
Flatpak 1.0 Released, Ready for Prime Time - alexlarsson
https://flatpak.org/press/2018-08-20-flatpak-1.0/
======
jhack
Flatpak and Snaps are a great step forward for Linux packaging and usability.

I think there's a vocal segment of the Linux community that doesn't understand
what a major roadblock it is for the general user having different
distributions having completely different ways of packaging, distributing, and
updating applications. Don't worry, no one's taking away your apt-get, pacman,
rpm, eopkg, makefiles, etc.

~~~
mediocrejoker
I installed Ubuntu 18.04 the other day and was prompted to install some common
software such as Slack, Discord and Spotify . I installed all of them, and it
mostly worked (navigating to another page in the software centre cancels an
ongoing install with no warning).

When I ran mount, I noticed that every package I'd installed had it's own
entry in the mount list. After I rebooted the machine, these mounts were no
longer listed and the software I'd "installed" was no longer available through
the gnome menu.

I'm not against finding new and better ways to package software but this
experience left me with the expression that the technology is not quite ready
to be rolled out and adopted en masse.

~~~
seiferteric
I've noticed after updates I believe, the calculator app just won't open. It
will sit there with the spinning wheel thing. After a reboot it will be fine.
I noticed that the calc app is installed as a snap, never noticed this
behavior before.

~~~
aorth
Wait, why is the calculator app installed as a snap? As a technology preview
or proof of concept it's not very impressive—especially if it doesn't work!

------
ddevault
Ready to ruin the security of Linux, you mean. The split between package
vendor and package maintainer has classically been the primary reason for
malware being rare on Linux. Getting maintainers out of the loop for auditing
packages, ensuring security updates go out, etc - is an _awful_ idea.
Sandboxing applications is great, but it can be done without subverting the
package manager.

~~~
AnIdiotOnTheNet
> The split between package vendor and package maintainer has classically been
> the primary reason for malware being rare on Linux.

It's also one of the reasons users and proprietary software have been rare on
Linux.

~~~
dec0dedab0de
_> The split between package vendor and package maintainer has classically
been the primary reason for malware being rare on Linux.

It's also one of the reasons users and proprietary software have been rare on
Linux._

It may be why proprietary software is lagging, but I think most users prefer
an OS level package manager. They just didn't know about them until the
Appstore.

~~~
AnIdiotOnTheNet
Which is why everyone loves the Windows Appstore and uses it exclusively.

The Appstore works on phones and tablets because they are primarily
consumption-only devices, and because users are not given any other choice
(also, the installer/uninstaller model has a lot of its own suck). I don't
know about you, but that's not what I want out of personal computing.

~~~
TingPing
Most complaints about the appstore revolve around things like it being slow,
clunky, failing to work, being designed around DRM, forbidding win32 early on,
etc.

Nobody is complaining that applications are in a central location.

------
DCKing
The tone of the comments on news like this never fails to disappoint me. Sigh.

The Snap store so vastly improves my user experience of using common apps I
switched from Arch Linux (where 50% of the programs I had installed came from
the AUR) to Ubuntu, where everything I needed was just _there_. No longer do I
need to run weird scripts from the internet to get simple stuff to run on my
non-standard distro (which could be Arch, Fedora, or whatever I am running at
the time).

You can hold the position that these things are a big security risk.
Distributing monolithic packages with likely old/vulnerable dependencies is
not a great idea. But on the other hand, it prevents asking the user to run
random scripts (which in many cases are _not_ vendor provided) as root to get
their software, and it gives the user integrated automatic updates and other
software center integration (as opposed to downloading random stuff from the
internet). In terms of increased security through sheer usability and
requiring less manual maintenance, the advantages of Snaps and Flatpak add up,
I think. Many things in security are a tradeoff, and I feel that _getting the
user to do the right thing_ is often extremely undervalued. I think it is also
undervalued in these comments.

Flatpak and Snaps still have a lot of problems. Why do we have two competing
standards? Why can't I properly get all Snaps running on Fedora or other
platforms that use SELinux [rhetorical question - I know the technical
reasons]? Why do so many apps not use their sandboxing effectively? Why is it
so hard for these things to respect my computer's theme? The list goes on.

The list of problems is long and valid. But I think it's worthy of some
celebration that advancements are being made in making desktop Linux usable
for users and popular for developers. And I don't think it's clear at all that
this is a regression in terms of security.

