[QUESTION] Flatpak or AUR?

UnfortunateShort, 25 days ago

I prefer Flatpaks, not only because I support the format, but also because of containerization and the ability to clean up an application completely.

I absolutely hate it when apps randomly place config files everywhere.

chemicalwonka, 23 days ago

don’t forget that the “containerization” is weak and not reliable.

240p, 25 days ago

I use Silverblue and in general I like their philosophy. For other distros, it can be summed up as:

• Flatpaks for GUI applications
• Your choice of package manager for everything else

On Silverblue anything non-Flatpak is best installed inside a container. On a non-atomic distro I’d just install using the system’s default package manager.

D_Air1, 25 days ago

I usually do distro repos, followed by aur, then flatpak if the aur version is too cumbersome (e.g. obs, game emulators). Funnily enough I use steam native because when I was using the flatpak. I had trouble with mods and things of that nature. A lot of that stuff either needs to be moved to different locations, straight up doesn’t work, or requires a bit of permission fiddling and I just didn’t wanna go through that. On the other hand. I believe there was a glibc issue on Arch that broke all games on steam native for a couple of days which the flatpak didn’t suffer from. Just goes to show nothing is perfect either way.

Cyber, 25 days ago

It’s not like the AUR packages need recompiling after every update, so I’m using standard Arch repos + AUR and that’s it.

Everything will be using the same (bleeding edge) dependencies, so if something breaks, I can find what changed and fix it and / or roll-back and / or report it to the dev.

I’ve been down this whole scenario with Windows back in the day… DLL hell, InstallShield packaging, compiled zips, weird %PATH% sets for execution, the lot… and at the end, it’s always simpler to use common libraries and work with the devs to fix bugs - after all, they’re usually developing on a “normally” packaged system anyway.

chemicalwonka, 25 days ago

AUR just for the essentials , I just use AUR for my Epson Utility

CrabAndBroom, 25 days ago (edited 25 days ago)

Personally I tend to go AUR first, then Flatpak and then Appimage if there’s no other choice. Snaps never lol

The reason being, I find that Flatpaks sometimes have issues with not being able to access certain things in the filesystem which can cause problems. That’s presumably by design since they’re sandboxed and you can fix it with Flatseal or whatever, but it’s an extra level of fiddling that I can’t always be bothered with. I do prefer Flatpaks for certain things that are messy with dependencies though (looking at you, Steam.) Appimages I don’t really like because I hate having to go and check manually for updates for each one, it feels too much like Windows to me. But there are a couple of things that only have Appimage versions so I’ll suck it up.

Snaps I just find to be a huge pain in the ass, and I’ve never found an app I need that doesn’t already have a version on the AUR or as Flatpak or an Appimage, so I really have no need for them.

Samueru, 25 days ago

Appimages I don’t really like because I hate having to go and check manually for updates for each one, it feels too much like Windows to me. But there are a couple of things that only have Appimage versions so I’ll suck it up.

github.com/ivan-hc/AM

CrabAndBroom, 24 days ago

Oh that’s handy, thanks! I only have like 3 things as appimages but I already switched them over lol

LeFantome, 26 days ago

The AUR is the best thing about Arch. yay -Syu and everything is updated. Painless.

I tend to use binary packages to avoid long compiles. If an update includes something that is going to take a while, I often exclude that package from the update. After everything else is updated, I can run it again to get the last package or two. They can just run in the background while I do other stuff. If it is a program I am going to use right away, I may put off the update of that package until I am done my session. This is pretty common with JetBrains updates for example.

I do not have a single Flatpak.

delirious_owl, 26 days ago

Flatpaks don’t securely download. Use your native package manager

sweng, 26 days ago

In what way don’t they “securely download” ?

delirious_owl, 25 days ago

No cryptographic signature verification, like most package managers have

sweng, 25 days ago

That doesn’t seem to be true? …readthedocs.io/…/distributing-applications.html#…

delirious_owl, 24 days ago

The link you sent says that its an option that can be turned on or off. Also, that’s for uploading. Doesn’t say anytbify about verification of downloads.

sweng, 24 days ago

From the page:

It is recommended that OSTree repositories are verified using GPG whenever they are used. However, if you want to disable GPG verification, the --no-gpg-verify option can be used when a remote is added.

That is talking about downloading as well. Yes, you can turn it off, but so can you usually do it with native package managers, e.g. pacman: wiki.archlinux.org/title/Pacman/Package_signing

delirious_owl, 24 days ago

where does it say this applies to downloads too?

sweng, 24 days ago (edited 24 days ago)

I’m confused why you think it would be anything else, and why you are so dead set on this. Repos include a signing key. There is an option to skip signature checking. And you think that signature checking is not used during downloads, despite this?

Ok, here are a few issues related to signatures being checked by default, when downloading: github.com/flatpak/flatpak/issues/4836github.com/flatpak/flatpak/issues/5657github.com/flatpak/flatpak/issues/3769github.com/flatpak/flatpak/issues/5246askubuntu.com/…/flatpak-cant-check-signature-publ…stackoverflow.com/…/flatpak-not-working-apparentl…

Flatpak repos are signed and the signature is checked when downloading.

