by Tomte 1034 days ago
But it's the present. And a godsend.

I'm using it for current Firefox, Zotero, Joplin and two or three more programs, none of which are packaged in Debian (except Firefox, but only the LTS version that doesn't work with all my extensions).

Unless you can offer something better, I'll keep using it.


Or just use Arch and have almost everything in official repos (and the rest in the AUR). I have had fewer issues with Arch than with Debian, because Arch is so simple. If you want to install something, you install it, and then it's installed. One command. Always. I found that Debian would break more easily because I had to mess around with unofficial repos and things like Flatpak just to get basic programs. More complexity, more that can break, more reliance on 3rd parties. Arch has been rock solid.
I've been using Arch for over a decade and never liked using the AUR. Too much vetting and building. So I use flatpak for the non-DE graphical applications now.
> Firefox

should be able to just use Mozilla's official build, which comes with an auto-updater (and it implements the sandbox itself, so no need for another one on top).

> Zotero

> Joplin

both Electron shells. also come with their sandbox already. most rolling release distributions would just package these with a system-provided Electron build.

> both electron shells. also come with their sandbox already.

Not sure about the 2 specific apps posted, but web applications packaged as electron apps often do so in order to easily escape the normal browser sandbox without having to prompt for permissions? Or even call into native code which would be impossible from a web app.

I would not think that because an app is Electron-based, it is sandboxed from your system.

Ideally if you can run the same app under your normal web browser, you'd be fine. I see many people install the Slack app for example, but the web version works just as well within the full browser sandbox.

You're correct. In fact, they can even let webpages break out of the sandbox. So, some random JS loaded from the web can now compromise your system.

The person you're replying to is quite mistaken.

> Zotero

> both electron shells

Zotero is a XUL application, not Electron. The soon to be released version 7 is a major rewrite and is based on Firefox.

Zotero is one of those crucial applications where Flatpak is nice. I want it to be self contained. I don't want anything messing with it which could lose me weeks of research.

> (it implements the sandbox itself, so no need for another one on top).

"An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape." [0]

Defense in depth applies here, you definitely want to sandbox any network application as complex as a modern web browser.

[0] https://nvd.nist.gov/vuln/detail/CVE-2022-26486

I always assume Electron apps are going to be more vulnerable than your average app. They tend to have the same vulnerabilities as web browsers (which are a big target for exploits given the reach) but have 2 additional layers of "bureaucracy" (the app's own update schedule and Electron's) before the underlying vulnerable engine is patched.
I always get a little annoyed at "X is not the future" posts because we don't live in the future, we live now.

Much as we like to personalize them, computers are tools that we use to get things done, and Flatpak is among the better things we have right now for dealing with the awfulness of Linux packages. If a better thing comes in the future I'll use that.

> Flatpak calls itself “the future of application distribution”.

The post is making the author's case against this claim, so I think the title makes sense.

But this is Hacker News where people who build things hang out. If you are fine with the state of the world and are not involved in advancing it, good for you, you can close this discussion. But many people around here are building the next things. And in that context it makes sense to think about what's the future and what's not.
You sound like every other person responsible for the rampant NIHism in Linux and the reason why the "year of the Linux desktop" is in the year 6002 at this rate.
If "the year of the Linux desktop" requires turning Linux into a Windows/macOS clone, I am happy to postpone it.
I swear the only people going on about the "year of the Linux desktop" are its detractors.
Sorry, I don't see how my post relates to NIHism. Could you elaborate?
Zotero Flatpak comes with 4 year old Firefox binary and full access to your home directory.

The compromise currently being made here is your security.
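One way to check for the kind of home-directory grant described above, as an added example that is not from the thread or from Flatpak's own tooling: it parses the `[Context]` section that `flatpak info --show-permissions APP` prints, flags broad filesystem grants, and suggests the matching `flatpak override` command. The metadata text and the app id `org.example.App` are constructed for the example, not Zotero's real manifest.

```shell
#!/bin/sh
# Constructed sample in the format of `flatpak info --show-permissions` output.
SAMPLE_PERMISSIONS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=home;xdg-download;/tmp;
'

# Print one filesystem grant per line from metadata read on stdin.
list_filesystems() {
    awk -F= '
        /^\[/ { in_ctx = ($0 == "[Context]") }
        in_ctx && $1 == "filesystems" {
            n = split($2, fs, ";")
            for (i = 1; i <= n; i++) if (fs[i] != "") print fs[i]
        }'
}

# Classify one grant: "broad" for whole-home or whole-host access (incl. :ro), else "scoped".
classify_grant() {
    case "$1" in
        home|home:ro|host|host:ro|host-os|host-etc) echo broad ;;
        *) echo scoped ;;
    esac
}

# Suggest the per-user override that drops a broad grant (mode suffix such as :ro stripped;
# assumption: --nofilesystem takes the bare name).
suggest_override() {
    app="$1"; grant="${2%%:*}"
    echo "flatpak override --user --nofilesystem=$grant $app"
}

# Number of broad grants in metadata read on stdin.
count_broad() {
    list_filesystems | while read -r g; do classify_grant "$g"; done \
        | awk '/^broad$/ { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s' "$SAMPLE_PERMISSIONS" | list_filesystems | while read -r g; do
    if [ "$(classify_grant "$g")" = broad ]; then
        suggest_override org.example.App "$g"
    fi
done
```

Run the real thing with `flatpak info --show-permissions APP | count_broad` once the functions are sourced; a non-zero count means the sandbox does not protect your home directory from that app.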

Nix, NixOS. It has Firefox LTS and nightly, and the other two packaged as well. You can in fact freely go back and install any combination of versions/configurations for each of these, even multiple times.

Flatpak mixes up packaging and sandboxing; these two imo should not be that closely coupled. Especially as it doesn't even solve the former properly (not sure about the latter).

If you want a more recent Firefox, try backports?
Isn't that just because you aren't using a decent distro? I mean, I am surprised that Firefox or LibreWolf or whatever fork is not packaged by Debian in a current version.
That's kinda Debian's shtick. Its ethos is to be rock-solid stable no matter what. No changes but bug fixes, and it gets those in a very timely manner. It's an amazing distro for what it is, but on a desktop or workstation sometimes you just need up-to-date software, and for that, Flatpak makes a whole lotta sense. Stable OS core with the latest applications shipped on top. It may not fit your own use case, but it's one of the leading distros that exist; it far exceeds just "decent."
Yep. That "solid, not cutting edge" philosophy is one of the main reasons why Debian is my favorite distro.