Linux

8394 readers

261 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of [email protected] and The GIMP

founded 2 years ago

MODERATORS

[email protected]

Flatpak is not perfect, but it's getting better (thelibre.news)

submitted 1 month ago by [email protected] to c/[email protected]

7 comments fedilink hide all child comments

top 7 comments

sorted by: hot top controversial new old

[–] [email protected] 0 points 1 month ago* (last edited 1 month ago) (1 children)

Flatpak is quite fucking far from perfect, and will always remain so due to its flawed design and UX approach.

Pretty sure the culprit here is Fedora’s packaging which adds an opaque systemd timer to run auto-updates, but the thread immediately next to this one on my homepage just happened to be a nice case-study in Flatpak fuckery: https://lemmy.world/post/30654407

Of course, the proposed changes in the article do nothing to fix this sorta problem, which happens to be the variety that end users actually care about. Flatpak is an epic noob trap since it pretends to be a plug-n-play beginner friendly tool, but causes all sorts of subtle headaches that newcomers inevitably don’t have diagnostic experience to address.

[–] [email protected] 0 points 1 month ago

The problem of there being a separate runtime for each video driver version was explicitly discussed in the article:

If you are part of the huge part of the population who happens to own a Nvidia GPU, it's a whole other can of worms. There are Flatpak runtimes that target specific Nvidia driver versions, but they must be matched with a compatible version installed on the host system, and it is not always a process as smooth and painless as one would hope.

An improvement idea that is floating around is to, basically, just take a step back and load the host drivers directly into the runtime, rather than shipping a specific version of the userspace drivers along with the application. Technically, it is possible: Valve's Linux runtime is pretty similar to Flatpak architecturally, and they solved this problem from its inception by using a library called libcapsule to load the natively installed host drivers into the Steam Runtime. This is the reason why it's significantly rarer that an old Steam game fails to launch on a new GPU, compared to the same scenario on Flatpak!

[–] [email protected] 0 points 1 month ago (2 children)

Article doesn't mention my biggest problem with flatpaks, that the packages are not digitally signed. All major Linux distros sign their packages, and flathub should too. I would prefer to see digital signatures from both flathub and the package's maintainer. I don't believe flathub has either one currently.

[–] [email protected] 0 points 1 month ago (1 children)

What would they sign it with? How do you verify the signature?

[–] [email protected] 0 points 1 month ago

I have no idea why you're being down voted. The whole thing with flatpacks is that they come from a large number of individuals, maybe the author of the software, but often not from a central organization you can trust. That's the fundamental difference to distro repos, who can just have a single anchor for trust.

Mindlessly signing something doesn't increase security in any way. Then requiring it just means hassle to having to add keys to be trusted every time you want to install anything. Malicious actors can just create a key and sign the package as well. That's the whole reason it isn't required in the first place.

[–] [email protected] 0 points 1 month ago

It is possible to sign a flatpak, but yeah distributors need to actually do that and flathub should require published flatpaks to be signed.

[–] [email protected] 0 points 1 month ago* (last edited 1 month ago)

Hmm. This hard on the heels of Sebastian Wick's comments that core Flatpak development had largely stalled (2025-05-14).

I wonder what happened here. There seems to be a disconnect. TA does acknowledge Wick's talk; it's hard to reconcile the two messages, though.