• pinknoise
    link
    fedilink
    arrow-up
    15
    ·
    edit-2
    3 years ago

    Imo they’re right, but theres some weird (pro proprietary software) claims in there.

    If I ship an app for Windows I don’t have to include the entire Win32 or .NET runtimes with my app. I just use what’s already on the user’s system.

    Those cases are rare on windows, most apps package their own versions of dependencies just like with snap/flatpak/appimage (just not so neatly organized) and it sucks.

    Backwards compatibility is a major part of why Windows is still the dominant desktop OS.

    But thats also a major part in why it sucks and is insecure. Microsoft knows that and has started to break stuff with higher frequency too. You should only freeze interfaces when there is a consensus that there isn’t anything to be improved anymore. You can only build this consensus when you have a clear use case.

    I’d argue, that this is impossible for operating systems with desktop and all. So best you can do for backwards compatibility is to only put breaking changes in major versions and still maintain older ones. Of course that means you can’t have major versions to often and now people will complain that your software sucks because it can’t even do X.

    Microsoft does this too, but they often release a whole new product instead of version bumps. And by that they accumulate even more technical debt.

    Businesses actually care about this! They use ancient proprietary software that is critical to their business whose source code has long been lost to the sands of time.

    This isn’t a case that should be handled by FOSS developers, but by courts fining them for putting their employees, customers and business partners at risk! Running software that isn’t maintained by you or a third party is a liability.

    • marmulak
      link
      fedilink
      arrow-up
      6
      ·
      3 years ago

      I find those points of theirs to be pretty weak.

      1. With Flatpak most of the runtime stuff is packaged separately, so on Flathub for example you have most of the applications using common runtime components. Sometimes you need multiple versions of one of them, but the same goes for a lot of Microsoft’s stuff.
      2. I don’t find Windows to be any more backwards compatible than Linux is. On Linux you get the advantage of having access to the source more often, so source is going to be compatible for longer than binaries will. Source can be updated for compatibility too, giving it infinite life. (Of course, binaries could have infinite life if you take into account all the compatibility methods like virtualization.)
      3. Yeah I’m sure business just love using ancient proprietary software and not being able to upgrade their systems. Oh wait, I thought compatibility was strong on Windows. (Not that all such software runs on Windows, but of course a major chunk of it does.) Businesses will eventually have to replace that old stuff, whether it’s sooner or later. It would have been better if they had the source code in the first place and could use that to help them upgrade or replace it.
      • pinknoise
        link
        fedilink
        arrow-up
        5
        ·
        3 years ago

        With Flatpak most of the runtime stuff is packaged separately

        They mentioned that not all flatpaks use the same separate runtime. Ideally they could just use the one my distro packages.

        I don’t find Windows to be any more backwards compatible than Linux is. On Linux you get the advantage of having access to the source

        You can run (a lot of) really old (late 90s) windows binaries with the modern libraries. You can also probably run really old linux binaries, but only if they use syscalls directly, not if they are (dynamically) linked against e.g. libc or x-stuff. Of course if the source is open, you can make it work.

  • art
    link
    fedilink
    arrow-up
    12
    arrow-down
    2
    ·
    3 years ago

    That’s correct. Flatpak is the present. It’s happening right now.

    • southerntofu
      link
      fedilink
      arrow-up
      2
      ·
      3 years ago

      Is it though? is it integrated by default in your desktop environment? Can you easily add 3rd party repos from GUI? Can you finely edit the sandboxing settings for an app from GUI?

      Hell, i can’t even find how to make flatpak apps respect my keymap for keybindings. Inside a flatpak run’ed app, typing respects AZERTY but pressing Ctrl+A will trigger quit dialog (Ctrl+Q) as if i used QWERTY keymap.

      • pinknoise
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        3 years ago

        is it integrated by default in your desktop environment?

        It creates .desktop files and even sandboxes dbus, what more should it do?

        Can you easily add 3rd party repos from GUI?

        Why would GUI users need to do that?

        Can you finely edit the sandboxing settings for an app from GUI?

        https://flathub.org/apps/details/com.github.tchx84.Flatseal

        • art
          link
          fedilink
          arrow-up
          1
          ·
          3 years ago

          Your response was far more accurate that I could do. 👍

  • brombek
    link
    fedilink
    arrow-up
    10
    ·
    3 years ago

    There are two problems these are “solving”: API incompatibility and isolation. Both of this issues are a real problem when you want to run proprietary software.

    When you have a source code of all applications and libraries you can compile them and otherwise patch them to get things working together most of the time. This way we don’t have to worry about changing libraries that much.

    When you can trust your software you don’t need isolation. For programs like Firefox things are a bit different since it is, by default, running untrusted software and it’s sandbox will never be perfect. You can get isolation without duplicating all dependencies using process isolation (what Android does) or even using namespaces where you share your root files system but not your home directories.

