Flatpaks / Snaps / AppImages aren't the solution
Posted by SaltyMaybe7887@reddit | linux | View on Reddit | 61 comments
One major issue with Linux distributions is that for each piece of software, there's a package for Debian, Arch, Fedora, Ubuntu, etc. Binaries are usually compiled dynamically linked (as opposed to statically linked), which means the libraries aren't contained in the binaries themselves, rather they're linked to system libraries. Therefore, you can't just run a binary from your Arch system on a Debian-based system. Many people say the solution to this issue is Flatpak, Snaps, and AppImages. These don't really address the real problem though. The actual solution is compiling statically linked binaries. This would also make it easier for developers to make binaries for Linux knowing they can be ran on any distribution.
darth_chewbacca@reddit
This introduces a much bigger and much worse problem.
Bulky-Pianist6049@reddit
which is?
darth_chewbacca@reddit
It's a potential security timebomb.
Lets say you have a bunch of applications, all of which use libfoo. Now lets say a security vulnerability was discovered in libfoo.
On a non-static distribution, libfoo.so is updated, all applications are now patched against that vulnerability.
On a static distribution, every single application needs to be recompiled against a patched version of libfoo.a. If one application is overlooked, the system is vulnerable.
KittensInc@reddit
This isn't a problem for distro-provided packages. Packages already have to explicitly list their dependencies, and they are built in isolated clean environments. This means you know exactly which libraries each package depends on, so setting up a pipeline to automatically rebuilds all dependencies when a library gets updated is reasonably easy. You cannot "overlook" anything because you don't even have to look at it.
A bigger issue is the sheer scale of a rebuild. An issue in OpenSSL could lead to thousands of packages needing a rebuild, saturating the build servers for quite some time. Similarly, each machine now needs to downloads several hundreds of megabytes of updated packages, rather than just a megabyte or two of OpenSSL.
SuXs@reddit
This guy has never heard of software distribution.
Did you read what the previous poster wrote ? Do you understand that not everyone has time/resources to create build and distribute new version of their software every time some dude upstream fixes a single line of code ?
Statically linked library is garbage. It's literally why windows is a security cheese with non-stop garbage updates that don't fix anything and break everything. Why would you want that software distribution model in your operating system? Do you understand what we are saying ?
KittensInc@reddit
Have you never heard of "automation"? Compilation and distribution is almost entirely automatic these days. It is trivial to set it up in such a way that you click one button, and everyone gets all of their updated apps automatically. That's pretty much how every single Linux distro has their packaging set up. There is literally zero difference from that one button recompiling a single dynamic library, or that one button recompiling dozens of apps!
If you're manually building and distributing software, you have no business running a distribution.
SuXs@reddit
~Do you understand that..~ I give up you know what ? If you like statically linked everything just stick to Windows. Apparently that's what you think is the superior distribution model. Make sure to Avoid Mac and Android too.
Some people are just too far up their arses to understand basic concepts.
Bulky-Pianist6049@reddit
Someone might argue that this way of thinking is the cause of dependency hells.
Also, flatpak doesn't work that way. Every app has it's own dependency chain so if one app requires dep 1.2 and another one requires dep 1.3, dep is installed two times for each app.
Patient_Sink@reddit
The vast majority of libraries used by flatpaks come from the runtimes which are updated independently. If an app needs earlier versions then they usually just use an older runtime, which can still be updated with security patches.
darth_chewbacca@reddit
Dependency hell is a smaller issue than a security timebomb.
Ok, so Flatpak, et. al isn't the final answer. They add sandboxing (not sure appimage does...) capabilities which give them an edge, but they have work to do; However, just because Flatpak & Snap aren't perfect doesn't make static compilation "The actual solution".
Static compilation is very much a worse move than Flatpak & Snap.
mwyvr@reddit
Adding this to the mix
https://blogs.gentoo.org/mgorny/2021/02/19/the-modern-packagers-security-nightmare/
cac2573@reddit
IMO this post is a borderline rule 4 violation.
Antique-Clothes8033@reddit
Trying to start a flamewar?
darth_chewbacca@reddit
vim > emacs. spaces > tabs
Come at me bro!
