undefined | Better HN

0 pointslawl5y ago0 comments

> but from the User perspective it seems like FlatPaks[1] are much better and address the issues that this article raises

This is interesting, because the last few days I was actually working on packaging an application of mine as a snap/flatpak.

From my PoV, they both have their fair share of issues.

Snaps enforce a sandbox, which I think is actually a good idea, because the desktop security model is somewhat broken. If your application cannot run as a sandboxed app, you need to be granted special permissions by canonical after manual review (my app needs this), where they also discuss if they can make a new permission in a safe way for your usecase that everyone can use afterwards.

On one hand this sucks because I need to ask canonical for permission to publish something, and there's no certainty that I will get these permissions as a nobody for a new app nobody ever heard of before. On the other hand, I think I like that they're doing something about the desktop security model.

The next problem is, if this is denied, how do I ship updates? Provide a self updater? Easy to write, but if everyone does that, we can just go full windows and abandon package managers. Tell people to just curl | bash? That's not more secure than a potentially shady snap.

But I do have to praise canonical for being very helpful in IRC and the forums for helping me debug issues and file bugs against snap stuff.

Now flatpak on the other hand, just feels kinda weird to me.

It sandboxes things, but every application can pretty much grant itself access to everything. This is a completely different philosophy, but if you rely on everyone tightly sandboxing their applications without granting themselves permissions for sandbox escape, I think something like landlock[0] (when it lands) or pledge is much more suited for this, and baked into the application.

Then there is this weird thing where flatpaks force a runtime on you. My application is a statically linked go binary. But flatpaks pretty much want to force me to add an entire freedesktop suite as a dependency, as you simply cannot choose no runtime.

(Community-)Support for building flatpaks? Pretty much non-existant.

So yeah, the entire linux upstream-packaging situation is still quite depressing honestly. And with the time and energy I have invested into this by now, I could have written a simple but sufficient self-updater about 10 times over.

[0]: https://landlock.io/

0 comments

31 comments · 8 top-level

still_grokking5y ago· 16 in thread

As a user I don't like neither Snaps (that for sure as this is Cannonical only) nor FlatPaks (as they seem conceptually a "80% solution" which combines the problems of package systems with the problems of self-contianed apps, but don't improve on anything).

For me the only acceptable solution besides proper .debs are AppImages. AppImage doesn't try to "replace" the package management for desktop apps like the former two candidates. It tries to complement package systems for some special cases (like for example commercial software, or for the cases where the user "just wants to try something out" without "polluting" the whole system with a lot of dependencies).

For my desktop needs AppImage is like "Docker, the good parts". A simple self contained format that runs everywhere without any further dependencies. Compared to that Snap and FlatPak are bloated annoyances.

arminiusreturns5y ago

AppImages are the only thing I run also, as a full time linux user and admin. I just hate the proliferation of questionable services, especially in systemd land. A lot of my focus is on minimization of stack, and snap and flatpak just don't stand up to scrutiny imho.

m4rtink5y ago

Appimage has its own issues though: - no update mechanism - no sandboxing and only basic app isolation - no deduplication (Flatpak automatically deduplicates everything it installs on a machine)

AnIdiotOnTheNet5y ago

AppImages do have an update mechanism:

https://docs.appimage.org/packaging-guide/optional/updates.h...

2 more replies

yellowapple5y ago

On the sandboxing front, it works great with Firejail: https://firejail.wordpress.com/documentation-2/appimage-supp...

lawlOP5y ago

I tend to agree with you, but I really like updating all my software with one click/command.

So out of curiosity:

My application is already self contained and statically linked, so no AppImage needed, but it behaves like one, you can just run download and run it everywhere. And so what you're describing will be for sure an option for those who like it (in fact currently it's the only option in alpha).

How would you like to get updates for something like this? Visit the website yourself occasionally to check for updates? Have the application notify you a new version is available? Have an integrated updater so the binary can update itself?

still_grokking5y ago

That's easy. It should be officially in Debian. ;-)

Stuff like AppImage, static binaries, Docker & Co are for me at least a kind of "last resort". Even I'm using Docker a lot[1] to try things out I first look for an AppImage in those cases. But when I decide that some app should become part of my system I will look for a proper package. One source to rule them all…

[1] Docker is a big problem on it's own. But as I can't avoid to have it installed because of work I decided I could use it at least to "keep experiments under control". Before I was forced to have Docker I've used systemd-nspawn for that use-case.

2 more replies

wahern5y ago

Plenty of software companies provide their own Apt repositories. Adding a repository is usually as simple as copying a single file to /etc/apt/sources.list.d/. Sometimes you may also need to add a GPG key, which can also be as simple as copying a file to /etc/apt/trusted.gpg.d/ (though most instructions seem to favor a manual one-liner that imports the key to the global database[1]). Technically you could automate both with a one-time deb install, though I'm not aware of anybody that actually does this. In any event, after that `apt-get upgrade` will upgrade third-party packages just as well as Debian or Ubuntu packages.

