I’m wondering if a package manager like flatpak comes with any drawback or negatives. Since it just works on basically any distro. Why isn’t this just the default? It seems very convenient.
Flatpak has runtimes, which is where most shared libraries are. There's a common base one called Freedesktop, a GNOME runtime, a KDE runtime , an Elementary runtime, and more. (The GNOME and KDE ones are built on top and inherit from the Freedesktop base runtime.)
Additionally, at least for Flathub, they have shared modules for commonly used libraries that aren't in runtimes. (Many are related to games or legacy support like GTK2.)
Lastly, some distributions are building their own runtimes and apps on top, so the packages they build are available as flatpaks as well. This is the case for Fedora, Elementary, Endless, and others.
That's exactly how flatpaks work if the library you need is not in the runtime. Which is very often the case.
I know because I made one for my personal use and the package was not available elsewhere.
Additionally, at least for Flathub, they have shared modules for commonly used libraries that aren't in runtimes. (Many are related to games or legacy support like GTK2.)
So we're just reinventing the wheel with more bloat? Brilliant.
Yeah, that's a big, weird if though. Most modern apps can rely on the runtimes for their dependencies and not have to ship their own custom dependencies.
It's different from something like AppImage, where everything is bundled (or Snap, where a lot more needs to be bundled than a typical Flatpak, but not as much as with an AppImage).
Additionally, there's always some level of sandboxing in Flatpaks (and Snap packages) and none at all for RPMs, Debs, or AppImages.
Also, Flatpak dedupicates common files shared across flatpak apps and runtimes, so there isn't "bloat" like what you're talking about.
I think bringing in an entire operating system, which may well include libraries and other files that I already have installed, to run something small can be considered bloat.
I currently have multiple versions of Nvidia's libraries installed for some reason on my system through flatpak. I have no idea why that's necessary but if I don't allow this to happen I get dropped down to software rendering.
It sells security through isolation, but packages are not cryptographically verified after download. This is done in package managers like apt, but not flatpak