I'm always surprised to see discussions about desktop Linux software place such a heavy emphasis on the security aspect. In practice, malicious software (which is ubiquitous on other platforms in the form of adware and apps stealing personal information) is almost a non-issue on the Linux desktop platform. And I don't see it becoming a bigger issue in the future either. The desktop Linux market is too small and too fragmented, and its clientele are too tech-savvy and privacy-aware on average, to be of interest to Big Ads and co.
The elephant-in-the-room issue, and the one that any debate about the Linux desktop as a platform must necessarily focus on, is: How do I get my application to my users? For historical reasons, there hasn't been a good answer to this question for a long, long time, and anything that improves on the status quo (Flatpak, Snap, AppImage) is indeed (part of) "the future".
Of course, this being Linux, "the future" won't consist of "this one thing that everybody uses". If that's the goal, it was unattainable from the beginning. I love that Flatpak is repository-agnostic. I love that Snap applications update automatically. But most importantly, I love that I have a choice between the two.
Pretty much anyone can avoid at least 90% of malware really easily these days.
You just don't install things from media sharing sites with full page ads, and if it doesn't have its own subreddit and nobody blogs about it... never mind you're going to install cleanmyram.exe.deb anyway aren't you?
NPM supply chain attacks are slightly scary, but for now it seems to happen a lot less in popular apps than it does in the smaller stuff.
I think Linux probably will eventually pick a "Thing everyone uses", it will just have a significant minority that reject it, like with systemd or NetworkManager.
Another factor is that most of the software used by an average linux user is curated by the distro repository maintainers. Moreover, free software is almost always privacy-respecting, so you don't really need much in the way of security to use them, unlike on other systems.
I think these new packaging solutions are only really meant to push proprietary software onto linux.
You just bundle all libraries except glibc in the tarball. You build against the oldest glibc you're willing to call "supported". Firefox and Blender (among many others) have been doing this for as long as I can remember, and as long as I can remember their tarballs have never failed to work for me, on any distro.
The problem seems to me to be that there's some kind of cultural imperative to attempt to dynamically link against whatever the system version of a library is, which is clearly insanity.
You can't statically link glibc and you shouldn't statically link openssl or libcrypto, and Linux distributions make it extremely difficult to do reliably without compiling everything from source.
You don't have to statically link everything. You should choose based on (a) if the lib has to be dynamic (e.g. portability layers, crypto) (b) if the lib is widespread and has stable ABI.
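The "build against the oldest glibc you're willing to support" approach only holds up if you can check what a shipped binary actually imports. As an added example (not from any commenter), this POSIX shell snippet parses `objdump -T` output for the highest GLIBC_ symbol version a binary needs and compares it against a target; it runs on a constructed sample rather than a real binary.

```shell
# Added example: find the highest GLIBC_x.y symbol version a binary imports
# (the oldest glibc it can run on) and check it against a support target.
# Real use: objdump -T ./myapp | min_glibc_required

min_glibc_required() {
    awk '
        BEGIN { maj = -1; min = -1; best = "none" }
        # Only undefined (*UND*) entries are imports from shared libraries.
        /\*UND\*/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\(?GLIBC_[0-9]+\.[0-9]+/) {
                    v = $i
                    sub(/^\(?GLIBC_/, "", v)   # "GLIBC_2.34" -> "2.34"
                    sub(/[^0-9.].*$/, "", v)    # drop ")" or trailing junk
                    split(v, p, ".")
                    m = p[1] + 0; n = p[2] + 0
                    if (m > maj || (m == maj && n > min)) {
                        maj = m; min = n; best = v
                    }
                }
            }
        }
        END { print best }
    '
}

# Exit 0 if the objdump output on stdin needs no glibc newer than $1 (e.g. 2.17).
glibc_at_most() {
    need=$(min_glibc_required)
    [ "$need" = "none" ] && return 0
    awk -v need="$need" -v want="$1" 'BEGIN {
        split(need, a, "."); split(want, b, ".")
        ok = (a[1]+0 < b[1]+0) || (a[1]+0 == b[1]+0 && a[2]+0 <= b[2]+0)
        if (ok) exit 0; else exit 1
    }'
}

# Constructed sample of "objdump -T" output for a binary built on a recent
# distro; the pthread_create import pins it to glibc >= 2.34.
SAMPLE_OBJDUMP='DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 printf
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.17  clock_gettime
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.34) pthread_create
0000000000001139 g    DF .text  0000000000000010  Base        main'

printf '%s\n' "$SAMPLE_OBJDUMP" | min_glibc_required   # prints 2.34
if printf '%s\n' "$SAMPLE_OBJDUMP" | glibc_at_most 2.17; then
    echo "runs on glibc 2.17"
else
    echo "needs a newer glibc than 2.17"
fi
```

Run it against the real output of `objdump -T` on your release binary to confirm a build on a newer distro did not quietly pull in a symbol version your oldest supported target lacks.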
I was concerned about that but I just thought of it. For example I want to install VSC on a new device, I go to their website and download binary or .deb file.
It is nice to be trusted/be sudo apt installable say... But also requires being vetted I believe.
In case of KDE they have their software "marketplace" which to my surprise had a lot of options. (Context was Pinephone)
> Regardless, I personally believe that it is unfair to blame the backend utility (Flatpak) for an issue caused by the frontend (GNOME Software).
There is no good Flatpak frontend to compare it to. The Flatpak project seems to believe it is Somebody Else's Problem, and consequently when everyone else poorly integrates Flatpak support into their traditional package manager frontend the Flatpak project gets to wipe their hands of it and say it isn't their fault. As a user, I don't really care who is at fault for a bad user experience if there is no good user experience alternative, and the lack of one reflects poorly on Flatpak regardless of who they believe is at fault.
That said, I'll take Flatpak over the traditional package manager with its limited and out of date software collection that requires an army of volunteer middle men to prop up.
I haven't read the specs or anything, but a packaging format where anyone can upload their application, and we cannot verify the installation script, isn't a good idea IMO.
> Distributions that heavily push Flatpak, like Fedora Silverblue/Kinoite, Endless OS and elementaryOS, strictly push Flatpak for applications. As a side effect, these distributions have a really small base install as well. As an example, an Endless OS install takes roughly 4.2 GB
4.2gb is a "really small base install" ????? WHAT
the windows users are infecting linux, and it shows
The default install of Ubuntu is in the neighborhood of 15GB. When comparing full on general purpose desktop environment distros, 4.2GB is pretty reasonable. Obviously if you're using a hand-tuned Arch or something you can get a much smaller base install size for your needs.