
The modern Linux package formats

By ProngsDark | The Linux Monitor | 6 Mar 2020


Taking a look at modern Linux package formats

In this article we will be discussing the benefits and drawbacks of modern package formats in Linux and we will take Flatpak as a particular case due to its popularity among desktop Linux users.

The three main popular formats right now are:

  • Flatpak 📦
  • Snap 🐦
  • AppImage ⬇️

The logo of each format


General characteristics and features of modern formats 📝

I think that the biggest feature all these new formats bring to the table is security, which is by no means a small thing. They try to achieve security through a method called sandboxing, which in theory should isolate apps from other programs and keep them from accessing critical system resources. While this seems nice on paper, a desktop application can't live without certain rights, like accessing the filesystem to read and write files. Flatpaks achieve security by heavily restricting what an app can or can't do: by default an app cannot access anything on your computer except its own runtime environment.

However, as I've mentioned earlier, this type of constraint is unrealistic and, even worse, it makes apps useless. Restrictions this strict are fine only in theory. Any developer can extend the reach of their app into your filesystem by passing a few command line arguments like:

  • --filesystem=host

  • --filesystem=/{path}/{path}

When paired with other permissions like --device=all, which gives an app access to a whole range of devices connected to your computer, such as sound devices (e.g. the microphone) or webcams, you can clearly see the major flaw of these sandboxed apps: they rely on the benevolence of developers, and we need to trust that their code doesn't do anything malicious or unethical.

But if the app is open source then I can see that it doesn't do anything wrong ⚖️

In theory, yes, you can. In practice, everyone who is in the business of programming might have noticed how, over the last decade, apps have become incredibly big and complex. I am talking about those really great, big apps that do lots of things (I will give you examples later when I talk about some apps). Realistically, you can't review a whole app like that as an individual and expect to use it in the next year or two, since there is a huge amount of code to review and those apps are always changing.

Besides, there are a lot of apps that are proprietary but are packaged using Flatpak, like Spotify, which is one of the most popular apps on Flathub, the central place for getting flatpaks.

Flathub

As we are about to see in the next pictures, there is a major flaw in the design of Flathub that in turn weakens the security of flatpaks.

Spotify on Flathub; Spotify info on Flathub

I think it becomes clear that the licensing model, while present, is hardly visible and hard to distinguish from the rest of the information that is displayed. The fact that you need to scroll in order to see this piece of information is another flaw in the design of Flathub. The install button at the top of the page is integrated with at least the GNOME store, which is the default app store in major Linux distributions like Fedora, which I guess is one of the distributions that heavily uses flatpaks, so all a user needs to do is click that button and install the app. Most certainly there are people who run apps like these and don't know they are proprietary. Even if they are educated on how licensing works, a lot of people probably just think that since the app is in a store like Flathub it must be open source software, especially if said software is less known to the user.

If Flatpaks are no better than legacy packages then why use them? 👨🏼‍💻

Let's consider the following scenario: you have an app that is used by thousands of people and has an undiscovered vulnerability. With proper confinement, even if an attacker found a way to exploit said vulnerability, it would be useless. Let's say that the vulnerability would allow anyone to turn your microphone on and send everything it records to the attacker. A flatpak with the right permissions makes it impossible for anyone to exploit this vulnerability if the package was configured without access to your microphone. While the problem is still there and the app still has an active attack vector, for the user this is irrelevant, since the packaging method isolates the app from their system and therefore from their peripheral devices.
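Added example (not part of the original article): a small POSIX shell audit of the sandbox permissions a Flatpak app ships with, in the [Context] keyfile format that flatpak info --show-permissions prints, flagging the broad grants discussed above (--filesystem=host, --device=all) that would expose the microphone in the scenario just described. The metadata file and the app id org.example.DemoApp are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): audit the [Context] section that
# `flatpak info --show-permissions <app-id>` prints and flag the broad grants
# the article discusses (filesystem=host/home, device=all, full D-Bus access).
# The metadata below is CONSTRUCTED; org.example.DemoApp is a placeholder id.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
[Application]
name=org.example.DemoApp
runtime=org.freedesktop.Platform/x86_64/19.08

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=host;xdg-download;
EOF

# audit_permissions FILE: print "BROAD: key=value" for each risky grant in
# [Context]; return 0 if the sandbox is tight, 1 if any broad grant was found.
audit_permissions() {
    found=0
    in_context=0
    while IFS= read -r line; do
        case "$line" in
            "[Context]") in_context=1; continue ;;
            "["*"]")     in_context=0; continue ;;
        esac
        [ "$in_context" -eq 1 ] || continue
        key=${line%%=*}
        old_ifs=$IFS; IFS=';'
        for v in ${line#*=}; do          # values are ';'-separated
            case "$key:$v" in
                filesystems:host|filesystems:home|devices:all|sockets:session-bus|sockets:system-bus)
                    echo "BROAD: $key=$v"; found=1 ;;
            esac
        done
        IFS=$old_ifs
    done < "$1"
    return $found
}

if audit_permissions "$SAMPLE_FILE"; then
    echo "sandbox is tight"
else
    # A user-level override tightens the sandbox without repackaging, e.g.:
    #   flatpak override --user --nodevice=all --nofilesystem=host org.example.DemoApp
    echo "broad grants found; consider a flatpak override"
fi
```

On a real system, replace the constructed file with the output of flatpak info --show-permissions for the app you want to check.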


How does Flatpak compare to the other two formats (from the user's perspective)?

AppImage ⬇️

From the user's perspective, the easiest to operate is the AppImage format. You download your AppImage and you have an app. You don't like the app? You drag the AppImage to the recycle bin; it's that simple. This format bundles everything the app needs into one file, so you don't have to worry about installing things, downloading components, or not having God knows what dependency installed; everything is there. In practice, however, AppImages are not well integrated into every Linux distro out there. For example, on my laptop running Manjaro 19 with KDE Plasma, I couldn't get most AppImages to show in the navigation menu. To start them I would have to open the file browser and go to the folder where I had put them. It felt more like operating with files instead of apps, which is slow and unintuitive.

Snaps 🐦

Snaps are more like traditional packages: you download them from a store and then they install to your machine. I will be honest with you and say that I haven't used snaps in a long time, so maybe the folks over at Canonical have fixed this by now, but snaps really lacked integration with the desktop environments. Maybe they looked good on Ubuntu, I can't be sure since I also haven't used Ubuntu in a long time, but I remember that trying to use snaps in other distros was hurting my eyes. The fonts were different from my system's, the app theme was different, even the cursor theme was changed. Snap seemed to me like a more server-oriented package format, for an environment where people might not exactly care about how the app looks but about how it behaves, plus the benefit of confinement.

Flatpaks 📦🚛

Last but not least, let's talk about Flatpaks. The integration with the rest of the environment is great; I had no problems with them in that regard. The flatpak system is actually so smart that it will detect your theme and download a flatpaked version of that theme to be used by your apps. The community is clearly more passionate about flatpaks and the people involved are more desktop-oriented, and you can see that in the Flathub repository, where there are a lot of apps that cater to the desktop user, like Spotify, LibreOffice and GIMP, in other words GUI apps. While you can find some such apps in the Snap store, there you will also find programs that are made for the command line, like npm or Docker. You won't find a Docker flatpak version.

Flatpak drawbacks 

The main problem with flatpaks, in terms of them being a viable alternative to traditional means of software distribution, has to be their size. Developers make their apps using different SDKs and, more importantly, different versions of the same SDK. The way that flatpaks are made means that along with the app, which is by no means light these days, you will also have to install the other runtimes that the app depends on. If other apps depend on runtimes that you already have, then you are in luck and you don't have to re-download them; however, if another app depends on a different version of a runtime that you have, then you have to download that version too. This results in an increased effective size of a flatpak application.

But this is not always bad. Since you have the runtimes downloaded along with the app, this ensures a greater degree of compatibility. If you want to run older apps in modern environments, then in theory flatpaks should work flawlessly.


A conclusion, pro or against flatpaks? 🔐

I guess a better question would have been pro or against the new methods of sandbox packaging. The answer is definitely pro. I have to be honest with you, the reader: I don't use any of the three formats at the moment. I have used them in the past, and I use them in Linux distros where the software selection might be lacking in any way, but right now, using Manjaro, I feel like the disadvantage of not having my apps isolated from my system is outweighed by things like ease of installation, large software selection, reduced size, etc.

I closely watch the development of these new methods of software packaging and I do have high hopes for them. I think they are the future, and the world of computing is evolving into a much more secure and safe environment for everyone.
