Users who don't want redundant dependencies will probably prefer AUR packages. It can also be nice to manage all the packages with just the helper app. I try to install the binaries of apps from the AUR if they're available to avoid the long build times.
An AUR package has been done for Arch by (supposedly) someone who knows what they are doing and needs it on their Arch Machine
A Flatpak is something done by someone, to (supposedly) work everywhere, untested on Arch, that may or may not work. And crash (Ardour on Asahi). Or waste hours or you life to render files incorrectly (kdenlive on arch and asahi).
Native versions work perfectly.
I thought I was clever in using arch/aur for everything, but pull KDE or QT apps from Flatpak to keep my gnome install a bit more tidy... For this, you'd have to have those Flataks to work, and sometimes they don't.
To be fair, there are a lot of Flatpacks published by the devs themselves (especially in the Gnome/GTK ecosystem).
on my arch-based systems, i use repos first, aur second. appimages third. i do also have a couple minor things (that are self-contained with no dependencies) that were just 'unzipped' into their own directories and links added to menus where appropriate. note that i don't game on these systems. i don't have a lot of aur packages installed, so updates and subsequent recompile time isn't an issue.
i have yet to run into anything i want or need that isn't available in those. so no flatpaks or snaps.
AUR for niche stuff, Flatpak for everything else.
I personally prefer Flatpak because:
- It's simple
- It's the recommended way of installation for most distros, especially image based ones, like Fedora Atomic for example
- It's accessible for everyone more easily
- It works most of the time
I use the AUR in a Distrobox container for software I can't find any other installation method. For me, it's to cumbersome to hop into the terminal and proceed with the installation.
For Flatpaks, it's just one click and it's done.
The AUR is the best thing about Arch. yay -Syu and everything is updated. Painless.
I tend to use binary packages to avoid long compiles. If an update includes something that is going to take a while, I often exclude that package from the update. After everything else is updated, I can run it again to get the last package or two. They can just run in the background while I do other stuff. If it is a program I am going to use right away, I may put off the update of that package until I am done my session. This is pretty common with JetBrains updates for example.
I do not have a single Flatpak.
I am using both of them without any problem.
The main advantage of Flatpaks (and things like AppImage) is that you have a single "executable" with everything you need and sometime that is useful even if the software is Opensource but the building dependencies are a nightmare. Subsurface (a dive log software) is an example.
If the AUR package is a simple build (or a binary which is a converted package) then go for it. If you need to start building a lot of additional package from AUR to meet the dependencie then I would suggest, in order, to look for the Flatpak (or AppImage) package or to install an helper to build the packages
Nonfree software does not have the ability to be rebuilt on each update anyway, since it's distributed as pre-built binaries. So they won't build anyway.
I tend to use AUR packages where possible if the package is not in the official repos. Only if the AUR package is broken do I turn to flatpaks.
Right. So my priority should be like this:
Proprietary: Flatpak
Open Source: Official Repo then AUR
My priority is: Official repo, AUR then Flatpak.
No matter what license it is. Although, if I need microsoft stuff I usually go flatpak there, so it's sealed off.
Alright, got it. Thanks.
This. Flatpak also provides additional privacy and security features to at least somewhat keep that proprietary garbage under control
AppImage !
- Open format? Yes
- Free format? Yes
- Fully Contained Single Executable Support . Like an exe file for Windows systems Yes (the only one)
- App Size** The lowest** !
https://en.wikipedia.org/wiki/AppImage
Matrix
https://www.fosslinux.com/42410/snap-vs-flatpak-vs-appimage-know-the-differences-which-is-better.htm
https://phoenixnap.com/kb/flatpak-vs-snap-vs-appimage \
Why would the app size be the lowest? I could maybe see that for one single AppImage (though I don't expect a significant difference), but as soon as you have two or more apps, sharing dependencies would make Flatpaks smaller than AppImages.
Aren't AppImages still limited to Xorg?
Also there's no centralised update mechanism or dependency deduplication, no?
I use Silverblue and in general I like their philosophy. For other distros, it can be summed up as:
- Flatpaks for GUI applications
- Your choice of package manager for everything else
On Silverblue anything non-Flatpak is best installed inside a container. On a non-atomic distro I'd just install using the system's default package manager.
Flatpak.
I am on Fedora so the equivalent is COPR.
Flatpaks can be built pretty messy, use outdated runtimes or even entirely outdated dependencies.
It is pretty creepy, I digged down the pyramid of dependencies of OnionShare once and that thing is huge, some projects are archived, some had new releases but it still uses the old versions.
Native packages might not bundle all that in, which means more effort but especially more updated packages.
The sandbox is determined by the packagers, and a mix between "dont make it too loose" and "dont break use cases". For example many big projects without portal support have host
permission to access your theoretical SMB shares or external media.
But yes, the bubblewrap sandbox is there, it prevents apps from manipulating the system, the syscalls are a bit restricted via a "badness enumerating" and pretty loose seccomp filter.
This prevents all apps from creating user namespaces, which are like chroots and create a small virtual filesystem for processes. They are used in FF and Chromium for sandboxing. But Firefox also uses seccomp-bpf which works within a flatpak.
If you want a Chromium browser, it should be native. Firefox arguably too, as it gets another layer of sandboxing. But Flatpaks are isolated from the system.
Have a look at bubblejail, which allows to sandbox programs from the OS with bubblewrap, but with a custom filter that can allow user namespaces.
I always use Flatpak over AUR.
