When is using Flatpak not advised? Or should we all switch to only using Flatpaks?
Posted by 3030Will@reddit | linux | 108 comments
I know Flatpaks are sandboxed which can be useful, and can also help avoid dependency hell (at the expense of a slightly larger package size). But are there times where using a system package might be better? I've heard some people say Flatpak is good for GUI applications only, but is there any credibility to that claim? Would an application like Steam for example perform better as a system package or Flatpak? (A popular GUI app I've heard people claim runs better as system package instead of Flatpak)
xpressrazor@reddit
I use Flatpak for everything possible. Makes the OS more stable, with less and less dependency and less bloat, less OS update size, and less risk of things failing during update. Also, it’s easy to experiment with Flatpak apps, as I can clean everything.
Samonitari@reddit
Less updates? You mean you showed the updates elsewhere? I am playing with Aron and Kappa, and I see the pros, but less updates are just plain wrong, only now you have to call 2 separate tools (discover does that for you afair), and you have more redundant dependencies. Core system IS leaner though...
xpressrazor@reddit
Less update from system packages as you have more flatpak packages and less system packages. I did not mean overall less update size.
Why I don’t mind bigger flatpak size is, if something breaks, it does not break the whole system. Also, most flatpak managers like Warehouse and even Discover have options to clean up flatpak settings. So flatpak is better for experimentation.
Obviously, I am not saying all packages are suited for flatpaks. And clearly you can move from one to other, but for overall stability of the underlying system it’s best to have less system dependent packages.
I had a time, when I completely removed my desktop, just because I wanted to switch from one Bluetooth provider package to another one.
Also, for more experimental system packages, it’s best to use docker/podman before you decide they need to be installed in your host system.
It’s like treating your system like a readonly or immutable system, whenever you can. These days, you largely can.
Javelinv12@reddit
i'd say that if you are on rolling releases, then it is better to use flatpaks for better stability. if you are on an LTS distro, then you can either go with repos or flatpaks since both would be safe for stability. Exceptions are tools that need deep os integration or CLI apps that are meant to be used on console...
Shadowborn_paladin@reddit
General rule of thumb: If it's a CLI app or the sandboxing interferes with certain functions of the app, then it's not recommended to use the flatpak version.
If these aren't an issue, then it mostly comes down to personal preference of which format to go with.
redoubt515@reddit
> General rule of thumb: If [...] the sandboxing interferes with certain functions of the app, then it's not recommended to use the flatpak version.
The better solution would be to adjust the sandbox permissions and/or file a bug report upstream so the maintainer can fix the permissions.
Barafu@reddit
Permissions won't fix problems like password manager unable to type passwords into browser, or the talk button in Discord not working in games.
Dangerous-Report8517@reddit
There's explicitly defined permissions to let Flatpaks talk to password managers though
Thunder3000@reddit
I have never been able to get this to work.
dylon0107@reddit
Proton pass works fine for me
Dangerous-Report8517@reddit
That's because it's relatively new and the support by applications being packaged as Flatpaks is a bit hit and miss right now, the solution still remains fixing the permissions though
gmes78@reddit
That is entirely unrelated to Flatpak.
rinart73@reddit
Please then explain how to make Flatpak VSCode work with external tools like phpcs and rector then with php installed as system package. Because no matter what I did in the past, permissions weren't enough. I asked around, nobody knew either. Gave up and went for system package.
No_Diver3540@reddit
And if the small performance hit is acceptable.
Shadowborn_paladin@reddit
From what I've seen, actual performance as a result of flatpaks overhead is fairly minimal. The bigger difference comes from the compilers version used iirc which can be different for different package formats of the same app.
A bigger concern might be the storage space. If you have to download a whole new runtime just for one app it might be better to just grab the .deb or whatever distro package instead.
But if you already have the runtime it requires then you might want the flatpak version as it won't need to grab any more dependencies.
WeinerBarf420@reddit
Flatpaks can be annoying when you need a program to interact with other programs on your system, e.g. trying to import bookmarks and settings from one browser to another
Bestmasters@reddit
For one, CLI apps are usually never suitable as Flatpaks. Also, IDEs and other developer tools are usually not great as Flatpaks. Discord's RPC functionality is very iffy on Flatpak. That's all that I remember.
Snoo_4704@reddit
You can add any graphical applications on embedded systems to this. It's a nightmare! I'll compile necessary user space components for something like Mesa and Flatpak/Snaps refuse to use them. To make matters worse distros like Ubuntu trying to shove the format down your throat so you can't even get a simple browser with video accel.
Business_Reindeer910@reddit
flatpaks would and probably will get better for developer tools
Bestmasters@reddit
Yes, native, container, or snap. In that order, that's the methods I use for developer tools.
Business_Reindeer910@reddit
snap would never be a thing for me, so it's just native or container.
Bestmasters@reddit
I don't see a reason not to use snaps, they're basically heavy flatpaks. It's just flatpak but the permissions are a lot more wild & powerful, and the whole thing is a little more bloated. The reason I use containers over snap isn't because containers are better, it's because snap doesn't have many apps.
Left_Security8678@reddit
I won't use something hardcoded to a closed source remote lol. That runs as root and installs stuff in the background and kidnaps apt commands, it's just malicious and thank god it's bad.
JockstrapCummies@reddit
I `git pull` from GitHub remotes everyday without breaking a sweat.
As long as the code I run on my computer is free and open source I'm happy.
tes_kitty@reddit
FireFox as a snap is borderline unusable and has GUI problems.
All issues were fixed by switching to a native install.
pragmatic_username@reddit
How long ago?
I'm using it now and I don't have any problems.
tes_kitty@reddit
Been a while ago, switched to native and never looked back. My main issues were font display (pages looked ugly), inability to start my external PDF viewer (atril), inability to save a downloaded file anywhere I wanted to save it (was limited to $HOME if I remember right) and messing with my mouse pointer look if the cursor was inside the Firefox window (I use the 'core' cursor theme, moving inside the Firefox window changed the look of the pointer).
580083351@reddit
The cursor thing is the GTK-QT transition.. this can be fixed with some variables and the like, but I never cared enough to dig into it and fix it because the colour was the same even if the shape was different. It is however one of those things that separates Linux from the other OSes, because it's the equivalent of having to turn a crank at the front of your car to start it or a kickstarter on a MC. People just want to use electronic ignition.
Right now I am dipping my feet into the distrobox waters with GUI apps, and am going to have to enter variables hell because colours, icons, etc. are all different and that I seem to need to use this qt5ct app to set some of that up which isn't used on my normal kde desktop, etc.
tes_kitty@reddit
I use XFCE. And for me the color was not the same. 'core' means the cursor theme the X11 server comes with, a simple black cursor with a white border.
Business_Reindeer910@reddit
The real is that there's only one official snap server. I'll never support that.
Confident_Hyena2506@reddit
Because it's proprietary and controlled by some company.
Big-Afternoon-3422@reddit
I had a weird issue on pop os cosmic where snap apps were consuming 100% of my ram and CPU. Did not want to fight for 2 days to figure out the issue, disabled and removed snaps.
Booty_Bumping@reddit
Also should be noted, distros that have SELinux or AppArmor often already have hardening rules specific to particular CLI programs. For example, on Fedora, the `ping` command cannot access the filesystem.
It's certainly not foolproof, though, because the rules can't cover all scenarios especially for all the various unix commands that need a lot of access. Firejail can go a bit further than just SELinux by also applying namespaces and seccomp-bpf rules (similar to the Flatpak/Snap sandbox, but not quite the same).
SithLordRising@reddit
I was building an appimage until I realised the core was a shell script so had to start over!
picawo99@reddit
Since I am not on Linux anymore, returned to Windows, where you never have these problems, I just wanna share my experience. I install VLC from flatpak, it lags 2 seconds at video start then works well. I install from other source and it works perfectly. I install Blender from other source and it doesn't work well, shows textures can't be applied. I install Blender from flatpak and it works well. And coil whines when rotating model in render view. I install VSCode from flatpak and it says it's not official version and can't access SDK, I install from website and it works well. I don't need these problems, really. ...
bruhwhatisreddit@reddit
exclusively flatpaks, even if the repo have it.
no, im not using an immutable distro.
tuxalator@reddit
Use Pacman and the AUR, never a real problem.
derangedtranssexual@reddit
The AUR is far worse than flatpaks
3030Will@reddit (OP)
I’ve been trying to stay away from the AUR. I have a few system packages on my install right now, and if it’s not available in the main repositories then I use Flatpak just to avoid breaking my system. Still need to read up on the wiki to learn more about how it works and how not to break stuff. I’m pretty new to Linux, even more so to Arch.
Ok-Salary3550@reddit
The AUR will not break your system.
ElderKarr2025@reddit
In what way?
crackhash@reddit
Aur can break system. It also got malware in the past.
MoussaAdam@reddit
where did you read that
MoussaAdam@reddit
so did flatpak
derangedtranssexual@reddit
Less secure and less convenient
Glittering-Tale4837@reddit
Pacman and AUR will pretty much have everything. No reason to use flatpaks on arch.
I've also noticed flatpaks take a lot of space unnecessarily
Ok-Salary3550@reddit
Flatpaks also install in your home directory, and I’d rather use that space for my actual files.
I already have a partition for app files. It’s called /.
Stratdan0@reddit
Flatpaks are evil, use it only if you can't install something without it
GirthyPigeon@reddit
I downloaded a Gnome 48 process monitor app of 3 megabytes. It needed 1.2GB of runtimes to make it work. On a Gnome 48 desktop. The developer of the app only made a Flatpak version of it. In those situations, just look for another app.
abcpea1@reddit
For me flatpak is nice because it segregates core os package management from user software
b3081a@reddit
I personally use Flatpak whenever I can due to its ability to (mostly) avoid generating random dotfiles at home path.
Upstairs-Comb1631@reddit
Native distribution packages, then possibly Appimage or Snap, and finally Flatpaks. Why? Because Flatpaks duplicate my system and download a huge amount of dependencies and have massive updates, which are annoying on a slow 10Mbit line and additionally wear out my old SSD.
from-planet-zebes@reddit
I try to default to flatpaks if possible.
The exception to that is for flatpaks that have limitations that I don't want to work around or don't want to deal with. For example I use 1password and if I use a flatpak version of Firefox then I can't unlock 1password from the browser. So that's not worth it to me and I install Firefox with my package manager. I also don't use a flatpak for 1password (if it even exists) because I suspect there would be too many limitations.
OBS, Thunderbird, LibreOffice, stuff like that I use flatpaks.
tes_kitty@reddit
It should be the other way round, only use flatpacks if there is no native version.
IAm_A_Complete_Idiot@reddit
Depends on what they care about. If they'd rather have applications sand-boxed and as isolated as possible from the rest of their system as default, it makes perfect sense.
tes_kitty@reddit
Usually you want your applications able to interact with the system in some way though.
IAm_A_Complete_Idiot@reddit
Typically applications don't need full filesystem access, either though. Having any app arbitrarily be able to add something to your $PATH (including a fake sudo utility for instance), could trivially lead to a privilege escalation.
Or having any app be able to access your browser caches, to get cookies / credentials for your bank, or email, or social media.
Or really, any number of things.
tes_kitty@reddit
They need to be able to read or write where I need them to read or write. And that is, on my system, not just $HOME.
IAm_A_Complete_Idiot@reddit
You need discord to have write access to ~/.local/bin? I don't think we're going to agree on security here if we can't agree on the principle of least privilege, especially for applications that could be easily compromised or are proprietary.
tes_kitty@reddit
I don't use Discord and have no ~/.local/bin
IAm_A_Complete_Idiot@reddit
My point was largely that it could be any app, on any folder. Even if your $PATH doesn't contain ~/.local/bin, a program could easily modify your `.bashrc` or `.zshrc` or the likes to include a new folder under your $PATH, and add `sudo` to it. It could then use the authentication attempt you give to the fake `sudo`, and use that to auth against the real `sudo` in order to elevate itself.
That kind of vulnerability is just one compromise away without sandboxing, even if you are lucky enough that you don't use any proprietary apps. Log4j, OpenSSL, etc. are FOSS tools, and CVEs enabling remote code execution are far more common than they should be. It could be older version of gimp with a random image from the internet, or a game, or any other tool. It's just about not trusting every app on your system implicitly to be vulnerability free.
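Added example (not part of the thread or any commenter's post): a defensive check for the `$PATH` shadowing scenario described in the comment above. It walks `$PATH` in lookup order and reports directories that a non-root account can write to and that are searched before the real command. Treating uid 0 as the only trusted owner is an assumption of this sketch.

```python
import os
import stat


def untrusted_dir(path, trusted_uids):
    """True if someone other than a trusted owner can create files in `path`."""
    st = os.stat(path)
    loose_mode = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return st.st_uid not in trusted_uids or loose_mode


def audit_command(command, path_value, trusted_uids=(0,)):
    """Walk PATH in lookup order and report where `command` could be shadowed.

    Stops at the first directory that actually contains the command, because
    that is the copy the shell would run.
    """
    findings = []
    for entry in path_value.split(os.pathsep):
        directory = entry or "."  # an empty PATH entry means the current directory
        if not os.path.isdir(directory):
            continue
        risky = untrusted_dir(directory, trusted_uids)
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            if risky:
                findings.append(f"{candidate}: resolved copy lives in a non-trusted directory")
            return findings
        if risky:
            findings.append(f"{directory}: writable directory searched before the real {command}")
    return findings


if __name__ == "__main__":
    # Audit the current session's PATH for anything that could shadow sudo.
    for line in audit_command("sudo", os.environ.get("PATH", "")):
        print(line)
```

An empty result means every directory searched up to and including the one holding the command is owned by a trusted uid and not group- or world-writable.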
580083351@reddit
LibreOffice appimage is better because it supports Qt. The flatpak is GTK at the current time.
If your desktop is KDE, use the appimage of LibreOffice, you will notice icons in the menus, etc.
Ok-Coyote87@reddit
Firefox (apt) and KeePassXC (flatpak) play nice for me.
alwyn@reddit
30 years of using Linux hasn't given me enough dependency hell to want to use snaps or flatpaks.
Feeling_Beyond_2110@reddit
My rule: if it's not in the repos and i really want to use it, then I use Flatpak.
johncate73@reddit
Same for me. Repo first, and if not available, then Flatpak.
Cephell@reddit
Use whatever the maintainers recommend.
OBS recommends flatpak, so (I) use flatpak.
Many system packages are listed as officially supported on many projects, so (I) use those.
J-Cake@reddit
My experience with Flatpak is disappointing. Blender only detected my GPU natively. Prism (Minecraft) sorta just works, so unfortunately it's quite variable. I tend to find though that what isn't in the full repos is in the AUR. The rest I compile myself.
Sure flatpaks are convenient and I try to use them where possible, especially for desktop apps, but otherwise native
FengLengshun@reddit
A lot of people says "CLI apps" but funnily enough, I used the syncthing app on Flathub back then because I can't be bothered to set it up manually, I used the pdftk cli on PDF Chain because I can't be bothered to install it manually when I already have PDF Chain, and I use Bottles' bottles-cli as a drop-in replacement for Wine.
Honestly, it's no different than a container or distrobox. Only, instead of `distrobox enter arch -- wine...` it is `flatpak run --command=bottles-cli com.usebottles.bottles -- run...`. It's still the same once you think about it. And it doesn't matter once you alias'd it anyways.
SuAlfons@reddit
I take it the other way around:
Is there a package in the repository that is the version of the app I need?
If not, is it available on AUR? (applies to Arch-based only)
Is there a flatpak? - Or is flatpak the "official" release? Or is it a beta version that I want to install? Or is it a Qt app that I want to install on a gtk system or vice versa ->> then use Flatpak
If all else fails or it is an app you'll only need once: AppImage
Majestic-Contract-42@reddit
Just my own personal take.
If the system is a desktop and the program is GUI, then Flatpak; otherwise native package manager.
PythonAndBeauty@reddit
Just do the linux mint thing, stick to only flatpaks maintained by the original devs and ignore flatpaks made by third parties.
Fit_Smoke8080@reddit
Anything that requires interaction between programs needs extra steps. I.e. Firefox with KeepassXC and other Native Host extensions.
3030Will@reddit (OP)
Makes a lot of sense. Thanks for the insight.
Chromiell@reddit
Using VSCode on Flatpak is pretty terrible, if it's an app that needs to integrate with other applications I strongly advise using the native package, otherwise you can go with Flatpak.
3030Will@reddit (OP)
Thanks for the insight. I’ve heard CLI tools and IDE’s don’t work well as Flatpaks.
kuroshi14@reddit
Regarding the Steam app on Linux, it is officially supported only on Ubuntu by Valve. This is the Github issue tracker for the Steam app on Linux. The "OS requirements" only mention Ubuntu. If you try to download the Steam app from https://store.steampowered.com/ then it will download a .deb file.
Sidenote, see this issue for official support on other distributions.
The Steam Flatpak on Flathub is unverified. It is not official, it is a community maintained effort.
They are bullshitting you because they want you to switch to Flathub. There are people who have a very strong "us-vs-them" mentality and will make ridiculous statements like "Flathub won the packaging war". Make up your own mind on how much you want to trust them.
Do you check if the Flatpaks you install are actually benefiting from the sandbox? If you install an application like LibreOffice from Flathub, do you think the sandboxing is making you more secure than a native package despite the page mentioning that the app requires full filesystem read/write access?
Web browsers like Librewolf have a note about security issues when installed via a Flatpak. A developer of Vivaldi explains why the Vivaldi web browser on Flathub is unverified and why he prefers snap instead.
Look into the official channels of an application if you want to know the details of their Flatpak support. Anyone can make statements like "bro all flatpaks are just always better than native packages all the time, trust me bro".
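Added example (not part of the thread or any commenter's post): one way to check whether an installed Flatpak actually benefits from the sandbox, as the comment above asks. It parses the metadata keyfile printed by `flatpak info --show-metadata <app-id>` and flags grants that largely remove the isolation. The two sample documents and their app IDs are constructed for illustration.

```python
import configparser
import sys

# Constructed sample metadata, shaped like `flatpak info --show-metadata` output.
SAMPLE_BROAD = """\
[Application]
name=org.example.Office

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=host;xdg-config/fontconfig:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""

SAMPLE_TIGHT = """\
[Application]
name=org.example.Viewer

[Context]
shared=ipc;
sockets=wayland;fallback-x11;
filesystems=xdg-download:ro;!home;
"""

# Filesystem grants that expose most or all of the user's files.
BROAD_FILESYSTEMS = {"host", "home", "host-os", "host-etc"}


def _load(metadata_text):
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # keys such as org.freedesktop.Flatpak are case-sensitive
    parser.read_string(metadata_text)
    return parser


def _values(parser, section, key):
    """Split a ';'-separated keyfile list, returning [] when it is absent."""
    return [v for v in parser.get(section, key, fallback="").split(";") if v]


def audit(metadata_text):
    """Return a list of human-readable findings for one app's metadata."""
    parser = _load(metadata_text)
    findings = []
    for entry in _values(parser, "Context", "filesystems"):
        if entry.startswith("!"):  # a negated entry removes access
            continue
        path, _, mode = entry.partition(":")
        if path in BROAD_FILESYSTEMS:
            access = "read-only" if mode == "ro" else "read/write"
            findings.append(f"filesystems={path}: {access} access to files outside the sandbox")
    if "x11" in _values(parser, "Context", "sockets"):
        findings.append("sockets=x11: shares the X server with every other X client")
    if "all" in _values(parser, "Context", "devices"):
        findings.append("devices=all: every device node is visible to the app")
    if parser.get("Session Bus Policy", "org.freedesktop.Flatpak", fallback="") in ("talk", "own"):
        findings.append("org.freedesktop.Flatpak=talk: app can ask the host to run commands")
    return findings


if __name__ == "__main__":
    # Usage: flatpak info --show-metadata <app-id> | python3 this_script.py
    for finding in audit(sys.stdin.read()):
        print(finding)
```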
samueru_sama@reddit
Same story with cromite
reblues@reddit
My rule is:
1. Distro's repositories
2. If not available or too old: AppImage
3. If not available in any of the above: Flatpak
580083351@reddit
2 is not a fixed rule. I have encountered several appimages that flat-out did not run because of the host system, or did run but looked bad because they weren't configured nicely and the flatpak version looked much better. I have also encountered appimages that were better because flathub (this will change later in the year) has trouble building extremely large apps which is why the flatpak for libreoffice is only gtk but the appimage is kf5.
On my immutable, I tend to go with flatpak, but I do use appimage sparingly and am currently experimenting with distrobox.
Morphon@reddit
Truly preference. My brother prefers everything to be installed into the system, I like all mine in flatpak and appimage.
No wrong answer.
dawsers@reddit
I would only use flatpacks if:
wine, which adds a ton of 32-bit libraries that are not needed for anything else.
One-Strength-1978@reddit
I don't care how software gets packaged. I usually install debs and use a recent system.
Rarely software breaks, sometimes it does, as recently Gscan2PDF.
Using flatpaks is fine to me. But I do not agree that we should all use flatpaks. Rather we should not care for the type of packaging.
CleanUpOrDie@reddit
In my experience, the flatpaks usually work better than from repo. Might be because of dependencies, or might be something else, not sure. But I've seen several times that apps that I use and are installed from repo have functions that don't work properly or the app crashes, where the flatpak versions work properly. Happened no matter if the distro was based on Arch or Debian. I've tried Snaps in Ubuntu too, which worked fine but for some reason were slower on my computer than flatpaks. Haven't noticed any slowdown with flatpaks compared to repo apps.
SeriousPlankton2000@reddit
Do these flatpacks contain libraries?
Is the flatpack that you use managed by an update mechanism?
If I can I'll use the distributions' versions.
julianoniem@reddit
Prefer apt if in official repo (and not too old version) via cli, Discover or Synaptic, otherwise flatpak (manage permissions with Flat Seal) or after that appimage (manage via Gear Lever). Canonical distros incl. snap I boycott because of growing lack of quality and stability. Rather not use 3rd party sources causing future update/upgrade problems. However have been forced to install deb versions like for instance yesterday in Debian 13 for the app Rustdesk. Flatpak and AppImage too much lag, the deb install works flawlessly. Not on top of head, but had lag and stutter issues with flatpak and appimage of other apps before on by far powerful enough devices contrary to deb installs.
theRealNilz02@reddit
If the app is available natively and works, use the native app. Only use flatpak if the native package manager does not provide the app.
ExaHamza@reddit
It all depends on what works best FOR YOU.
mrtruthiness@reddit
I prefer system packages primarily. They are more stable and tested.
If it's not in a system package (e.g. whisper.cpp, ollama, ...) I usually spin up an lxc container and download and install from upstream. It's sometimes awkward since that container won't have access to the host data ... but ssh and scp are your friends. I also run untrusted command line snaps in containers (e.g. yt-dlp)
I don't currently have any flatpaks installed, but I would if I needed to. I reserve it for GUI apps that are not available in my repository ... or for which I would need a newer version. I've found they often don't work in containers. If so, it's important to understand the sandboxing.
Misicks0349@reddit
Generally default to flatpak unless:
1) it's a CLI app
2) it's out of date
3) the package in your repo is maintained by the official developers
4) It requires a lot of permissions and workarounds, e.g. something like VSCode.
lKrauzer@reddit
I only use Flatpaks for everything only exceptions are Steam and CLI tools, everything just works
HurasmusBDraggin@reddit
Bruh what? 🙄
TurncoatTony@reddit
I don't use them at all. Though, I'm not sure what you should do. Lol
djustice_kde@reddit
libraries without ui are fundamental components to all programs. keeping them sandboxed or unused is asking for security problems. they are dynamically linked to every executable that needs them for a reason... flatpaks cannot replace the entire ecosystem.
i wrote the flatpak precursor library back in 2010 or so for Chakra to allow for non-kde apps in a purely kde archlinux.
The_IT_Dude_@reddit
I find that GUI apps with all kinds of dependencies are flatpak's bread and butter. VLC, Spotify, game emulators, etc. It's just easier to manage the app how the developers think it should run inside of a flatpak. Something like htop, not so much. There is no real benefit for something like that.
diyopedia@reddit
Security risk. Same as snapd and docker. Although to be honest flatpak is the least dangerous. Imho. Avoid snap and docker. Fr brh
Dxsty98@reddit
In what way are they a security risk? I
RoboticInterface@reddit
I'm not informed about Snap, but Docker by default runs everything as root (and is orchestrated via a docker daemon which is typically root), there are ways to get around this, but really it's better to transition to podman which is daemonless and fully supports rootless out of the box if you are concerned about security.
Podman has tools to follow the docker CLI & compose.
Business_Reindeer910@reddit
docker does support rootless containers these days pretty easily though. I still dislike the daemon though.
fankin@reddit
This is how a security engineer evaluates if something is a security risk:
Does it exist? If yes, then it's a security risk. If not, it's a zero day vulnerability besides being a security risk.
This consultation will be 16354€.
Business_Reindeer910@reddit
I default to flatpak for gui apps every time, unless it's a developer tool.
jr735@reddit
That's a very broad and extreme position. No, we should not all switch to only flatpaks. That would be nonsensical.
benuski@reddit
Steam flatpak has worked well for me with Nvidia, so I just trust that implementation. I tend to do flatpaks for proprietary apps and system for open source, but that's just based on vibes.
full_of_ghosts@reddit
If the system package works, I usually don't bother with flatpaks.
The exception is if I have a specific reason for wanting a specific application to run sandboxed. But those tend to be niche cases that don't come up very often.
shakypixel@reddit
You said the words better and “perform better”, but these are really subjective. In theory, flatpak will either be worse or at most be similar to (but not beat) system packages in terms of startup times, file access, etc. based on the containerization techniques it uses.
But performance isn’t really why people promote flatpak. It’s sandboxed and should be more secure if the developer themselves are developing the flatpak and if the permission it requires / directories it can access are limited. With Steam it seems that games are also sub-containerized so theoretically you can feel more at ease that that new game by that developer out of nowhere you downloaded which was secretly malware can’t do any major damage to your system (people often forget games are apps too and can be malware)
I’ve used flatpaks (I just deleted my last remaining flatpak app though, zen browser, after realizing I’m not really sold on it), but if it’s in the main arch repo I will prefer that.
gcavalcante8808@reddit
Everything but cli tools and IDE I would say.
Personally, after switching to silver blue, brew covered the cli tools part by 80%+ so I could use flatpak for the rest.
daemonpenguin@reddit
Always, if a system package is available.
Yes, virtually all Flatpak packages are desktop packages.
No, package format doesn't affect performance.
This isn't about the package formatting, but what version and what options are used to make the package.
adamkex@reddit
You can't use Flatpak if you want SVP interpolation in Jellyfin Media Player