~~~
baybal2
We also have the not-so-dead autopackage (listaller)

~~~
DCKing
Yeah, but it's not just about solving the problem "how do I install package X
on a random Linux distribution". I agree there have been solutions for that
for a long time. In fact, Snap at least does not _even_ fully solve this
problem because its sandboxing depends on AppArmor, which clashes with SELinux
on distros that use this - (e.g. anything from Red Hat).

The real key to Flatpak and Snap is the entire app "experience" \- integration
in the software center as a trusted source, automatic updates, clean installs
and removals without messing up other parts of the system. Before Flatpak and
Snap, this did not exist on Linux, especially not in something that was
compatible with all distros.

------
Aelius
I like to run a pretty lean system, and flatpak gives me the ability to
install some of the bloatier packages without the deep system dependencies
they bring with them in a package manager.

Installing a PDF reader should not forcibly install Udisks2 and upower.

A lot of commenters are upset that maintainers are being removed from the
equation. Can't each distro just set up their own maintained repository? If I
understand correctly, there's nothing about flatpak that actually prevents
traditional maintaining. The only thing distros have to do is integrate
flatpak, set up their own repository as default, and note that user should use
other repositories at their own risk. Which is basically how things already
work.

Is there a valid reason to hate flatpak itself, or are you all just too caught
up in hating change to actually evaluate it?

~~~
TingPing
> Can't each distro just set up their own maintained repository?

Yes Fedora is working on doing so.

------
cmurf
I've been using the Slack, GIMP, and Darktable flatpaks on Fedora Workstation
(which is GNOME based), available on flathub.org, for quite a while, maybe a
year - without problems. I also sometimes use Okular which is a KDE app, and
by installing it, the necessary kde.Platform runtime libraries were also
installed and kept up to date by flatpak - works flawlessly. There's also a
LibreOffice flatpak I have installed, and it seems like the flatpak update
"deltas" are smaller than RPM updates, by quite a bit.

I haven't used the feature yet, but supposedly there's a means of easily
rolling back to a previous version in case an update has a bug the user can't
work around. Rolling back RPM's can be non-trivial when there are many
dependencies - it's way easier for me to do rollbacks of an RPM only based
system by Btrfs snapshots which of course not everyone can depend on just for
undoing an application update.

So I'd say this is definitely an improvement from a user perspective; and it
seems no more painful and perhaps a little less painful for packagers.

------
sandGorgon
I dont know but if i just compare
[https://snapcraft.io/store](https://snapcraft.io/store) and
[https://flathub.org](https://flathub.org) ... I see that snap packages have a
lot more adoption by big name vendors.

~~~
TingPing
Canonical has a marketing team and outreach. Flatpak doesn't.

Also the Snap store allows a larger range of software (WINE repackages, server
apps, duplicates, etc) that Flathub does not. Flathub is also hand reviewed so
it takes a bit longer for new apps to get in.

~~~
sandGorgon
im not talking about niche ones - im talking about REALLY big names.

firefox, vscode, etc. there is also this - [https://www.docker.com/docker-
news-and-press/docker-and-cano...](https://www.docker.com/docker-news-and-
press/docker-and-canonical-partner-cs-docker-engine-millions-ubuntu-users)

~~~
takluyver
vscode at least is there on Flathub:
[https://flathub.org/apps/details/com.visualstudio.code](https://flathub.org/apps/details/com.visualstudio.code)

~~~
gurkendoktor
I found the flatpak version too sandboxed to be useful:
[https://github.com/flathub/com.visualstudio.code/issues/25](https://github.com/flathub/com.visualstudio.code/issues/25)

Snap "solves" this issue by not sandboxing some apps. I'm not sure if there is
a good solution to sandboxing developer tools.

~~~
TingPing
The solution is developer tools to conceptually split the target environment
and their running environment. GNOME-Builder is an example of this.

