Flatpak for beginners and why it sucks, IMO

  • Published on 21 Sep 2024
  • Here is a short info how you can manage packages with Flatpak. The rest of the video is my annoyance by its permissions. I cut out a bunch of other frustrations, so maybe I will make part 2 :)
    Commands used in this video:
    github.com/fry...

Comments • 31

  • @habios
    @habios several months ago +4

    You're under a huge misconception, flatpak is a distribution platform, meant to solve the environment differences for developers amongst distributions, it supports sandboxing but it isn't the main focus of the platform. If you want sandboxing as your main feature, you use containers. The real complaint would be defaults, which I would agree shouldn't be too permissive, if flatpak could warn the user of the permissions given by the manifest.json at install or when executing for the first time, that could improve security.
    The only way a default could get forced is if flathub enforces it by not allowing such permissions in the manifest files, but I'm certain that would result in flatpak repository fragmentation so that's why they are too permissive.

    • @friendlyalien379
      @friendlyalien379 several months ago +1

      I know what they are trying to solve with flatpak, but "sandboxing" is something that is promoted so much, but it's a complete lie. I don't need sandboxing, I'm well aware that you can't sandbox an application if you want to do anything with your files, which I said in the video. Maybe not that clearly. I just don't know why appimage hasn't been chosen, they are much more practical IMO, from a user standpoint. I will explain that in my next video about appimages :)

    • @gelbphoenix
      @gelbphoenix several months ago +1

      @friendlyalien379 I wouldn't say that it is a complete lie but a misunderstanding of what is actually meant here. IMO the sandbox that is created for a flatpak app is not for security but to provide that said app could run on any distro without inflicting a dependency hell.
      Yes, there are problems with Flatpaks and the Flathub like downloading speed or that Flatpak doesn't remove older runtimes that aren't relevant to the system anymore and require a manual deletion.

    • @friendlyalien379
      @friendlyalien379 several months ago +1

      @gelbphoenix if it was only in the sense of sandboxing because of the libraries, then yes I would agree you could call it sandboxing, but it's not. I remember a long time ago when I tried using freefilesync as a flatpak, there was no permission I could turn on to make it sync to my external disk. Or when I tried to use keepassxc with Firefox, all flatpaks of course, it wouldn't work. In the definition of flatpak you have a description where it says that you have to explicitly allow access to user files, which is not the case because it doesn't work. So they clearly meant sandbox more than just including the libraries.

    • @gelbphoenix
      @gelbphoenix several months ago

      @friendlyalien379 That happens more in Flatpaks that aren't maintained by the maintainer of the actual project. Because the maintainer of a project can check if their Flatpak version functions like it should and make the needed permissions in the manifest file.

    • @friendlyalien379
      @friendlyalien379 several months ago

      @gelbphoenix it's more like at that time flatpaks couldn't do "anything" whereas now they do whatever they want ;}

  • @renner0395
    @renner0395 several months ago

    You have to restart the app for permission changes to actually do something.
    The filesystem=host permission doesn't mean root access/write to /usr or /etc.
    The flatpak is run as a regular user and can only read (just like your regular user) system files.
    In fact there are no privileged flatpaks (yet afaik) think gparted, timeshift etc.
    Hell you can't even make a proper file manager like dolphin in flatpak due to deep system integration/scope of dolphin.
    Many permissions are way too generous and the reason is that applications aren't built yet with flatpak/xdg-portals in mind or missing portals for that specific use case the application needs.
    Existing applications are shoved into an incomplete packaging format and the generous permissions just bridge the gap.
    Just a reminder every "native" distro package can do everything(!) your user can.
    A little sandboxing > no sandboxing at all
    Flatpak is not Android/not there yet but it is the best we have right now for the linux desktop.

    • @friendlyalien379
      @friendlyalien379 several months ago

      @renner0395 restarting the app doesn't work, nor should it. Because flatpak doesn't ask flatseal do I have this and that permission. You don't even have to have flatseal installed to run permission commands, you can run them from the terminal. And if you looked at the whole video I deleted the xdg permission and the application still had access. And yes flatpak is run as a regular user, and permissions from that user are applied, not from flatpak. Meaning they can do everything as any other app, so when you say little sandboxing that is not exactly true. And at the statement it is the best for Linux that we have right now, I will just say look at my appimages video :)
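
Added example, not from the video or any commenter: a small auditor for the permission keyfile that `flatpak info --show-permissions <app-id>` prints, flagging the broad grants this thread argues about (`filesystems=host`, the X11 socket, talk access to `org.freedesktop.Flatpak`). Both sample keyfiles are constructed, and the list of what counts as broad is this example's own assumption.

```python
import configparser

# Grant names come from Flatpak's permission model; the risk notes are this example's own.
BROAD = {
    "filesystems": {"host": "nearly the whole host filesystem", "home": "whole home directory"},
    "devices": {"all": "every device node"},
    "sockets": {"x11": "X11 socket, shared with every other X client"},
}

# Constructed samples in the keyfile layout printed by `flatpak info --show-permissions`.
SAMPLE_BROAD = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=host;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
"""
SAMPLE_TIGHT = """\
[Context]
shared=network;ipc;
sockets=wayland;pulseaudio;
devices=dri;
filesystems=xdg-download:ro;
"""

def audit(text):
    """Return a list of broad grants found in one app's permission keyfile."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep D-Bus names case-sensitive
    cp.read_string(text)
    findings = []
    ctx = cp["Context"] if cp.has_section("Context") else {}
    for key, risky in BROAD.items():
        for entry in filter(None, ctx.get(key, "").split(";")):
            name = entry.partition(":")[0]  # drop a :ro / :create suffix
            if not entry.startswith("!") and name in risky:  # "!" marks a revoked entry
                findings.append(f"{key}={entry} ({risky[name]})")
    bus = cp["Session Bus Policy"] if cp.has_section("Session Bus Policy") else {}
    if bus.get("org.freedesktop.Flatpak") in ("talk", "own"):
        findings.append("org.freedesktop.Flatpak bus access (can start host commands)")
    return findings

if __name__ == "__main__":
    for label, sample in (("broad", SAMPLE_BROAD), ("tight", SAMPLE_TIGHT)):
        print(label, audit(sample) or "no broad grants")
```

A flagged filesystem grant can be revoked per user with `flatpak override --user --nofilesystem=host <app-id>`, after which file access goes through the portal file chooser only.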

  • @TheLotw
    @TheLotw 21 days ago

    Flatpaks do not suck. They are the future of packages on Linux. They make it so it doesn't matter what distro you are using, you can have the same version and know the software is going to work. I thought repo packages were better, but after I ran into a few issues I started using flatpak and well THEY JUST WORK. There are still some things I install as a repo package but that is mainly just system apps now. Also flatpaks make it so the maintainer just has to do one version, not check to see what kernel, libraries, package format (deb, rpm, etc) so they can just work on their app.

    • @friendlyalien379
      @friendlyalien379 21 days ago

      It's like you didn't watch the video at all...

    • @Ohem1
      @Ohem1 20 days ago

      Permissions are exactly why I despise flatpak, when I started to use Linux I needed a couple of packages to do what I needed and they wouldn't talk to each other or the system properly. I get WHY the idea of isolating the software is in high regard as well as easily updated and maintained, but my deity ASK ME TO GIVE ACCESS instead of requiring the use of the terminal - ASK, even iOS and Android do this effortless thing. Can't use Blender properly through Flatpak because it's isolated and can't talk to the GPU for more efficient rendering, I HAVE TO use the terminal to force permissions, and no Flatseal doesn't help. (This isn't the only software I've had issues with, just a good example).
      "The program requests read and write permissions, do you want to give permission? Press Yes - No"
      "The program requests access to the following hardware, do you want to give permission? Press Yes - No"
      That's it, not that hard. Linux already has password protection for kernel/system-level installs.
      I shouldn't have to use the terminal for such a small thing.

    • @friendlyalien379
      @friendlyalien379 19 days ago

      @Ohem1 I know what you are talking about. I remember using flameshot as flatpak at the beginning and not being able to paste anything in other applications installed by flatpak. But I didn't go to the terminal for a solution, I just deleted every app that I had installed as flatpak, and took the appimages instead :)

  • @ankur-dhama
    @ankur-dhama several months ago +1

    When you are using open/save from a program that program is using xdg desktop portal for showing the dialog to the user to pick the file. The program is not directly accessing the file hence it still works as the user chooses the file and not the program and then the program reads and writes the file using the portal API. But if you try something like flatpak run progname filename and the flatpak doesn't have file access permission, it will fail.

    • @friendlyalien379
      @friendlyalien379 several months ago

      @ankur-dhama well that xdg portal has to be defined as xdg-download or something else, but if you look at the video even with that permission gone it still doesn't respect what I can do or not. For Firefox if I'm downloading something I can't really go from the terminal, can I? I didn't check how a flatpak is respecting permissions from the terminal, because that beats the whole purpose of running apps installed from flatpak.

  • @mathgeniuszach
    @mathgeniuszach 23 days ago

    "I never understood why the Linux Community couldn't agree on one package manager"
    Because of those "technical details" you said were boring. Arch, Debian, NixOS, Fedora... they're *different* systems and they bundle completely different versions of dependencies in different ways because the systems are built differently. They have different goals, different reasons for existing, and fundamentally different solutions.

    • @friendlyalien379
      @friendlyalien379 23 days ago

      BSD has different reasons for existing and purposes and yet they have that figured out. I would say many egos thinking their way is better than others.

    • @mathgeniuszach
      @mathgeniuszach 22 days ago

      @friendlyalien379 It's not really an ego thing. It is not possible to have a package manager on Linux that is extremely lightweight and has upstream support on every distribution. Either you make it lightweight and have support on only one system, or you make it robust and heavy and give support to every system. Each system's package manager opts for the former, while flathub opts for the latter.

    • @friendlyalien379
      @friendlyalien379 19 days ago

      @mathgeniuszach Define lightweight. Do you really think I care about a few mb more if it would mean that all the developers would need to put only one package for every distro? Still, appimage is light years away from every other package manager. Flatpaks are gonna be a nightmare of bloated mess with their runtimes, just wait :)

    • @mathgeniuszach
      @mathgeniuszach 19 days ago

      @friendlyalien379 I don't mean lightweight as just filesize (though that is part of it, packaging in extra libraries costs more than a few mb, especially expensive ones). Lightweight means it interacts directly with your system and the way it's set up with little to no overhead. It also means that it is simple. Packaging for all systems doesn't just require you to include more libraries in - it requires dealing with distro-specific oddities such as differences in FHS, development cycles, low-level programs, etc.
      As a very simple example, what do you want? The most up-to-date software, or older and more likely stable software. Some systems choose the former, others choose the latter. But to choose both means hosting both, maintaining both, and fixing both. This is called "overhead". To get the best of both worlds, you must sacrifice the lightweight simplicity of one and account for both. Thus, you cannot have both a "lightweight" system and support everyone.

  • @skorne7682
    @skorne7682 several months ago

    I think that while it's good practice to have decent security on apps you don't really trust you can never be 100% secure - at least not if you ever want to get anything done on your computer. Worrying about what every single piece of software on your system can access is a rabbit hole with no bottom. Are you going to go look at the entire source code of every non-flatpak program on your system to check if someone slipped in some malware? It can and does happen as we saw with XZ recently.
    The only true way to protect your user files is a robust backup system preferably with both local and off-site backups.

  • @marcmulzer
    @marcmulzer several months ago

    Great overview! Very informative.

  • @carlocorderotv4676
    @carlocorderotv4676 several months ago

    Good info. Thank you.

    • @friendlyalien379
      @friendlyalien379 several months ago

      @carlocorderotv4676 Thank you