I much prefer Debian packages over RPM, and Apt over Yum/DNF, but unfortunately setting up a Debian package repository is more difficult than for RPM. The tools exist, and are more sophisticated and capable--for example, Aptly--but there's a higher learning curve. Also, good luck using them outside Linux. Years ago I published Debian package repositories from OpenBSD, but I had to manually hack the relevant tools to build and work on OpenBSD. For RPM/Yum I could have more easily written (and at a different job later did) an indexing tool from scratch.

The problem with Debian packages and Apt repositories isn't that they're not capable, it's that they have high learning curves due to the slow accretion of features that obscure their potential. A better tooling story would help, particularly for repositories. Better tools for initializing Debian package builds exist; the problem is more a surfeit of choices.

[1] It's more complicated and creates unnecessary headaches than dropping a file into trusted.gpgp.d, but the practice seems to reflect the opacity of the Debian packaging ecosystem. There's a better, simpler way to do it, but everybody cargo cults the same old solutions and then complains that it's too complex or inelegant.

AnIdiotOnTheNet5y ago

Personally, I rarely think about updating my software unless there's a new feature I need or a fix for a bug that's been ruining my life, so just visiting the website when to check for new versions is fine by me.

However, you could also include a facility to manually check for updates and either self-update or just show the changelog. Why manually? "I know you're about to do this thing real quick that needs to get done, but a new version is available! Would you like to twiddle your thumbs for 5 minutes while watching a progress bar?".

2 more replies

dflock5y ago

most AppImages seem to auto-update themselves when you run them, which is convenient, until it isn't.

I'd want it in an apt repo, really.

1 more reply

yellowapple5y ago

> How would you like to get updates for something like this? Visit the website yourself occasionally to check for updates? Have the application notify you a new version is available? Have an integrated updater so the binary can update itself?

I've seen all three approaches with AppImage'd software.

There are also package managers specifically for AppImage'd software, though it doesn't look like any of 'em are particularly mature.

baldfat5y ago

FlatPack was made to address two things focused on security:

1) Application won't need root privileges

2) Without compromising on the systems security

cies5y ago

Some kernels, e.g. Linux, were also made to do just (that amoung other things).

I think fixing what we have in standard kernel/userland, and leaving the containers for specialized developer/devops deployed workloads may well be where this (what will be known as the snap/flatpack saga) started from, and will end as well.

Sir_Substance5y ago

I also prefer appimages as the "least worst" of the three.

However, a quick note: As someone who unofficially maintains a linux port of my companies software, I have considered packaging it as an appimage, but there's one problem with appimages that kills the concept.

Appimages are read-only[1]. I'd love to package my companies product that way, but we already have update-delivery infrastructure that works on windows and mac (and linux), and it assumes it can write to the "install folder". Changing the entire update infrastructure specifically for an OS we don't officially support is a non-starter.

From a developer perspective, I would love the ability to update an appimage's contents in place. However, as a user I'd also like the ability to set it read-only to block updates if I desire. Flatpak's mandatory updates are one of the key reasons I dislike it. Never the less, if the goal is to smooth the path for proprietary software to support linux without making half a dozen different packaging solutions, in place updates need to be supported.

[1] edit: according to comments below, they now have an update mechanism, but it's still a totally appimage-specific process, so my problem remains :/

rezonant5y ago

AppImage is the format I'm using for distributing Linux apps as well, for many of the reasons you mention

saurik5y ago

Is "I just give you a tgz with small folder of files, one of which is a binary; I managed to make it run just about everywhere" worse than AppImage (notably, for a GUI app)?

yellowapple5y ago

That's basically what an AppImage is, except that an AppImage goes one step further and slaps that tarball onto an executable that opens its embedded tarball and runs whatever's inside.

inetknght5y ago· 3 in thread

> The next problem is ... how do I ship updates?

...why not make a new release and ship that? That's the way package managers work. Developer makes a package. User installs the package. Then when developer fixes some bug and releases a new version the user can install the new version when the user decides it's necessary.

The whole point about this is that it's user-centric. That's good.

danielheath5y ago

It’s largely a good thing but it’s unreasonable not to mention the “flood of bug reports about issues that have since been fixed” effect that comes with manual updates.

This has burnt a few projects pretty badly (especially where distros have packaged an old version and never updated it).

catalogia5y ago

Taking power away from users to address that inconvenience may be the status quo in the proprietary software industry, but it's totally over the line for user-respecting FOSS software. Not least because, once a developer acquires that power over users they very frequently succumb to the temptation to abuse their userbase as involuntary beta testers for half-baked bullshit which users struggle to opt-out of.