    So for open source software these systems are creating more problems then solving. For running potentially malicious system on Linux I don’t think we have a good solution yet, or if we even should waste time solving it. There are better OS designs that would make this easy (Plan9, object-capability bases security, etc.)

    As for Windows the business model that MS is trying to support is vendor locking combined with licensed closed source binaries. In such case the long term backward compatibility is a must. And consequences of such models we are all aware of.

    • ganymede
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      3 years ago

      if needed, whats wrong with static linking?

      • brombek
        link
        fedilink
        arrow-up
        3
        ·
        3 years ago

        You can statically link binaries. Plan9 does only that, Rust and Go only support static linking (by default). The problem is that you need a good meta-data system that will allow you to track what was linked into each binary, so that if there is a security issue you know exactly what needs to be rebuilt. I don’t think we have such a system yet. If I have a bug in OpenSSL I just update that, restart servers using TLS and it is patched.

        • ganymede
          link
          fedilink
          arrow-up
          2
          ·
          3 years ago

          The problem is that you need a good meta-data system that will allow you to track what was linked into each binary

          Fantastic idea! This would be a really important project to see developed!

  • jokeyrhyme
    link
    fedilink
    arrow-up
    7
    ·
    3 years ago

    Meh, I’ve been using the official Firefox flatpak, and I love that my web browser has no access whatsoever to my ~/.ssh private keys, or anything else I don’t want it to be able to read

    • CHEF-KOCHOP
      link
      fedilink
      arrow-up
      2
      arrow-down
      3
      ·
      3 years ago

      You could store it via KeePass and ~/.ssh can only read out by your Browser if you are using the same user account to run both, so I would recommend storing ssh-keys in the home directory of another user account. Another way would be to encrypt ~/.ssh if you store your keys there.

      • jokeyrhyme
        link
        fedilink
        arrow-up
        3
        ·
        3 years ago

        I was sort of cheeky with my ~/.ssh example, because I’m actually 100% on Yubikeys for my SSH private keys, so there’s only public keys in that directory now

        But, with my setup ( https://gitlab.com/jokeyrhyme/dotfiles/-/blob/main/packages/flatpak-update.sh#L66 ) I run flatpak override --user --nofilesystem=home ... for a few things like flatpak web browsers (really, I should run this for everything)

        It’s all about defense-in-depth: putting up as many barriers as I can before the getting inconvenienced more than I’d like, and flatpak is so easy for me to use that there isn’t any inconvenience at all

        • southerntofu
          link
          fedilink
          arrow-up
          1
          ·
          3 years ago

          Note that you could do that with any program without flatpak. For example with firejail

  • mogoh
    link
    fedilink
    arrow-up
    6
    ·
    3 years ago

    There has never been a better time to ship a binary app that targets the Linux desktop. And I don’t mean targets its own bundled runtime; I mean truly targets the user’s runtime environment. The time is now.

    I have my doubts. If I compile something for Linux today, I don’t believe the chances are great, that this binary will run on an arbitrary Linux.

    If that is true, am I able to download some binaries from any distributing package repository unpack it, and run it? Can I just run an Arch-Linux KCalc and run it on an Ubuntu 20.04? Will it be able to run in 25 years?

    I think this is the one thing that those package managers will be able to solve.

    I understand the critics, but I do not see an alternative as of now.

    • southerntofu
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      3 years ago

      The distro packages are not distro-agnostic. But a linux release tarball is distro-agnostic, although some system settings can affect it.

      We’ve been doing release tarballs for literally decades now and there’s nothing wrong with them, but package managers help with updates, GUI, and dependency management. AppImage in particular supports PGP signatures and differential upgrades, which is pretty cool. Flatpak has interesting approach about “portals” for sandboxing, although it’s far from user-friendly or secure so far. Snap has really nothing going on for it and there’s absolutely 0 reason to use it. [0]

      [0] Yes there’s one reason, as always, it’s pushed by a big corp. So leap.se project for example packages bitmask only for snap because that’s where their userbase is. Such a shame.

  • DessalinesA
    link
    fedilink
    arrow-up
    4
    ·
    3 years ago

    As a user of arch btw for many years, does anyone have any link to anything that fully goes into why a lot of distros such as arch don’t have this problem? Packages, runtimes, and dependencies have been a non-issue on arch (and I’m sure other distros with proper package managers) for a long time.

    • pingveno
      link
      fedilink
      arrow-up
      6
      ·
      3 years ago

      Dependencies can absolutely be a problem. Let’s say you have a Python program that relies on an older version of a package due to a breaking change. With Arch those packages are installed in a per-Python interpreter global namespace. So if two applications have conflicting version requirements for a package, you’re kind of screwed. Yes, there are ways around the issue, but it’s not customarily used in Arch.