/s
LowOwl4312@reddit
This but the opposite
NoRecognition84@reddit
vi > vim
damn kids and their new fangled text editors. /s
SaltyMaybe7887@reddit (OP)
How?
Business_Reindeer910@reddit
This is not a unique take. You should have searched first.
SaltyMaybe7887@reddit (OP)
I know it's not a unique take. Never claimed it was. I want more discussion about statically-linked binaries which is why I posted this.
TotallyNotARuBot_ZOV@reddit
So why do you think you have anything more to add than previous discussions?
SaltyMaybe7887@reddit (OP)
Like I said, this is just discussion. Not claiming to have thought of anything new.
TotallyNotARuBot_ZOV@reddit
This discussion does not have any value. You don't have new or interesting insights, you also don't seem to have the necessary background to understand why Flatpak, Snaps, and AppImages have been developed, you don't even understand what the point of them is.
SaltyMaybe7887@reddit (OP)
Then you shouldn't be here. Lots of people think it does. I've had people disagree but list good reasons why they disagree, which I respect. Not sure why you wanna make a bunch of comments here if you think this topic is pointless.
I'm a C programmer who's used all three. The point is pretty obvious: to provide a software centre for installing packages that work regardless of the distro you're using. AppImages are a bit different from the other two because it's just one file.
Business_Reindeer910@reddit
there's plenty of old discussion for you to read on this topic.
SaltyMaybe7887@reddit (OP)
I posted this for others to read.
TotallyNotARuBot_ZOV@reddit
Are you just farming Karma?
SaltyMaybe7887@reddit (OP)
No? I just post whatever I'd like to share. If I was farming karma I wouldn't post controversial things that would get me downvoted.
Annas_Pen3629@reddit
Alone for security reasons, letting the distributor bugfix dependent, that is in this case dynamically linked libraries, is a plus. But there are a ton other advantages, let alone disk space if every app contains the same libs over and over and over again.
mrlinkwii@reddit
this is a not an advantage , its not 1990 any more where the max drive is 3GB
TotallyNotARuBot_ZOV@reddit
So you want the distro to rebuild every single package, and then you want the users to download every single package of a dependency?
TotallyNotARuBot_ZOV@reddit
You have no idea what "the problem" actually is and what they are a solution for.
You swapped out the entirety of the issues with the traditional approach with a small subset of it, and even then that issue isn't "solved" with static linking.
mrlinkwii@reddit
they are
Alternative_Data9299@reddit
Eh. Not a huge fan of apt package manager and pip is always annoying as shit. But flatpak and snap seems good to me. I know npm packages are being targeted a lot with malicious stuff. Some improvements can be made for sure but I wouldn't say it's not the solution.
Plan_9_fromouter_@reddit
I guess if that were the only issue. But the reality is, flatpaks and snaps are enabling a lot of apps to be used across most distros.
CecilXIII@reddit
I guess your problem is with binaries requiring outside deps rather than the distribution platform? Since you said you don't mind package managers below. So why is AppImage in the list? That's your portable one file solution
MatchingTurret@reddit
Utter nonsense that completely ignores all the other dependencies. Resources like icon sets, images, tz files...
An application is more than just the ELF binary. And it doesn't address applications that require a runtime like Java or Python.
And it ignores the security implications of running an untrusted binary with access to at least the user's home.
SaltyMaybe7887@reddit (OP)
All of these can be handled by a package manager or a good old Makefile.
MatchingTurret@reddit
How do you handle things like the Nvidia drivers where the user space library has to match the kernel driver? Your statically linked binary would only work with exactly one kernel driver version.
SaltyMaybe7887@reddit (OP)
I didn't say we have to use statically linked binaries for everything. You just listed one exception, that doesn't disprove the rule.
bdingus@reddit
On a platform like desktop Linux this isn't really viable. If you want to make a truly portable binary you have to statically link absolutely everything down to the libc, because there's no guarantee of literally anything that your program needs existing on the user's machine. You'll be lugging around binaries hundreds of megabytes in size for even simple desktop applications, and that binary size will be duplicated for each and every one of the apps you have installed. AppImage has this problem as well if you want to actually be sure your thing will run everywhere.
