Flatpaks should be used for preinstalled programs for better security/updates

Suggestions and feedback for Linux Mint and the forums
frofrout

Flatpaks should be used for preinstalled programs for better security/updates

Post by frofrout »

Greetings! With the news that Ubuntu 18.04 will be using Snaps instead of the default non-sandboxed deb programs, I would suggest that Linux Mint looks into using Flatpaks for LibreOffice/Chromium/Firefox and all the other default programs that are also available as Flatpaks.

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by BenTrabetere »

No, no, no, 100 times no. I feel the same way about AppImages and Snaps, but maybe not as strongly. Flatpaks, Snaps and AppImages have their place, but not for major core applications.

I can understand running a browser in a sandbox. But why would you want or need to sandbox LibreOffice, and if there is a need, what advantage would Flatpak have over Apparmor and Firejail?


Just for giggles I installed the LO flatpak - it took over a minute to launch. Granted, a lot had to do with my ancient system (Athlon 64 X2 4200+ with 4GB RAM), but I suspect there still would be a performance hit on more capable hardware. The installed version of LO launches in less than 6-seconds.

I tested the component applications I frequently use (Writer, Calc, Draw and Base), and three of the four ran smoothly. Base was the exception. The current flatpak is missing the Java Runtime Environment, and LO-Base is pretty much useless without it.

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by mr_raider »

Can anyone explain to me the fetish for flatpaks and snaps? What's wrong with the .deb system? As I recall, it stands for "Debian package", which is one of the most robust and solid package management systems in all of linuxdom.

If I need a program, I look for a deb first.

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by jimallyn »

mr_raider wrote: Can anyone explain to me the fetish for flatpaks and snaps? What's wrong with the .deb system
The deb system is a good one, but sometimes you might want a newer version of a program than what is in or available for your installed Mint (or other Linux). The advantage of flatpaks is that they contain most of the dependencies within them, so you don't get the problem of "I can't install that because to do that I'd have to install this and this and this and uninstall that and that and that." Also, I guess some of the new packaging systems install the programs so that they run inside a "sandbox" where they can't screw up anything else in your system, and they are harder for anything external to screw them up.

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by mr_raider »

jimallyn wrote:
mr_raider wrote: Can anyone explain to me the fetish for flatpaks and snaps? What's wrong with the .deb system
The deb system is a good one, but sometimes you might want a newer version of a program than what is in or available for your installed Mint (or other Linux). The advantage of flatpaks is that they contain most of the dependencies within them, so you don't get the problem of "I can't install that because to do that I'd have to install this and this and this and uninstall that and that and that." Also, I guess some of the new packaging systems install the programs so that they run inside a "sandbox" where they can't screw up anything else in your system, and they are harder for anything external to screw them up.
That sounds suspiciously "Windows-like", where every .exe ships with a ton of .dll files.

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by BenTrabetere »

mr_raider wrote: Can anyone explain to me the fetish for flatpaks and snaps?
I think Flatpak, Snap and AppImage are attempts to solve, or at least address, the 'too many package systems' issue. I do not think they could or should be used to replace an established package management system like .deb, but they can fill a void.

Of the three, I prefer AppImage, and it gives me the opportunity to play with applications that I would never install to my system. I am currently using four AppImages on a regular basis, most of which are development versions. I am playing with two versions of GIMP 2.9.5, a RAW processor that is in an early stage of development called Filmulator, a paint program called AZPainter, and two note-taking applications, BoostNote and MrWriter.
Last edited by Moem on Sat Dec 23, 2017 12:33 pm, edited 1 time in total.
Reason: Fixed a quote
frofrout

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by frofrout »

BenTrabetere wrote: No, no, no, 100 times no. I feel the same way about AppImages and Snaps, but maybe not as strongly. Flatpaks, Snaps and AppImages have their place, but not for major core applications.

I can understand running a browser in a sandbox. But why would you want or need to sandbox LibreOffice, and if there is a need, what advantage would Flatpak have over Apparmor and Firejail?
LibreOffice - As a journalist (for example) you open attachments for a living, pretty much. Knowing the .doc can't conquer your computer is a pretty strong argument for using it as a Flatpak instead.

Firejail in the repo is insanely behind on the updates. Meanwhile, Flatpaks are updated automagically and are protected with SELinux. Even if Firejail was actually kept up to date, messing around with Firecfg seems unnecessarily difficult when the alternative is to just use a Flatpak.
Apparmor? Oh please. No one in their right mind wants to set that crap up.
mr_raider wrote: That sounds suspiciously "Windows-like", where every .exe ships with a ton of .dll files.
And the current situation in Linux is any better? Lots of dependencies for everything that may, or may not be installed automagically?

With Flatpaks the programs are sandboxed/isolated, which is as far away from Windows as you can get.

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by BenTrabetere »

frofrout wrote: LibreOffice - As a journalist (for example) you open attachments for a living, pretty much. Knowing the .doc can't conquer your computer is a pretty strong argument for using it as a Flatpak instead.
I think there is a place for Flatpak (Snap and AppImage), and I admit there are valid reasons for using one to run mainstream applications like LibreOffice or GIMP. My issue is replacing .deb with Flatpak (Snap and AppImage) as default package manager for mainstream applications.

I understand why the LibreOffice Flatpak might be attractive to a journalist, although I think running it in a virtual machine will offer much better protection against a rogue .doc conquering your computer. I installed the LO Flatpak, and the default directory was /Home/Documents, so it is accessing the resources outside its pretty sandbox.
frofrout

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by frofrout »

BenTrabetere wrote:
frofrout wrote: LibreOffice - As a journalist (for example) you open attachments for a living, pretty much. Knowing the .doc can't conquer your computer is a pretty strong argument for using it as a Flatpak instead.
I think there is a place for Flatpak (Snap and AppImage), and I admit there are valid reasons for using one to run mainstream applications like LibreOffice or GIMP. My issue is replacing .deb with Flatpak (Snap and AppImage) as default package manager for mainstream applications.

I understand why the LibreOffice Flatpak might be attractive to a journalist, although I think running it in a virtual machine will offer much better protection against a rogue .doc conquering your computer. I installed the LO Flatpak, and the default directory was /Home/Documents, so it is accessing the resources outside its pretty sandbox.
Well of course it should be able to access the documents folder. How else is the program supposed to work, at all? :?

Running a VM is something I doubt most journalists will be interested in doing. I'm a nerd and even I don't want to do it.

I also don't really see why you're so against Flatpaks when they are more secure and unlike the current LM system, they are updated regularly. This means Flatpaks would be beneficial for most people, most of the time. Ubuntu is making the leap into Snap and I feel it would be strange for LM to stick around with .debs when Canonical (rightly) seems to be convinced that Snap/Flatpak is the future.

Also I'm not saying every program should be a Flatpak. I've never heard of a 0-day against GIMP in all my life, but Thunderbird/Firefox/Chromium/LibreOffice would all greatly benefit from the sandboxing.
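
The last two posts disagree over whether a Flatpak that opens files in the Documents folder is still sandboxed; what an app can reach is declared in its permission metadata, which can be inspected. The following is an added example, not part of the thread: it parses that key-file format and flags broad `host` or `home` grants. The sample metadata is constructed and the function names are illustrative.

```python
import configparser

# Flatpak filesystem permission names that expose large parts of the user's data.
BROAD = {"host", "home"}

# Constructed sample in the key-file format that
# `flatpak info --show-permissions <app-id>` prints; not a real app's metadata.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=xdg-documents;xdg-download:ro;host;!xdg-music;
"""


def parse_context(text):
    """Return the [Context] section as {key: [values]}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep keys case-sensitive
    cp.read_string(text)
    if not cp.has_section("Context"):
        return {}
    return {k: [v for v in val.split(";") if v] for k, val in cp["Context"].items()}


def audit_filesystems(text):
    """List each filesystem grant as (path, mode, is_broad)."""
    grants = []
    for entry in parse_context(text).get("filesystems", []):
        if entry.startswith("!"):  # explicit denial, e.g. written by an override
            continue
        path, _, mode = entry.partition(":")
        mode = mode or "rw"  # no suffix means read-write
        grants.append((path, mode, path in BROAD))
    return grants


def is_confined(text):
    """True when no grant gives writable access to host or home."""
    return not any(broad and mode != "ro" for _, mode, broad in audit_filesystems(text))


if __name__ == "__main__":
    for path, mode, broad in audit_filesystems(SAMPLE):
        print(f"{path:15} {mode:6} {'BROAD' if broad else 'scoped'}")
    print("confined:", is_confined(SAMPLE))
```

A grant such as `xdg-documents` explains the behaviour described in the thread without giving the app the rest of the home directory; a `host` or `home` grant can be removed per app with `flatpak override --user --nofilesystem=host <app-id>`.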