~~~
gurkendoktor
I was wondering how Builder handles this when I wrote my reply, but I assumed
it'd do the same thing. Thanks, I'll take a look.

------
AdmiralAsshat
My first impressions of Flatpak have been positive, with a few caveats.

As an end-user, I want my apps to be getting regular, automatic updates, which
means it's vital to get them from some kind of official repo. I sympathize
with the one-man developer who just wrote some cool little Electron app that
he designed to be cross-platform and promptly gets bombarded by requests from
his 10% Linux userbase that wants the app to be packaged for
Debian/Ubuntu/Fedora/SuSE/Arch repos. I get it, I've _been_ that annoying
guy[0].

So to that end, packaging once as a Flatpak and working everywhere has been
great. A handful of those pesky apps I used to have to regularly check for new
RPM releases are now on flathub and I can update them automatically.

With that said, flatpak support is still spotty. DNF doesn't support flatpak
yet, so I had to install GNOME Software on my Cinnamon DE just to be able to
easily support and update them. There's also the issue of the greatly inflated
installation sizes. I'm hopeful that support will get better soon now that
it's finally at 1.0.

[0][https://github.com/MarshallOfSound/Google-Play-Music-
Desktop...](https://github.com/MarshallOfSound/Google-Play-Music-Desktop-
Player-UNOFFICIAL-/issues/2567)

~~~
deadbunny
> With that said, flatpak support is still spotty. DNF doesn't support flatpak
> yet, so I had to install GNOME Software on my Cinnamon DE just to be able to
> easily support and update them. There's also the issue of the greatly
> inflated installation sizes. I'm hopeful that support will get better soon
> now that it's finally at 1.0.

Could you not just use the cli?

(Not trying to start a holy war, just a question)

~~~
AdmiralAsshat
The CLI wasn't terribly intuitive for app discovery, and to be honest until I
googled around I couldn't even find the flatpak command to update already-
installed apps.

~~~
vetinari
update installed apps: "flatpak update"

list whatever is available in repository: "flatpak remote-ls repo-name", i.e.
"flatpak remote-ls flathub".

list installed packages: "flatpak list"

~~~
TingPing
Searching is easy too: `flatpak search $foo`.

------
dajonker
Flatpak works much better for me on Ubuntu 18.04 with vanilla Gnome on
Wayland: the Snap packages don't appear in the Gnome menu (until you launch an
X session) and some Snap packages don't work at all on Wayland. Also, Spotify
is updated much more often on Flatpak hub than on Snap.

------
safgasCVS
I dont understand the point of this - why is this any better than apt? Based
off the top comment here this is meant to be much more user-friendly, but
already installing on Ubuntu didnt work properly despite following Flatpak's
own guide. And the install process for apps is then basically the same as apt.
I dont get it

~~~
digi_owl
User friendliness is a smokescreen, it is about being upstream friendly. This
in that now you get the kitchen sink of dependencies on each install rather
than them actually having to care about API stability (not that they did much
in the past).

This because they do not want to admit that distros being slow with rolling
out new releases of their software, is because of the dependency tangles that
they have created for distro maintainers.

------
privateSFacct
They might want to take a look at snaps - it does something similar and has a
good software mix.

~~~
AnIdiotOnTheNet
Snaps are Canonical's NIH take on Flatpak (previously known as xdg-app).
Fragmentation for fragmentations sake.

~~~
thibran
Sure it's Canonical's NIH and not Red Hat NIH, since both got released in
December 2014?

~~~
jhasse
Yes, because Snap doesn't support different repositories easily and everything
atm is based on Ubuntu base-images. Also the license is GPL+CLA allowing
Canonical to relicense it under a proprietary license. Furthermore they
require AppArmore for some features which some distros can't use (it isn't
part of the mainline kernel AFAIK).

~~~
jhasse
Okay I was wrong: AppArmor is part of the mainline Linux kernel. I think it
were some Ubuntu-specific patches then which were required for some of the
sandbox features. I will try to find where I read it again.

------
sam0x17
I would be curious to know what the differences between snap and flatpak are?
Is this just a "flatpak is for RHEL, snap is for debian" situation, or is
there something more to it? Just curious.