1 more reply

michaelmrose5y ago

Make the user report their current version in the reporting dialog. Automatically close all reports for prior versions and inform the user to update and revisit.

dcow5y ago· 3 in thread

`curl | bash` gets a bad wrap. From a security perspective (assuming you trust web pki), it's 100% no different than a) downloading and running a script, b) downloading a package and and installing it, c) downloading a binary blob and executing it, etc. I actually find that piping an install script to an interpreter is the easiest to audit of all the options because I can see exactly the changes that will be made to my system. I don't know where the whole "zomg pipe to bash is so insecure" vibe came from, but it's effectively developer urban myth. The only improvement is if you somehow directly exchange keys with the vendor out of band with no web pki intermediate step and then verify the signature on the software you're installing... yeah.

sergeykish5y ago

You fail to see how piping to bash worse than other awful choices? It is not.

It is bashed by those who value reproduction and discoverability:

* every person receives same script, confirmed by signature

* multiple mirrors, no single point of failure, no pull out by author (left-pad)

* no silent update (browser addons)

* tested to work on your system

* clean remove of installed files

* search in packages not in web (anti fishing)

* hosted in secure environment

* watched by many eyes

lmm5y ago

> The only improvement is if you somehow directly exchange keys with the vendor out of band with no web pki intermediate step and then verify the signature on the software you're installing... yeah.

Which is what Apt has done for 20+ years - packages are gpg-signed, developers sign with their individual keys (and have to have their identity verified by at least one other developer) and even someone who controls a root CA (which is most national governments and many large corporations, let's be fair) would have to mount a dedicated attack to subvert that process.

shock5y ago

> Which is what Apt has done for 20+ years - packages are gpg-signed, developers sign with their individual keys

AFAICT,debian packages themselves are not signed, just the repository release files are gpg-signed.

d1plo1d5y ago· 1 in thread

I'm in a similar boat with regards to launching a new, unknown product in the snap store. As an interim solution I'm planning to ask users to do use the beta flag: `snap install my-app --beta` which gets me around the secure sandbox requirements.

galgalesh5y ago

Did you mean devmode instead of beta?

Just wanted to easy one worry of you: the age, popularity and maturity of your application has no influence on whether or not these permission requests are granted. The approval process is formally defined and mostly depends on what your application does exactly.

You can find the specific processes in the docs at the bottom of this page: https://snapcraft.io/docs/permission-requests

m4rtink5y ago

Flatpaks deduplicate everything - all flatpak apps and all flatpak runtimes installed on a machine agains each other. So if you specify the basic freedesktop.org runtime, it is effectively a no-op as pretty much everyone will have it already installed, due to most of the other runtimes being based on it and most flatpak apps needing a runtime.

As for sandboxing with Flatpal - AFAIK this is all intentional for the time being. The authors have ckearly statet their initial effort targets app dependency isolation and app portability, not security just now. That is much harder to do without severely limitting useful applications in what they can do.

I have encountered incomplete sandboxing systems that strived for security in past and it has not been a good experience.

For example I had the onr and only official Ubuntu Touch tablet, which used a predecessor of the Snap technology. One day I wanted to show my friends a couple photos from a micro SD card. I put it in to the tablet, bit no photo viewing app could show photos from the card.

Why ? Because back then you could only open files from outside of the apps sandbox one by one using a special system controlled dialog. Not really usable for hundreds of photos and forget about a text editor or an IDE.

This is where I like Flatpak - it gives you all the goodies of app separation and portability without all the hassle of a strict but unfinished secure sandbox. You only need to make sure you are getting the software from thrusted sources.

A I think that's something one should be doiny anyway, even with a strct sandbox - if it can't support basic app use cases, who knows what security holes have the authors left in it...

1_player5y ago

> Then there is this weird thing where flatpaks force a runtime on you. My application is a statically linked go binary. But flatpaks pretty much want to force me to add an entire freedesktop suite as a dependency, as you simply cannot choose no runtime.

That's a weird criticism to have of Flatpak. The FreeDesktop dependency is the base set of libraries all flatpaks have access to. You don't have to use it. In fact Freedesktop is a great idea, to provide a base framework applications can use that goes further than just libc. If we want Linux on the desktop, we need a common desktop framework interface.

It would be like being unhappy a static go binary on Windows COULD access all of the win32 libraries.

Also, Flatpak currently is best suited to GUI apps. If your go binary is a GUI app using either GTK or KDE, these will need the freedesktop facilities (such as D-Bus) to actually run properly.

kevincox5y ago

For sandboxing the user is supposed to decide if they will give you access to the permissions that you requested. Now in practice most FlatPak apps don't use sandboxing but hopefully that will change and permissions are treated with scrutiny.

galgalesh5y ago

In case this eases your worries: the approval process for permissions is formalised and does not depend on how mature or well-known the app is.

