4d ago

Flatpak is not perfect, but it's getting better

thelibre.news

@linux on Linux.Community @linux.community

Pro @programming.dev

4d ago

Flatpak is not perfect, but it's getting better

thelibre.news /flatpak-is-not-perfect-but-its-getting-better/

42 comments

hey still better than snaps
- Still worse than tar.gz
Article doesn't mention my biggest problem with flatpaks, that the packages are not digitally signed. All major Linux distros sign their packages, and flathub should too. I would prefer to see digital signatures from both flathub and the package's maintainer. I don't believe flathub has either one currently.
- It is possible to sign a flatpak, but yeah distributors need to actually do that and flathub should require published flatpaks to be signed.
- What would they sign it with? How do you verify the signature?
  
  I have no idea why you're being down voted. The whole thing with flatpacks is that they come from a large number of individuals, maybe the author of the software, but often not from a central organization you can trust. That's the fundamental difference to distro repos, who can just have a single anchor for trust.
  Mindlessly signing something doesn't increase security in any way. Then requiring it just means hassle to having to add keys to be trusted every time you want to install anything. Malicious actors can just create a key and sign the package as well. That's the whole reason it isn't required in the first place.
  
  F-Droid seems to manage it just fine. It's even got reproducible builds.
  
  Mozilla, for example, would sign Firefox's flatpak with a PGP key that they would disclose on their website. You verify the signature using the RSA algorithm (or any other algorithm for digital signatures. There are a bunch.) Or, you could just trust that your connection wasn't tampered the first time, then you would have the public key, and it would verify each time that the package came from that same person. Currently, you have to trust every time that your connection isn't tampered.
  Major flatpak providers (Flathub at the very least) would include their PGP public key in the flatpak software repo, and operating system vendors would distribute that key in the flatpak infrastructure for their operating system, which itself is signed by the operating system's key.
I wish it opens a prompt asking a list of permissions when open for the first time. Like, VSCodium always needs local file system access, VPN clients always need network interface permission, etc.
Yeah, we have Flatseal, but it should be automated by the publisher to have a list of prerequisite permissions.
- Android is very underrated
Guess my next GPU will be AMD
- it's been a dream, honestly.
  
  I've had them for a long time and never had problems with any.
Hmm. This hard on the heels of Sebastian Wick's comments that core Flatpak development had largely stalled (2025-05-14).
I wonder what happened here. There seems to be a disconnect. TA does acknowledge Wick's talk; it's hard to reconcile the two messages, though.
i started experimenting in the world of immutable distros. it's very cool stuff going on in this space. but it relies very heavily on Flatpak, and i worry that Flatpak isn't up to the standard it needs to be in order to be this intrinsic to this paradigm.
i hope they can step it up.
- I, too, am experimenting with immutable Doritos.
  I'm running Bluefin, so far I'm quite pleased. Anything needing deeper access or only available in package form, I've been able to run in boxes.
  Edit: I'm leaving it
  
  Thanks for sharing your experiences! As much as I absolutely love and favor 'immutable'/atomic ~~"Doritos"~~ distros over their traditional counterparts, I can't but accept the reality that it's not (prime-time) for everyone (yet). Though, I do wonder what put you off (specifically). Would you mind sharing it?
  Anything needing deeper access or only available in package form, I’ve been able to run in boxes.
  I assume you're referring to distroboxes and not to (GNOME's) Boxes used for running VMs.
Flatpak is quite fucking far from perfect, and will always remain so due to its flawed design and UX approach.
Pretty sure the culprit here is Fedora’s packaging which adds an opaque systemd timer to run auto-updates, but the thread immediately next to this one on my homepage just happened to be a nice case-study in Flatpak fuckery: https://lemmy.world/post/30654407
Of course, the proposed changes in the article do nothing to fix this sorta problem, which happens to be the variety that end users actually care about. Flatpak is an epic noob trap since it pretends to be a plug-n-play beginner friendly tool, but causes all sorts of subtle headaches that newcomers inevitably don’t have diagnostic experience to address.
- The problem of there being a separate runtime for each video driver version was explicitly discussed in the article:
  If you are part of the huge part of the population who happens to own a Nvidia GPU, it's a whole other can of worms. There are Flatpak runtimes that target specific Nvidia driver versions, but they must be matched with a compatible version installed on the host system, and it is not always a process as smooth and painless as one would hope.
  An improvement idea that is floating around is to, basically, just take a step back and load the host drivers directly into the runtime, rather than shipping a specific version of the userspace drivers along with the application. Technically, it is possible: Valve's Linux runtime is pretty similar to Flatpak architecturally, and they solved this problem from its inception by using a library called libcapsule to load the natively installed host drivers into the Steam Runtime. This is the reason why it's significantly rarer that an old Steam game fails to launch on a new GPU, compared to the same scenario on Flatpak!
  
  Ah - I totally missed the Nvidia-related bit! Thanks for flagging that.
  That being said, based on the maintainers’ past stances, I’m pretty pessimistic on them actually implementing a fix like that. They’re very much against the general practice of poking holes in their sandbox security perimeter.
  
  I really think if flatpaks were built upon nix, it would resolve these problems. It would however bring a new problem: people would have to learn forsaken nix 💀
  
  That solution sounds like a no brainer. I assume it's easier said than done (and maintained) ?
- Flatpak doesn't have a UI? It is a packaging format.
  
  Flatpak: a system for building, distributing, and running sandboxed desktop applications on Linux.
  Flatpak application: an application installed via the flatpak command or through a graphical interface, such as GNOME Software or KDE Discover.
  Runtime: also called platform, an integrated environment providing basic utilities needed for a Flatpak application to work.
  Flatpak bundle: a single-file export format containing a Flatpak application or runtime.
  From https://docs.flatpak.org/en/latest/introduction.html#terminology
  You might be thinking of AppImages, which are more of a pure file format.
Pretty fundementale broken IMHO. Its a security nightmare
- Its a security nightmare
  How so? Doesn't its sandbox offer superior security (under most circumstances) over most other solutions? Even in its relative infancy*.
  
  The sand boxing is a distraction and doesn't matter if you downloaded malicious code

42 comments