That's also not even getting into the UX implications, I mean sure many Windows programs do this, you download a zip and extract it into your documents or whatever people do and hunt for the exe file every time you want to run that program I guess? This is really not something Linux should be striving to emulate.
The solution in the world of unpredictability that Linux is, is Flatpak or something similar.
dev-sda@reddit
That's only true if you care about the tiniest niches. Practically speaking you can cover everyone by linking against glibc 2.17, gtk 3.22 and other libraries from that time with stable APIs. If it runs in rhel 7 you can run it basically everywhere.
SaltyMaybe7887@reddit (OP)
What are you on about? You can run programs with an application launcher as long as a .desktop file is shipped.
bdingus@reddit
Sure you can, but how do you get that .desktop file into
~/.local/share/applications
or whereever else so the desktop will see it?In your original post you say that a package for each distro is an issue so I assume you wouldn't want to use distro packages, but if you just want to ship a static binary to everyone how else than "extract this thing" would you get it on people's computer? Some custom installer?
SaltyMaybe7887@reddit (OP)
I'm not against package managers, I just think that developers and distros should ship statically-linked binaries. Of course, package managers will need to ship things other than binaries. Alternatively, developers can use Makefiles for software that isn't in the repos of a distro so that running a
sudo make install
does everything you need. Developers should not expect everyone to compile their software from source.bdingus@reddit
If you're still using distro-specific package managers, then you may as well stick to the status quo. The dependencies of those statically linked binaries at build time need to come from somewhere, and if you're using the distro's package manager to install your software you may as well use its (typically dynamically linked) dependencies and its build system to build the software as well – building the software with the package manager is not much more work than packaging up a preexisting binary. In fact, producting that binary in a way that is portable rather than depending on distro-provided package is actually a lot more difficult, historically everything has been built around this model of a repository providing system-wide installed dependencies and if you go against it you set yourself up for a lot of painful troubleshooting and fragile setups as the developer.
(This should be taken from the perspective of someone shipping a C/C++ based desktop application. I have far less practical experience with other languages or frameworks.)
I'm not sure what you mean here. Do you want to use Makefiles to install precompiled binaries into your system? How will the user uninstall or update the software then, more Makefiles?
Without a predictable base set of packages like what something like a Flatpak runtime or a fixed base platform like Windows or macOS provides, there's just not a good way to solve this problem that doesn't either lead to a ton of work for the developer (supporting a ton of package formats is not easy) or users being stuck with needing to compile or repackage the software for their distro if it's not available.
Saxasaurus@reddit
I soft agree, in that I think distros should be somewhat more flexable about allowing static linking/vendored dependencies.
For example, Hyperland used to use a forked version of wlroots and some distros wouldn't package it because it didn't work with their wlroots package.
Also, static linking is the default in rust development. Distros could save a lot of heartache by just packaging those apps the way the developers intended.
ang-p@reddit
Has anyone got a link to that Nix video about how they are handling the
libpng
vulnerabilities - and show how many packages in 2024 are still pinned to version 1.2.0 from 20 years ago with CVEs coming out of it's hoo-ha, not to mention many more recent releases also with issues.?IIRC there was over 1100 packages holding a libpng version with known CVEs I saw it in a reference to a post (on here?) the other week, but
RusselsTeap0t@reddit
It would be counter-productive. For example on a
Clang/Musl
only system; I can add an environment variable such asLD_PRELOAD
to preload Microsoft's Mimalloc in order to HUGELY increase threaded performance compared to native memory allocator in Musl.Statically linked binaries are significantly larger in size. They consume more disk space. They use more RAM when running. This is especially problematic for systems with limited resources.
Static linking makes it harder to patch security vulnerabilities. Each application would need to be recompiled and redistributed for every security update.
Dynamic linking allows for better memory sharing between processes. Static linking can lead to slower startup times for applications. Overall system performance may degrade due to increased memory usage.
Hardware-specific optimizations become more difficult. Applications may not take advantage of newer CPU instructions or features (unless recompiled and distributed). There is a possibility for potential conflicts with system-specific configurations or hardware.
Developers would need to maintain and compile binaries for multiple architectures. This means increased complexity in build systems and continuous integration pipelines and higher chances of introducing bugs due to different compilation environments.
