, that is almost useless. Who is going to install a Snap fork just to be able to use a different but also singular (only one URL possible) Snap repo?
You can also host your own dmg or exe file. Flatpak is only as secure as the source, so with the flaws pointed out in the article I am going to stay with Debian. Packages might be old, but everyone else builds for it. (Yeah, no one builds for SID or experimental any more for general purpose; I do like they have the latest version of amiwm in exp and the latest version of unp (universal unpackager), the best CLI tool ever invented. Just install all packages for unpackagers, and unp. It will unpack it or at least say you lack the lha, rar or ace packages. If you have p7zip-full of the Debian kind and unp installed you can extract just about everything.)
Big surprise, volunteers never get to finish anything, and it appears Flatpak never had any proper corporate backing to ensure stuff gets finished by paid developers.
Steam will soon be the de facto package manager for Desktop Linux, imagine the reactions of the freedomite crowd when this happens.
I had a job/gig that also required me to have a video conference. I asked why? Yeah, I was the guy implementing the features whilst they were speaking. No, the CEO did never see my face, and I refused the company phone.
The solution? Package `flatpak` as a Snap, then deliver `snapd` as an AppImage. AppImage requires `libfuse2` but that can simply be delivered as a Nix or Guix or Docker or Brew or Pkgsrc or DEB or RPM or Tarball. It just werks.
Seriously though, I do find it weird that the Mac people have agreed to a common package manager for open-source software (Brew) despite not having first-party support from Apple, but Desktop Linux has a myriad of them. It’s as if Desktop Linux tends to attract people with massive egos and a “my way or the highway” personality.
No, all Apple users retired and now there are hipsters that think dragging and dropping a .app folder is installing.
Well that has been for most of the mac’s history, but since Lisa there has been other things QuickTime needed an install. And just about anything in classic after 96,
Huh? While Brew is big/main sure it’s hardly the only one for Mac. folks forget about MacPorts and Fink?
The only reason why Snap exists and is propped-up so hard is due to Canonical and their massive financial backing. If they weren’t diverting folk’s energy and attention then certainly the remainder would flock to Flatpak instead.
That and you’re comparing apples to oranges. No isolation here.
No, the solution is to stop reinventing the wheel
HOW? As it is one of the easiest things about a working chariot. You can’t reinvent the horse, as that would take thousands of years of breeding. There is no major fault in the carriage, just MAKE IT LIGHTER!
egyptus vs miranni huranni and the hetteitanni.
The bronze age collapse AND I CAN NOT STATE THIS ENOUGH, was NOT due to the rise of the use of iron, the mitanni used lots of iron and so did the aesti and scandinavians. The great collapse was a disaster for some, just as the fall of the western roman empire was for others. So be kind and thoughtful and consider history.
This was an unsuccessful hit piece against Flatpak. Resources right now are being focused on getting Gnome fully Wayland-only. Flatpak fulfills its promise. I couldn’t tell you the last time I tried to install a Flatpak and it did not install. People here are crying because it’s not perfect but it will never be. Neither will the Linux kernel ever be perfect. Flatpak is certainly good enough to take its place as the future of desktop applications on Linux, and later on Android and the PC in general. I have been able to install some Flatpak apps on Android with the Linux emulator installed. I have also used Flatpak apps on WSL. The future is bright for Flatpak. When the Flathub becomes a commercial entity, we will start to see a lot more Flatpak development.