Skip Navigation

Flatpak integration is still not great

Its even worse when you force Firefox to use wayland its icon doesn't even show.

Edit: Oh since everyone now is confused; I only have the flatpak version of Firefox installed yet it doesn't use the pinned icon and doesn't even use the firefox icon under wayland at all.

133

You're viewing part of a thread.

Show Context
133 comments
  • Basically you install the application inside a little OS with dependencies each time you install a flatpak, that OS is rarely updated with security patches and most of the time has full access to the host OS. https://flatkill.org/

    This is a lazy and insecure way of distributing applications with no real benefits.

    • Exactly. The QA of flatpaks is done in “trust me bro” framework. You can just go back to windows at this point.

      If I install a package on my distro I know it went through a shitload of testing and I can be sure I am not installing some crap on my system.

      • I don't know what distro you use, but packages in their repos have "maintainers" that are usually volunteers. Downloading from repos from the distro is trusting whoever the maintainer is there. I don't see how that is any better than a flatpak.. At least with Flatpak many packages are maintained by the developer. I believe that would be more secure.

        • Major distros are usually backed by a compamny which provides enterprise version. Maintainers are actually employees paid for their work. Even if you pick a derivate distro you will inherit that testing process. So please get your facts straight before talking, you obviously need it. Here how it is done: https://openqa.opensuse.org Each package update, distro install process goes through automated testing. This detects bugs, dependency issues, you name it. If something fails package goes back for human review. And as you can see it is an open process which YOU can review any time.

          So… how are the flatpaks tested? Please show me some facts. I am interested in this new “trust me bro” QA framework.

          • You are very confrontational. I love being proven wrong so that I can learn more. But, your language is belittling. I hope my message didn't come across that way.

            Either way, looking at DistroWatch OpenSuse is about the #10 most popular Linux OS. MxLinux, Linux Mint, Debian, and Ubuntu are all debian based and above OpenSuse. Debian is by volunteers according to the Debian Package Maintainers Guide. So, I would think that the most-popular distros (especially in the non-professional world) are maintained by volunteers.

            That comes with nuance though and I understand that. For instance, debian is celebrating 30 years. In that time I am sure many package maintainers have probably done this for very long amounts of time. So they are probably more worthy of trust than some Flatpak maintainers. But, when a flatpak is maintained by the developer (not that common in my experience) I would trust them the most.

            Now, something I wasn't aware of until someone else linked it is how bad Flatpak is as a sandbox. But, I never used it wanting a sandbox. I like it for the isolation of libraries (Dependency Hell). Updating my OS never breaks any packages, because the libraries are separated.

            As for qa testing. It would be on a per-package stand point. I see how helpful that is. But, I'm not installing any command line utilities through Flatpak. Just desktop apps, like browsers, game launchers, etc. So, maybe we are talking about different types of packages..

            I'm not convinced Flatpaks are inherently worse than packages from the OS's repos themselves. But, I will be trying nix package manager as a replacement.

            • You were responding to my reply to someone else... but ok I guess. I am not here to convince you about anything. It's not my problem what you install on your thing. I just don't like misinformation spread based on ones believes and feelings, belittling work of whole teams of maintainters and QA staff which is core of why you can trust Linux ecosystem. Them being paid or not is not being relevant.

              • You belittled the work of Flatpak maintainers.

                Exactly. The QA of flatpaks is done in “trust me bro” framework.

                Then you belittled anyone using Flatpaks.

                You can just go back to windows at this point.

                All I said was that they are not too different. You are right about some OS's having paid staff who have setup some great QA to handle it though. But, at some point you are "trust me bro"ing someone, paid or not.

                • Then you belittled anyone using Flatpaks.

                  Not a single person including you here was able to show any hint of package maintenance process, QA standard any kind of security awareness.

                  All I said was that they are not too different. You are right about some OS’s having paid staff who have setup some great QA to handle it though.

                  And I am saying it's an uneducated statement which fails to back itself miserably.

                  But, at some point you are "trust me bro"ing someone, paid or not.

                  Dude... really? Quite a desperate attempt to make an argument. Yes at some point people are just atoms stuck together ... a human being is not different from rock if you twist the point of view enough. This is just you pushing smoke in the room because you have nothing to back up what you are saying. There is a huge difference in trusting blindly and trusting because you have transparency in processes and standards which are followed.

                  So if flatpak and distro repository is not so different... please show me any published standards or processes that are followed to ensure that flatpak is secure, up to date, without obsolete libraries. Would be cool to see there some transparency. Please show me that I am as secure and stable as while running OpenSuse on my machine at home.

                  • Flathub has verified apps. This means the build either comes directly from the developer of the app itself or someone that they approved to distribute their app through Flathub. That's kinda the ultimate QA to me. If the developer of the app can't be trusted then who can? Other than that, the only checks are the community.

133 comments