AUR is my last resort
Personally I tend to go AUR first, then Flatpak and then Appimage if there's no other choice. Snaps never lol
The reason being, I find that Flatpaks sometimes have issues with not being able to access certain things in the filesystem which can cause problems. That's presumably by design since they're sandboxed and you can fix it with Flatseal or whatever, but it's an extra level of fiddling that I can't always be bothered with. I do prefer Flatpaks for certain things that are messy with dependencies though (looking at you, Steam.) Appimages I don't really like because I hate having to go and check manually for updates for each one, it feels too much like Windows to me. But there are a couple of things that only have Appimage versions so I'll suck it up.
Snaps I just find to be a huge pain in the ass, and I've never found an app I need that doesn't already have a version on the AUR or as Flatpak or an Appimage, so I really have no need for them.
Appimages I don’t really like because I hate having to go and check manually for updates for each one, it feels too much like Windows to me. But there are a couple of things that only have Appimage versions so I’ll suck it up.
Oh that's handy, thanks! I only have like 3 things as appimages but I already switched them over lol
It's not like the AUR packages need recompiling after every update, so I'm using standard Arch repos + AUR and that's it.
Everything will be using the same (bleeding edge) dependencies, so if something breaks, I can find what changed and fix it and / or roll-back and / or report it to the dev.
I've been down this whole scenario with Windows back in the day... DLL hell, InstallShield packaging, compiled zips, weird %PATH% sets for execution, the lot... and at the end, it's always simpler to use common libraries and work with the devs to fix bugs - after all, they're usually developing on a "normally" packaged system anyway.
I usually do distro repos, followed by aur, then flatpak if the aur version is too cumbersome (e.g. obs, game emulators). Funnily enough I use steam native because when I was using the flatpak. I had trouble with mods and things of that nature. A lot of that stuff either needs to be moved to different locations, straight up doesn't work, or requires a bit of permission fiddling and I just didn't wanna go through that. On the other hand. I believe there was a glibc issue on Arch that broke all games on steam native for a couple of days which the flatpak didn't suffer from. Just goes to show nothing is perfect either way.
both is good
Flatpaks don't securely download. Use your native package manager
In what way don't they "securely download" ?
No cryptographic signature verification, like most package managers have
That doesn't seem to be true? https://flatpak-testing.readthedocs.io/en/latest/distributing-applications.html#gpg-signatures
The link you sent says that its an option that can be turned on or off. Also, that's for uploading. Doesn't say anytbify about verification of downloads.
From the page:
It is recommended that OSTree repositories are verified using GPG whenever they are used. However, if you want to disable GPG verification, the --no-gpg-verify option can be used when a remote is added.
That is talking about downloading as well. Yes, you can turn it off, but so can you usually do it with native package managers, e.g. pacman: https://wiki.archlinux.org/title/Pacman/Package_signing
where does it say this applies to downloads too?
I'm confused why you think it would be anything else, and why you are so dead set on this. Repos include a signing key. There is an option to skip signature checking. And you think that signature checking is not used during downloads, despite this?
Ok, here are a few issues related to signatures being checked by default, when downloading: https://github.com/flatpak/flatpak/issues/4836 https://github.com/flatpak/flatpak/issues/5657 https://github.com/flatpak/flatpak/issues/3769 https://github.com/flatpak/flatpak/issues/5246 https://askubuntu.com/questions/1433512/flatpak-cant-check-signature-public-key-not-found https://stackoverflow.com/questions/70839691/flatpak-not-working-apparently-gpg-issue
Flatpak repos are signed and the signature is checked when downloading.
It's OK to be wrong. Dying on this hill seems pretty weird to me.
If its not documented, we shouldn't assume it has a security feature.
You know what else we shouldn't assume? That that it doesn't have a security feature. And we additionally then shouldn't go around posting that incorrect assumption as if it were a fact. You know, like you did.
Oh, we should absolutely assume that software does not have security features unless those features are clearly documented (and audited)...
Feel free to assume that, but don't claim an assumption as a fact.
You recommended using native package managers. How many of them have been audited?
people prefer AUR over Flatpaks. Why?
Some stuff doesn't work as Flatpak, or I actually prefer for it to be compiled against what's actually on my system rather than a generic one-size-fits-all binary, or simply isn't in Flatpak.
Flathub is tiny (under 3k packages), AUR has over 85k – and yes I know that many of those are abandoned or maintained very loosely but even if you only count the packages updated in the last year that's still over 10x bigger than Flathub.
Examples: kernel modules, CLI tools, libraries, versions of apps compiled against old UI frameworks (like Claws-Mail with GTK2), obscure apps, drivers for obscure hardware, stuff with dubious legal standing like file sharing apps etc.
how do y'all cope with waiting for all the AUR installed packages to rebuild after every update?
I don't. I disabled AUR updates and only update AUR packages when they break. Sometimes if I'm bored I'll run a pamac checkupdates --aur
and do a pamac build <package>
on anything I see there that might be interesting to have a new version of. But most of the time like I said I wait for them to break, which happens surprisingly seldom.
Alacritty takes ages to build for me.
Yeah some apps are ridiculous. Pika Backup is another example, RPCS3, and so on. For some of those I actually resort to Flatpak.
The choice is not always so clear cut because Flatpak stuff will tend to have random features present or missing. For example a while ago the Flatpak Handbrake could do accelerated encoding on the GPU, now it can't. So I was forced to go back to native Handbrake.
AUR just for the essentials , I just use AUR for my Epson Utility
Linux
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0