In addition: users always have the option to override permissions. The approval process is for automatic (default) permission grants. Even if these are not granted, users can grant them manually.

The specific processes for approval are listed at the bottom of this page: https://snapcraft.io/docs/permission-requests

j / k navigate · click thread line to collapse

0 comments

31 comments · 8 top-level

still_grokking5y ago· 16 in thread

arminiusreturns5y ago

m4rtink5y ago

Appimage has its own issues though: - no update mechanism - no sandboxing and only basic app isolation - no deduplication (Flatpak automatically deduplicates everything it installs on a machine)

AnIdiotOnTheNet5y ago

AppImages do have an update mechanism:

https://docs.appimage.org/packaging-guide/optional/updates.h...

2 more replies

yellowapple5y ago

On the sandboxing front, it works great with Firejail: https://firejail.wordpress.com/documentation-2/appimage-supp...

lawlOP5y ago

I tend to agree with you, but I really like updating all my software with one click/command.

So out of curiosity:

still_grokking5y ago

That's easy. It should be officially in Debian. ;-)

2 more replies

wahern5y ago

AnIdiotOnTheNet5y ago

2 more replies

dflock5y ago

most AppImages seem to auto-update themselves when you run them, which is convenient, until it isn't.

I'd want it in an apt repo, really.

1 more reply

yellowapple5y ago

I've seen all three approaches with AppImage'd software.

There are also package managers specifically for AppImage'd software, though it doesn't look like any of 'em are particularly mature.

baldfat5y ago

FlatPack was made to address two things focused on security:

1) Application won't need root privileges

2) Without compromising on the systems security

cies5y ago

Some kernels, e.g. Linux, were also made to do just (that amoung other things).

Sir_Substance5y ago

I also prefer appimages as the "least worst" of the three.

[1] edit: according to comments below, they now have an update mechanism, but it's still a totally appimage-specific process, so my problem remains :/

rezonant5y ago

AppImage is the format I'm using for distributing Linux apps as well, for many of the reasons you mention

saurik5y ago

Is "I just give you a tgz with small folder of files, one of which is a binary; I managed to make it run just about everywhere" worse than AppImage (notably, for a GUI app)?

yellowapple5y ago

That's basically what an AppImage is, except that an AppImage goes one step further and slaps that tarball onto an executable that opens its embedded tarball and runs whatever's inside.

inetknght5y ago· 3 in thread

> The next problem is ... how do I ship updates?

The whole point about this is that it's user-centric. That's good.

danielheath5y ago

It’s largely a good thing but it’s unreasonable not to mention the “flood of bug reports about issues that have since been fixed” effect that comes with manual updates.

This has burnt a few projects pretty badly (especially where distros have packaged an old version and never updated it).

catalogia5y ago

1 more reply

michaelmrose5y ago

Make the user report their current version in the reporting dialog. Automatically close all reports for prior versions and inform the user to update and revisit.

dcow5y ago· 3 in thread

sergeykish5y ago

You fail to see how piping to bash worse than other awful choices? It is not.

It is bashed by those who value reproduction and discoverability:

* every person receives same script, confirmed by signature

* multiple mirrors, no single point of failure, no pull out by author (left-pad)

* no silent update (browser addons)

* tested to work on your system

* clean remove of installed files

* search in packages not in web (anti fishing)

* hosted in secure environment

* watched by many eyes

lmm5y ago

> The only improvement is if you somehow directly exchange keys with the vendor out of band with no web pki intermediate step and then verify the signature on the software you're installing... yeah.

shock5y ago

> Which is what Apt has done for 20+ years - packages are gpg-signed, developers sign with their individual keys

AFAICT,debian packages themselves are not signed, just the repository release files are gpg-signed.

d1plo1d5y ago· 1 in thread

galgalesh5y ago

Did you mean devmode instead of beta?

You can find the specific processes in the docs at the bottom of this page: https://snapcraft.io/docs/permission-requests

m4rtink5y ago

I have encountered incomplete sandboxing systems that strived for security in past and it has not been a good experience.

A I think that's something one should be doiny anyway, even with a strct sandbox - if it can't support basic app use cases, who knows what security holes have the authors left in it...

1_player5y ago

It would be like being unhappy a static go binary on Windows COULD access all of the win32 libraries.

Also, Flatpak currently is best suited to GUI apps. If your go binary is a GUI app using either GTK or KDE, these will need the freedesktop facilities (such as D-Bus) to actually run properly.

kevincox5y ago

galgalesh5y ago

In case this eases your worries: the approval process for permissions is formalised and does not depend on how mature or well-known the app is.

In addition: users always have the option to override permissions. The approval process is for automatic (default) permission grants. Even if these are not granted, users can grant them manually.

The specific processes for approval are listed at the bottom of this page: https://snapcraft.io/docs/permission-requests

j / k navigate · click thread line to collapse