      This is just not a problem with Flatpak. The dependencies can be installed directly with no fears about causing a conflict. Even if the Flatpak itself uses a runtime, that runtime allows the Flatpak to add its Python dependencies as a simple layer on top. This happens independently of any other Flatpaks.

    • pinknoise
      link
      fedilink
      arrow-up
      5
      ·
      edit-2
      3 years ago

      If you use your distro’s up-to-date built and packaged from source applications it’s unlikely you’ll have a problem. Those start when you want to use old packages or packages from a different distro (with different or patched libs) with your system.

      Flatpak, AppImage etc. packaged apps will run on (almost) any system and you only need to build them for different processor architectures. So it’s the ovious choice for lazy or profit oriented developers.

    • southerntofu
      link
      fedilink
      arrow-up
      3
      ·
      3 years ago

      No distribution has problems on its own: the problem is interop. From a user perspective, all is fine as long as you use only distro packages or release tarballs, but the latter is not really user-friendly (no desktop menu integration). From a developer’s perspective who maintains software that hasn’t reached critical mass, it’s inconceivable to maintain themself packages for all distros in existence, and asking users to extract an archive to double click a program is not the most user-friendly experience.

      Flatpak/Snap is really dev-oriented, not user-oriented. I don’t think there’s anything wrong with that, although i find some arguments from 0install/AppImage very compelling.

  • M500
    link
    fedilink
    arrow-up
    4
    ·
    3 years ago

    Just in case you are not a native English speaker, the correct way to write your title is, “Flatpak and Snap are not the future”

    This is because the subject of the sentence, Flatpak and Snap, is plural. I have some students who get confused with this since the subject is made of two singular nouns.

    • pinknoise
      link
      fedilink
      arrow-up
      8
      arrow-down
      1
      ·
      3 years ago

      They are even worse, since they don’t come with an update mechanism builtin.

      • M500
        link
        fedilink
        arrow-up
        10
        arrow-down
        2
        ·
        3 years ago

        That’s the main thing I don’t like about app images. It is just like windows where everything needs to be updated independently.

        • southerntofu
          link
          fedilink
          arrow-up
          1
          ·
          3 years ago

          That’s not true and a bit harsh. AppImage supports repos with PGP signatures and differential upgrades, neither of which is supported by Flatpak/snap or any distro repo i know of. I especially love differential upgrades, as someone who regularly has bad connection.

        • daojones
          link
          fedilink
          arrow-up
          4
          ·
          edit-2
          3 years ago

          AppImages don’t integrate into the system at all and AppImageUpdate sucks.

          Also flatpak update go brrrr

            • daojones
              link
              fedilink
              arrow-up
              1
              ·
              3 years ago

              AH really? What DE? I guess everyone should use Manjaro. For me, I have to right click, run as executable. Firefox doesn’t work, Pling icon looks like shit, can’t update them without using a poorly made updater program. No thanks!

              • poVoq
                link
                fedilink
                arrow-up
                3
                arrow-down
                1
                ·
                edit-2
                2 years ago

                deleted by creator

      • M500
        link
        fedilink
        arrow-up
        3
        ·
        3 years ago

        That’s the main thing I don’t like about app images. It is just like windows where everything needs to be updated independently.

  • SudoDnfDashY
    link
    fedilink
    arrow-up
    1
    ·
    3 years ago

    On it’s own, no. But with an immutible OS, it allows you to have all of your apps seperate from the OS.

  • daojones
    link
    fedilink
    arrow-up
    4
    arrow-down
    4
    ·
    3 years ago

    Mass containerization and alternate runtimes cannot possibly be the future of desktop apps on Linux. If this is really the direction it’s going, the future will be so shitty that we’ll all end up back on macOS or Windows.

    This posts features great complaints but really shitty reasoning. Very immature perspective on things.

    If you are so upset about it, name the perfect alternative, contribute to one, or go make one. This post barely approaches solutions and spends all of it’s time whining about the outcome of technology choices without even touching on what they would change.

    • southerntofu
      link
      fedilink
      arrow-up
      1
      ·
      3 years ago

      There’s more precise criticism in the article. For example, that the “portals” system tries to be transparent to applications instead of exposing an explicit API. Or that maintaining multiple huge runtimes makes it likely you’ll need a lot of storage just to run new apps (contrary to a system like guix/nix where only specific deps would have to be duplicated). Or that the drivers/graphics stack should be part of the OS for consistency, not be bundled with applications. Or that layering many forms of containerization is not sustainable/debuggable.

      There’s an entire “Is Flatpak Fixable?” section full of recommendations.