~~~
russdpale
You can use them side by side. They are just different options :). If its not
on snap, it could be on flathub or the other way around.

------
deadbunny
Packaging was a solved issue in Linux, congrats on the 3 steps back.

The rush towards containers because they're "easy" strikes yet again.

My fear is that the handful of companies that build packages for their desktop
apps with abandon them and move to Flatpak/Snap. From the Flatpak docs it
looks like anyone and everyone can just get access, even if you don't own the
thing you're packaging. So if you pack $newpopularsoftware first you can now
install malware on everyone's computers with a single push.

It's like they looked at everything bad about Chocolatey/NPM/pip/AUR and just
ran with it.

~~~
scrollaway
> _Packaging was a solved issue in Linux, congrats on the 3 steps back._

Dude, seriously. Flatpak has issues, but saying "Packaging was a solved issue"
when every distro rolls out its own packaging system is the reason we can't
have nice things.

Ignoring the problems won't make them go away.

~~~
dec0dedab0de
_Dude, seriously. Flatpak has issues, but saying "Packaging was a solved
issue" when every distro rolls out its own packaging system is the reason we
can't have nice things._

If every distribution was using the same packaging system, would they still be
separate distributions?

EDIT: By packaging _system_ I assumed we meant the same repositories, and
packages. Since that is how Flatpak seems to work.

~~~
oblio
> If every distribution was using the same packaging system, would they still
> be separate distributions?

Do we even need that many distributions? What's the value proposition for all
those hundreds of Linux distros?

My impression is that for many of them its:

A. we want to make my own distro, to learn, get visibility or maybe even make
money

B. we want to make our own distro because of an already existing user base
from point A.

C. we want to make our own distro because we can't get along with distro X
makers

I wish that the barrier to entry to making a Linux distro was higher. People
would have to put more thought and effort into it and the overall quality
would be higher.

~~~
dec0dedab0de
_Do we even need that many distributions? What 's the value proposition for
all those hundreds of Linux distros?_

That is a valid point, and why I usually tell people to just use Ubuntu if
they're not sure. The value proposition is that different people are doing
different things, and even people doing the same thing sometimes like to do it
different ways.

 _I wish that the barrier to entry to making a Linux distro was higher. People
would have to put more thought and effort into it and the overall quality
would be higher._

I believe that less competition equals lower quality.

~~~
oblio
> I believe that less competition equals lower quality.

While I generally believe in competition leading to better results for
users/customers, the real life experience of Linux distros vs Windows or Mac
OS doesn't seem to bode well for the free market :p (i.e. Linux distros should
be the pinnacle of software quality and they aren't).

------
lousken
I know snap makes it hard if I want to modify something inside the package
even as root (so it's close to the UWP nightmare). Is flatpack any different?

------
blattimwind
Interestingly flatpak doesn't really support drag-and-drop.

~~~
alexlarsson
It should support it as well as deb or rpm does. I.e. it is completely
uninvolved in drag-and-drop.

~~~
alexlarsson
Well, if you drag-and-drop a _file_ things might be somewhat problematic due
to the sandboxing. An app with no access to the file can't read the dropped
filename.

~~~
takluyver
From a technical perspective, I understand what you mean. But from a user
perspective, 'except for files' is a pretty big caveat. Files are the main
thing I drag and drop!

------
mahesh_rm
What is the position of Linus and Linux Kernel Development crew regarding
this?

~~~
AnIdiotOnTheNet
Linus himself distributes Subsurface using AppImage.

~~~
feborges
Also available in flathub.org

------
v_lisivka
In Linux, you need to download, compile, and install viruses and trojans by
yourself. With Flatpack, trojans can be installed in one click.

~~~
v_lisivka
OMG. I got 2 downvotes before my page with response loaded after submitting.
Never saw that. :-[ ] Instant karma.

~~~
DoofusOfDeath
Jokes on HN always run a risk of downvoting, even if really funny.

~~~
ynniv
People seem particularly downvote happy this morning, or this story. Is this
project close to YC?

~~~
nickik
Anything related to RedHead developers doing anything that is 'disrupting' or
'different' can unleash a shitstrom and lots of trolling.