It’s OK to be wrong. Dying on this hill seems pretty weird to me.

delirious_owl, 23 days ago

If its not documented, we shouldn’t assume it has a security feature.

sweng, 23 days ago

You know what else we shouldn’t assume? That that it doesn’t have a security feature. And we additionally then shouldn’t go around posting that incorrect assumption as if it were a fact.

delirious_owl, 23 days ago

Oh, we should absolutely assume that software does not have security features unless those features are clearly documented (and audited)…

sweng, 23 days ago

Feel free to assume that, but don’t claim an assumption as a fact.

You recommended using native package managers. How many of them have been audited?

SpongeB0B, 27 days ago

AppImage !

• Open format? Yes
• Free format? Yes
• Fully Contained Single Executable Support . Like an exe file for Windows systems Yes (the only one)
• App Size** The lowest** !

en.wikipedia.org/wiki/AppImage

Matrix
fosslinux.com/…/snap-vs-flatpak-vs-appimage-know-…
phoenixnap.com/kb/flatpak-vs-snap-vs-appimage \

FooBarrington, 27 days ago

Why would the app size be the lowest? I could maybe see that for one single AppImage (though I don’t expect a significant difference), but as soon as you have two or more apps, sharing dependencies would make Flatpaks smaller than AppImages.

Gecko, 27 days ago

Aren’t AppImages still limited to Xorg?

Also there’s no centralised update mechanism or dependency deduplication, no?

ares35, 27 days ago

on my arch-based systems, i use repos first, aur second. appimages third. i do also have a couple minor things (that are self-contained with no dependencies) that were just 'unzipped' into their own directories and links added to menus where appropriate. note that i don't game on these systems. i don't have a lot of aur packages installed, so updates and subsequent recompile time isn't an issue.

i have yet to run into anything i want or need that isn't available in those. so no flatpaks or snaps.

mactan, 27 days ago

both is good

BaalInvoker, 27 days ago

I always use Flatpak over AUR.

AUR is my last resort

lemmyvore, 27 days ago

people prefer AUR over Flatpaks. Why?

Some stuff doesn’t work as Flatpak, or I actually prefer for it to be compiled against what’s actually on my system rather than a generic one-size-fits-all binary, or simply isn’t in Flatpak.

Flathub is tiny (under 3k packages), AUR has over 85k – and yes I know that many of those are abandoned or maintained very loosely but even if you only count the packages updated in the last year that’s still over 10x bigger than Flathub.

Examples: kernel modules, CLI tools, libraries, versions of apps compiled against old UI frameworks (like Claws-Mail with GTK2), obscure apps, drivers for obscure hardware, stuff with dubious legal standing like file sharing apps etc.

how do y’all cope with waiting for all the AUR installed packages to rebuild after every update?

I don’t. I disabled AUR updates and only update AUR packages when they break. Sometimes if I’m bored I’ll run a pamac checkupdates --aur and do a pamac build <package> on anything I see there that might be interesting to have a new version of. But most of the time like I said I wait for them to break, which happens surprisingly seldom.

Alacritty takes ages to build for me.

Yeah some apps are ridiculous. Pika Backup is another example, RPCS3, and so on. For some of those I actually resort to Flatpak.

The choice is not always so clear cut because Flatpak stuff will tend to have random features present or missing. For example a while ago the Flatpak Handbrake could do accelerated encoding on the GPU, now it can’t. So I was forced to go back to native Handbrake.

ParetoOptimalDev, 27 days ago

I use flatpak steam and flatseal to remove user home permissions so games don’t see my files.

I’d prefer to use Nix derivations and firejail but I couldn’t get it working last time I tried.

My preference for nix expressions to flatpaks is for better reproducibility guarantees, easier introspection, easier debugging, and less duplication.

boredsquirrel, 27 days ago

I am on Fedora so the equivalent is COPR.

Flatpaks can be built pretty messy, use outdated runtimes or even entirely outdated dependencies.

It is pretty creepy, I digged down the pyramid of dependencies of OnionShare once and that thing is huge, some projects are archived, some had new releases but it still uses the old versions.

Native packages might not bundle all that in, which means more effort but especially more updated packages.

The sandbox is determined by the packagers, and a mix between “dont make it too loose” and “dont break use cases”. For example many big projects without portal support have host permission to access your theoretical SMB shares or external media.

But yes, the bubblewrap sandbox is there, it prevents apps from manipulating the system, the syscalls are a bit restricted via a “badness enumerating” and pretty loose seccomp filter.

This prevents all apps from creating user namespaces, which are like chroots and create a small virtual filesystem for processes. They are used in FF and Chromium for sandboxing. But Firefox also uses seccomp-bpf which works within a flatpak.

If you want a Chromium browser, it should be native. Firefox arguably too, as it gets another layer of sandboxing. But Flatpaks are isolated from the system.

Have a look at bubblejail, which allows to sandbox programs from the OS with bubblewrap, but with a custom filter that can allow user namespaces.