Users would lose the ability to use alternative versions of libraries. System wide tweaks and optimizations would become more challenging. Customization options for advanced users are reduced. For example, I am a Gentoo user. I do in fact statically link some binaries but having the ability to dynamically link them, open the possibility for customization.
Compiling statically linked binaries takes longer. More powerful build systems would be required. That means higher storage and bandwidth costs for distributing larger binaries.
Applications may include outdated or conflicting versions of libraries. Inconsistent behavior between applications using different library versions is possible. There are potential licensing issues with statically linked proprietary libraries.
Distribution maintainers can no longer optimize packages for their specific systems. Performance benefits from distro-specific patches are lost. This also means reduced ability to integrate with distro-specific tools and features.
Users would have to wait for developers to recompile and redistribute entire applications.
Existing package managers would become less effective. Dependency resolution and tracking would be more difficult. System-wide updates would be more complex and time-consuming.
Each application would include its own copy of libraries. This is a security vulnerability since we also don't have sandboxing in this case. More code means more potential vulnerabilities. They could exploit outdated libraries bundled with applications.
Users would need to download entire application binaries for small updates. We are trying migrate to atomic updates with very little changes. This would become the exact opposite.
Debugging statically linked binaries is more complex. Stack traces become less informative. Identifying the source of issues becomes harder.
The shared effort of maintaining and improving shared libraries would be destroyed.
Complying with licenses that require source code distribution becomes more complex. You need to make sure that all statically linked libraries' sources are available and matching.
Dynamic linking allows for some runtime optimizations and replacements. Some performance enhancing techniques like prelinking become impossible.
Some security mechanisms rely on dynamic linking, such as ASLR. Implementing certain sandboxing techniques becomes more difficult.
GradSchoolDismal429@reddit
Found Linus's burner account
throwaway6560192@reddit
You don't mention why you consider Flatpak so much worse than static linking so as to "not really address the real problem". You just declare what the "actual solution" is without justification.
QuickSilver010@reddit
The solution is using nixpkgs on every distro
IamfromSpace@reddit
Came for this. Nix is a paradigm shift that makes for a lot of challenges in today’s world, but holy cow is the work worth it.
I am so hoping that the industry “gets it” in a decade or two. They will think we were cavemen for managing software the way we do today.
QuickSilver010@reddit
It doesn't even have to be tbh. You can do either one with it. I just install stuff with the nix-env command. Personally don't see any reason to use the config unless you're on nixos itself. But yea I'm definitely hoping for more adoption of this technology. The leadership has me a bit concerned for this project. But so far nothing bad seems to have happened to nixpkgs just yet
Houndie@reddit
In addition to the other answers, there may be license considerations at play. For example, dynamically vs statically linking an lgpl'd library has affects on your project
Business_Reindeer910@reddit
That's a point I don't add enough to my posts against this. Thanks for reminding me.
srivasta@reddit
Most of this seems to be concentrated on binary distributions. Source distributions don't have this issue (I have a couple of packages that are synchronized from the source repository, updated the packaging config, and builds a Debian package and puts it into a local repository). (These can then be submitted to Debian proper, but one does not need to do that).
This can be mostly automated, and the automation script is fairly generic for each family of Linux OS' . You still need multiple scripts to cater to each Linux family, but they mostly fit a template.
KrazyKirby99999@reddit
Static linking is the solution for CLI apps, but Flatpak is better for graphical applications.
MatchingTurret@reddit
No, it's not. It ignores a ton of issues. You can't statically link things like the resolver library or the timezone functions from libc and expect them to work. They might, but that's not a given.
KrazyKirby99999@reddit
That's true, however static linking should used where possible.
viliti@reddit
Static linking isn't some holy grail solution—there are multiple problems that are being solved by Flatpak and Snap. Portability between distributions is only one of the problems. The others are automatic updates, a common store for Linux applications, sandboxing and runtime permissions.
People already complain about large file sizes and loading times for Flatpaks despite them sharing runtimes. These issues will be much worse if every application statically links all libraries. On top of that, static linking as opposed to dynamic linking has legal implications in some jurisdictions which makes static linking a no-go as a generic solution for all applications.
rszdev@reddit
Agree