Basically title.

I’m wondering if a package manager like flatpak comes with any drawback or negatives. Since it just works on basically any distro. Why isn’t this just the default? It seems very convenient.

      • sugartits@lemmy.world
        link
        fedilink
        arrow-up
        11
        arrow-down
        4
        ·
        9 months ago

        libxyz has security vulnerability:

        Your distro updates libxyz. Fixed and every piece of software gets the fix for free.

        Every single flatpak that uses libxyz has to update to include the fix. Let’s hope all those package maintainers are on the their game.

        • garrett@lemm.ee
          link
          fedilink
          arrow-up
          12
          arrow-down
          1
          ·
          9 months ago

          That’s not how Flatpak works.

          Flatpak has runtimes, which is where most shared libraries are. There’s a common base one called Freedesktop, a GNOME runtime, a KDE runtime , an Elementary runtime, and more. (The GNOME and KDE ones are built on top and inherit from the Freedesktop base runtime.)

          https://docs.flatpak.org/en/latest/available-runtimes.html

          Additionally, at least for Flathub, they have shared modules for commonly used libraries that aren’t in runtimes. (Many are related to games or legacy support like GTK2.)

          https://github.com/flathub/shared-modules

          Lastly, some distributions are building their own runtimes and apps on top, so the packages they build are available as flatpaks as well. This is the case for Fedora, Elementary, Endless, and others.

          https://fedoraproject.org/wiki/Flatpak

          • sugartits@lemmy.world
            link
            fedilink
            arrow-up
            9
            arrow-down
            4
            ·
            edit-2
            9 months ago

            That’s not how Flatpak works.

            That’s exactly how flatpaks work if the library you need is not in the runtime. Which is very often the case.

            I know because I made one for my personal use and the package was not available elsewhere.

            Additionally, at least for Flathub, they have shared modules for commonly used libraries that aren’t in runtimes. (Many are related to games or legacy support like GTK2.)

            So we’re just reinventing the wheel with more bloat? Brilliant.

            • garrett@lemm.ee
              link
              fedilink
              arrow-up
              1
              ·
              edit-2
              9 months ago

              Yeah, that’s a big, weird if though. Most modern apps can rely on the runtimes for their dependencies and not have to ship their own custom dependencies.

              It’s different from something like AppImage, where everything is bundled (or Snap, where a lot more needs to be bundled than a typical Flatpak, but not as much as with an AppImage).

              Additionally, there’s always some level of sandboxing in Flatpaks (and Snap packages) and none at all for RPMs, Debs, or AppImages.

              Also, Flatpak dedupicates common files shared across flatpak apps and runtimes, so there isn’t “bloat” like what you’re talking about.

              https://blogs.gnome.org/wjjt/2021/11/24/on-flatpak-disk-usage-and-deduplication/

              • sugartits@lemmy.world
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                9 months ago

                I think bringing in an entire operating system, which may well include libraries and other files that I already have installed, to run something small can be considered bloat.

                I currently have multiple versions of Nvidia’s libraries installed for some reason on my system through flatpak. I have no idea why that’s necessary but if I don’t allow this to happen I get dropped down to software rendering.

      • delirious_owl
        link
        fedilink
        arrow-up
        5
        ·
        9 months ago

        It sells security through isolation, but packages are not cryptographically verified after download. This is done in package managers like apt, but not flatpak