Flatpaks kinda suck in my experience
Posted by Pixelaar@reddit | linux | 187 comments
Let me start off by saying the idea of them is great. Obviously uniting all distros behind a single format is a sound idea and having them sandboxed is great for security. It's just that nine times out of ten, using a flatpak just causes issues for me that are easily solved by not using the flatpak version. Whether it's programs straight up not launching or causing issues with my hardware or other software or certain functions just not working, they just cause issues too often. It's gotten to a point where I will just install the RPM without even trying the flatpak because I don't want to deal with the issues that it is inevitably going to have. I never see anyone talking about this so I wonder if some of you might recognize what I'm getting at.
Danrobi1@reddit
Have a look at soar. A fast, modern, bloat-free distro-independent package manager that just works. Supports Static Binaries, AppImages, and other Portable formats on any *Unix-based distro.
Soar comes as a single-file, statically-linked executable with no dependencies that you can simply download & run.
I'm done with flatpaks!
cincuentaanos@reddit
Yes, I too hate Flatpaks. Along with AppImages, Snap packages, Docker images, etc. That said I use all of those as well as my distro's native packages (DEB). Oh, and I forgot the odd tar balls to extract in /opt. I would prefer it if everything came as DEB packages, which annoy me the least. But I suppose the Linux world wants this situation and I have to adapt.
Dangerous-Report8517@reddit
I for one would find it kind of tricky to install DEB packages on my Fedora machine
cincuentaanos@reddit
Fedora has RPM as its default package format, but you knew that.
Dangerous-Report8517@reddit
That's my point, yes
cincuentaanos@reddit
Ehh... OK, I guess?
Dangerous-Report8517@reddit
We can't all standardise on DEB when one of the main things that differentiates families of distros is how they approach packaging. That's a huge part of why flatpak exists in the first place - to bridge across distros that fundamentally differ in terms of package management, and the fact that it doesn't depend on traditional binary packages is exactly the reason it's finding success where previous attempts have failed for one reason or another
vmcrash@reddit
IMHO Docker images are perfect for running several services in an easy to setup and maintain way. But for GUI applications (flatpak) I don't see a good point in using them, as most of those I've tried need access to my file system anyway, and the sandboxing only causes troubles (e.g. can't see some files/directories).
Dangerous-Report8517@reddit
I've yet to encounter a Flatpak that needs access to the entire filesystem, most only need specific files or folders which can be handed to them selectively using either the standard permissions system or portals. The vast majority of GUI applications don't need anywhere near as much access to the system as they have by default and with increasingly complex GUI apps being run on an increasingly popular (and therefore targeted) platform it makes perfect sense to limit what damage apps can do if they go rogue
Disbulia@reddit
I had very few problems, and the ones I did have I managed to solve by tweaking the permissions a little with something like flatseal
MattyGWS@reddit
If you're on KDE you can actually tweak flatpak permissions right in the KDE settings menu
pfmiller0@reddit
Yes, but that feature is only a week old. It'll be a while before everyone has that option available.
BinkReddit@reddit
This feature has been available for quite a while.
pfmiller0@reddit
Has it been? They just added an Application Permissions page to the settings in 6.5. I don't remember seeing Flatpak permissions in there before, but it's possible I missed it.
cwo__@reddit
flatpak-kcm has been around for a good while, it was started in 2022. Your distro may not have included it by default.
The recent change was to turn it from a flatpak permission management kcm to one doing general app permissions. By now, even lots of non-flatpak applications use desktop portals to access things (e.g. the permission to take screenshots), so it's helpful to have something to manage these permissions later (for example, if you want to remove one later that you have set to always allow).
tajetaje@reddit
No, it’s been there for a couple years I think. Your distro may just not have shipped it
https://github.com/KDE/flatpak-kcm
MattyGWS@reddit
A week?! It's been years I think
rbmorse@reddit
Flatseal can resolve a lot of issues of this nature. I've found it's made integrating flatpaks into my distro (Mint) a great deal easier.
OliM9696@reddit
Flatseal certainly helps a lot but it kinda sucks to need other applications to get others to work.
tapo@reddit
KDE just bakes this in by default.
Ideally more applications are developed to be Flatpak aware and use the portal API to request permission to do something. These issues only exist because the apps are being containerized without their knowledge.
Askolei@reddit
Ideally, this would be transparent. It's weird that I can't drag and drop files from a filesystem the app cannot acess, the portal API should handle that for me.
UnassumingDrifter@reddit
This is Sparta (umm, Linux). We want security defaults locked down tighter than a gnat's ass. We then open things up as needed. When I first used flatpaks I hated this: nothing worked, couldn't open network files in media players, blah blah. Once I realized what it was I too thought "why". Then I realized.
This is Sparta.
AntLive9218@reddit
I believe portal-aware should be the better term, as I don't think portals are inherently limited to Flatpak.
Also hoping that more container managers will get portal support, so eventually Flatpak's bad design choices like single instance limitation can be left behind.
rbmorse@reddit
The thing is that no packager/developer knows MY tolerance for risk, or just how "sandboxed" I want a sandboxed app to be. Nor do they know yours. The kid who lives next door to me has her own pantheon of needs and preferences and they are way different from mine (I tried to teach her, but...well, you know kids.)
So from the packager's/developer's standpoint, the reasonable approach is to ship things that are complete and pretty well locked down (that being a guiding principle behind flatpak) and let the user readjust things to fit their own needs and abilities with the tool provided (flatseal).
I can't think of a better way to approach the problem, can you?
YoMamasTesticles@reddit
I can, easily. It's called runtime permissions. Start with none and ask the user throughout
User_8395@reddit
I wish flatpaks would ask you if you want to grant certain permissions.
proton_badger@reddit
Flatpak does have a lot of mechanisms in place for asking for things, through XDG portals and also mechanisms for communicating between Flatpak and apps outside the sandbox. However a lot of apps are not taking advantage of this, they’re just repackaged, sometimes by volunteers rather than their authors.
Also it’s not quite as comprehensive as a phone, for example; it can pop up an on-demand dialog to request permission to use your webcam or mic, and open file portals/dialogs to get files/folders outside the sandbox, but it can’t pop up a single dialog with a list of permissions to grant at first load, which would be nice. Flatseal is basically a Settings app, though it is more intuitive if worked into the native DE Settings app like on a phone.
I noticed in libcosmic XDG file choosers are directly supported so they work both natively and in Flatpak, it makes writing apps easier. I also used XDG file choosers in my own apps using a crate and it was no more difficult than any other method.
AntLive9218@reddit
Considering all the years going into development, the permission system is still rather primitive.
What I find the most odd is that it's neither beginner, nor expert friendly. It's not friendly to beginners because the understandable problem of popup permissions barely existing, and most programs still not even trying to request permissions. But given that limitation, it could have at least crude interfaces for some limitations, like offering firewall rule configuration in a config file to isolate programs, but that's not even considered.
Technically it could, and it already has something similar, but really crude.
For example during the update process, it lists new permissions, and waits for confirmation to proceed. Changing permissions at this step could be made user interactive, and could be done at install time too.
Business_Reindeer910@reddit
it doesn't help that we have no indication what 'not working' means since it's separate from apps not launching. Apps should indeed always launch.
Bachihani@reddit
It's not exactly "another app" flatseal is the official way to configure and set permission and app environment settings. It is as much part of flatpak as the cli command
GolbatsEverywhere@reddit
This is not true at all. Flatseal is not part of the Flatpak project. It's a third-party application. Think of it as a debugging tool.
End users shouldn't ever have to touch Flatseal. You can certainly use it to work around many bugs, but if you do, please consider creating a bug report.
kemma_@reddit
Why would somebody have to set something for something to work by installing another when it should just work out of the box?
I can’t imagine downloading an android app then another android app to tinker with the first one just to be able to use it
void_nemesis@reddit
You are though, every time an app asks for camera or gallery or phone permissions, you're setting the permissions externally. The only difference is that on Android the permissions manager is built into the OS, while on non-KDE Linux you need to install it with Flatpak.
Existing-Tough-6517@reddit
No the difference is the user experiences it as the app having a button to go to the permission screen whereas the flatpak user experiences it as the app being broken and finding out how to fix it on reddit
Bachihani@reddit
But it does work out of the box, I started using flatpaks exclusively over 4 years ago and I only needed to use flatseal once for a niche matter. And again ... Installing flatseal is the same in principle as installing flatpak. It's a tool that offers an easier way to accomplish a task, everything is still available through the cli, and in 90% of the cases, it's plug and play so u don't really need to worry about setting permissions in the first place.
OliM9696@reddit
I know,.... But it should just work when I install something.
karlk123@reddit
The problem is not from flatpak but the app in there needs to ask you for permission like Android apps do. Also flatseal is necessary and I see that it should be downloaded with flatpak automatically
computer-machine@reddit
Flatseal is just a GUI front-end to the flatpak commands already there.
natermer@reddit
All the bits are there to twiddle without flatseal if you want. There is a command line client and whatnot.
But why make it rough on yourself? Just use flatseal. That is what it is for.
Inevitable_Taro4191@reddit
KDE has it built in, in the settings menu. Not super easy to know or find it if you don't know about it, but it is there.
waitmarks@reddit
That is the nature of a sandbox though, it's more isolated and sometimes you need to grant extra non-standard permissions.
Prestigious-Stock-60@reddit
My problem with Flatseal is idk wtf each button I'm clicking does.
uoy_redruM@reddit
My experience with Flatseal is hit and miss. For instance, right now I'm trying to use KeePassXC with the browser extension in Vivaldi to connect to the KP database. No matter what options I use in Flatseal, they won't connect. As soon as I drop the flatpak and install the Vivaldi .deb file, run Vivaldi and it works like a charm. That said, Flatseal has resolved numerous issues for me in the past. Still, +1 for Flatseal.
Nereithp@reddit
It has nothing to do with Flatseal, KeepassXC has just not implemented the necessary functionality yet to connect to sandboxed browsers. There is an open issue on this.
JockstrapCummies@reddit
You know what's funny? This has already been working since 2022, but not on Flatpak'ed browsers --- it works in Snap browsers, and they use the flatpak command to set the permissions to use XDG Native Messaging.
I have no idea why to this day in the year of our lord 2025 that the Flatpak'ed browsers on Flathub still haven't implemented this. It's been years.
AntLive9218@reddit
I don't think Flatpak could do this since 2022, at least I've followed relevant issues, and it seems like support was just getting worked on this year, not even sure if it finished.
Flatpak development seemingly stalled in the past years, or at least after a strong start, it slowed down a ton.
It's also not looking too great that very old, reasonable feature requests are not proceeding at all. For example there isn't even a bandaid fix thrown in for network restrictions, like offering a hook to setup a network namespace, and the multi instance app request was just closed recently without proper explanation. Flatpak's future isn't looking too good, and that might affect the willingness to adopt the occasional new feature too.
Nereithp@reddit
That is, indeed, funny.
Personally I keep my Flatpak usage to a minimum and only use it when it makes sense. I prefer native packages to flatpak (but generally prefer flatpak to building from source/COPRs unless the given flatpak has some issue).
uoy_redruM@reddit
Good to know. Thanks for the info. I put that on subscribe to track the issue.
natermer@reddit
That is because KeePassXC works by using a keepassxc-proxy to be a native messaging host between the application and browser.
It is launched as a command line tool.
The challenge is that the browser needs to have the keepassxc-proxy executable in its path and have access to the socket shared by the application. Or something like that.
Here are instructions to get it working for Firefox.
https://b-ark.ca/2025/02/01/flatpak-zen-keepassxc.html
Don't know if it applies to Chrome or not. I don't use KeepassXC.
It is kind of a lousy design to have browser extensions dependent on command line clients. But it is what it is. I understand that people want the functionality and that is 100% reasonable expectation and it is a problem.
This is also why I switched to using bitwarden clients with self hosted vaultwarden. It doesn't depend on command line clients and works fine with sandboxed applications.
On top of that it takes care of sync'ng passwords between devices and offline use isn't an issue once a client has sync'd. The password vault is encrypted on the client side so that server side there isn't any access to the actual passwords.
Previously I used browser extensions with password-store (pass, the standard unix password manager). Which I still like and use for some things.
archlyn@reddit
Holy crap, I thought that was just me! Just replace Vivaldi with Brave and yeah, same issue.😳
uoy_redruM@reddit
Yeah, it's annoying. Fortunately for you Brave has an APT repo by default. Per what Nereithp said, looks like it might be awhile before the issue gets resolved. If it ever does... It's fine though, I don't need bleeding edge updates.
getapuss@reddit
Does it get the flatpak apps to actually use the system theme consistently?
Nereithp@reddit
Flatseal provides a convenient UI for you to do the tweaks, but you still need to know what to tweak.
If you do:
Flatpak will be able to see themes in ~/.local/share/themes, provided you don't have a flatpak theme overriding it.
genpfault@reddit
https://github.com/tchx84/flatseal
Affectionate_Fig9084@reddit
I've never heard of flatseal. I'm going to have to look into this.
Reasonable-Mango-265@reddit
Flathub is problematic. There's a flatpak on there for the very good backup program called "FreeFileSync." The username associated with it is the same as that used by the author on their support forum. It looks legit, but I was skeptical because the ffs download page doesn't list it.
I suggested to them that they list it so people would know it's legit. They said they don't know anything about it. That's scary, right? There's no way to report it either.
I'm not trusting flatpaks anymore. Only if the app owner links to it from their own site.
Dangerous-Report8517@reddit
To be fair, there's a bright "Unverified" label right under the name on that app, it seems they make it pretty clear that it isn't provided by the original developer. Honestly that's the ideal use case of the Verified label, it's much more of a problem when developers without much of a rep can package malicious software directly and still get it labelled "Verified", or how trusted third party packagers can't get their apps labelled as such (see the Chromium package)
mrtruthiness@reddit
Similarly, there is an app that manages crypto-wallets which is "Unverified". https://flathub.org/en/apps/io.exodus.Exodus
If you go to the linked github page ... they claim it's verified when responding to the issue reporting that it's not: https://github.com/flathub/io.exodus.Exodus/issues/245
If you go to the actual Exodus website, they don't have a link to flathub or mention it. There is only a download ( https://www.exodus.com/ )
There's an unverified snap that keeps appearing (and quickly gets removed) by that name and people keep getting surprised that their wallet is empty.
That sort of thing just doesn't happen with normal distro repos.
Dangerous-Report8517@reddit
That sort of thing doesn't happen with normal distro repos because normal distro repos are either entirely controlled by the distro's internal package management team (ie all packages are third party but independently validated in some way or are secondary repos solely for direct developer publication with no claim of distro oversight). None of them are trying to offer a multiplatform packaging system that genuinely needs to allow for both third party packaging to allow for broad support while also supporting direct first party publication, and aren't directly comparable to Flathub as a result. In both of your specific examples the packages wouldn't have been available at all in any form through normal distro repos. Flathub makes all of this clear as well, with big red and yellow warnings all over the place on unverified apps with lots of permissions.
As for your specific examples, Flathub lays out how to get verified very openly, and it's trivially easy, amounting to just proving that you control the repo that your manifest builds the flatpak from. If a developer claims their package is verified but links to an unverified package I would be very wary of trusting that developer's software through any channel, let alone Flathub, unless they could explain very clearly both that they are in fact not verified and why. If you're downloading an unverified flatpak without a very clear understanding of why it's unverified, you are doing something very wrong.
Ironically I'm pretty sure my beef with Flathub is almost the exact opposite - there's applications on there that are packaged by third parties and therefore must be marked as unverified even though the third parties are highly trusted community members or even direct contributors to the Flatpak project itself. I'd like to see some way for them to vouch for packages like that even though they aren't verified as first party, that might indirectly help your complaint because if they had a trusted third party label as well they could flag packages that aren't verified or packaged by a trusted entity more aggressively as potentially hazardous without careful evaluation
GolbatsEverywhere@reddit
You can report issues here but this is not reportable. The Flathub package owner is only expected to be the same as the upstream developer if the app is marked as "Verified" and this one is not. Also, in this case, I see the packaging is maintained by a prominent Fedora developer.
I do strongly dislike that it's not built from source, but it's just downloading the binary released by upstream, so looks safe enough provided you fully trust the upstream developers to not be malicious.
dkopgerpgdolfg@reddit
a) Many flatpaks aren't that well maintained, and some are outright malware disguised as proper app
b) Bloat, by having the same basic libraries many times
c) Less adapted to one distribution, eg. file path of config files etc.
d) It invites to blindly relying on sandboxing, when quite some of them are not only completely open, but even less secure than non-sandboxed versions (just recently I looked at one flatpak that allows full access to eg. /dev, prevents namespacing that the contained app wanted to use for more security, and tried to create a suid binary)
e) Instead of "fixing" one bad flatpak with flatseal, it's more straightforward to go the other way and create a customized own ruleset (for apparmor etc.) based on the native application.
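Added example, not part of any commenter's post: a small audit of the permission keyfile that `flatpak info --show-permissions <app-id>` prints, flagging the kind of wide-open grants mentioned in point d) above (whole-filesystem access, all of /dev) before anyone relies on the sandbox. The sample keyfile and the choice of which grants to flag are assumptions made for illustration.

```python
import configparser

# Constructed sample, in the keyfile layout that
# `flatpak info --show-permissions <app-id>` prints. Not a real app.
SAMPLE_PERMISSIONS = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=host;xdg-download:ro;!xdg-music;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
"""

# Filesystem grants that expose far more than a single folder (assumed list).
BROAD_FILESYSTEMS = {"host", "host-os", "host-etc", "home"}
RISKY_SOCKETS = {
    "x11": "X11 clients can observe input and windows of other X11 apps",
    "session-bus": "unfiltered access to the session D-Bus",
    "system-bus": "unfiltered access to the system D-Bus",
}


def _entries(section, key):
    """Split a ';'-separated keyfile list, dropping '!entry' removals."""
    raw = section.get(key, "") if section is not None else ""
    return [e for e in raw.split(";") if e and not e.startswith("!")]


def audit_permissions(text):
    """Return (key, entry, reason) tuples for grants that weaken the sandbox."""
    cp = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), strict=False
    )
    cp.optionxform = str  # keep D-Bus names and keys case-sensitive
    cp.read_string(text)
    context = cp["Context"] if cp.has_section("Context") else None
    findings = []

    for entry in _entries(context, "filesystems"):
        path, _, mode = entry.partition(":")
        if path in BROAD_FILESYSTEMS:
            access = "read-only" if mode == "ro" else "read-write"
            findings.append(("filesystems", entry, f"{access} access to '{path}'"))

    if "all" in _entries(context, "devices"):
        findings.append(("devices", "all", "every device node in /dev is exposed"))

    for sock in _entries(context, "sockets"):
        if sock in RISKY_SOCKETS:
            findings.append(("sockets", sock, RISKY_SOCKETS[sock]))

    if cp.has_section("Session Bus Policy"):
        for name, policy in cp["Session Bus Policy"].items():
            # Talking to the Flatpak session helper lets the app start
            # commands on the host, i.e. outside the sandbox.
            if name == "org.freedesktop.Flatpak" and policy in ("talk", "own"):
                findings.append(
                    ("Session Bus Policy", name, "can start processes on the host")
                )
    return findings


if __name__ == "__main__":
    for key, entry, reason in audit_permissions(SAMPLE_PERMISSIONS):
        print(f"[!] {key}: {entry} -> {reason}")
```

To check an installed app, pass the output of `flatpak info --show-permissions <app-id>` to `audit_permissions()` instead of the constructed sample.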
omniuni@reddit
For Debian based distributions, I always use a proper repository when I can. The benefit to Flatpak is that it works on Debian, RedHat, Arch, etc, and even immutable distributions. It's not suitable for system level software, it's slow, it uses a ton of space. Flatpak is necessary for some things, but I do not think it is a "good" solution.
i_h8_yellow_mustard@reddit
Space considerations aren't relevant on the lion's share of modern systems. Easily one of the more confusing complaints about snaps and now flatpaks.
omniuni@reddit
The first rule of software engineering is that you don't tell your users what is and isn't a problem.
I still have some computers that have "only" a 512GB SSD, and when Flatpak uses sometimes literally 1000x the amount of space that a .deb would, I consider that a problem.
So yes, the absurd amount of space that Flatpak uses is a problem for me, and for many other users.
Dangerous-Report8517@reddit
I'm using Fedora Atomic on a 512GB SSD and nearly the entire drive is empty, despite the flatpaks. Worth noting that if you have exactly one flatpak with a teeny tiny application then it's going to look scary with a few hundred megs of runtimes but those runtimes are shared across a lot of apps, so the incremental cost of running one more flatpak is pretty similar to just installing the package natively (and the first few hundred megs are comparable to the bulk of pretty much any major modern distro)
omniuni@reddit
Good for you. I have my root and home directory. I don't want apps in my home directory, and I don't want system software duplicated.
AntLive9218@reddit
Ironically Flatpak is hellbent on satisfying your need with some nasty practices.
It really tries to do operations as root by default, resulting in installing programs on the system level, outside of the home. I actually consider this a design problem, because it's an implicit privilege escalation without the user's explicit consent, assisted by PolKit rules allowing this to happen silently.
omniuni@reddit
Root partition, not root user.
Dangerous-Report8517@reddit
System level Flatpaks, like many system level stuff that's installed or run under root, aren't installed or configured in root's home folder, and even if they were /root isn't mounted under /home anyway and therefore isn't on the home partition
Dangerous-Report8517@reddit
It's fine to have personal preferences, I'm just saying that the space really isn't a big deal from a technical standpoint and remains far, far less impactful than any of its detractors seem to think it is
AntLive9218@reddit
If by system level software you mean administration tools, then those will always have a problem with isolation.
Which part is slow? I've seen some limited performance issues due to for example syscall filters, but aside from that, I don't think it had very obvious problems like snap-like slow startup.
The ton of space usage is debatable. The Flathub repo files aren't light, but I assume you mostly mean the space taken by installed programs. Compared to "regular" containers those aren't really bad, compared to self-contained programs, sure, there's a lot that can be saved. But then in glibc and systemd land, you can't really have statically linked binaries without tons of nasty hacks which keep on breaking.
Flatpak is a bad implementation of a good idea. I just generally hope that portal support will spread to the more generic container managers, so the benefits can be reaped, but the stagnant Flatpak base can be left behind.
MouseJiggler@reddit
Flatpak is the last resort if there is no native package to be found.
TheNavyCrow@reddit
why are you using fedora then?
atomic fedora is a priority rn, and it relies on flatpaks
MouseJiggler@reddit
And what does that have to do with normal fedora?
Ok_Resist_7581@reddit
As a Gentoo user, I'm super grateful for flatpak's existence. Sometimes I just want something quick with GUI installation, and flatpak really comes in handy. Once I get enough of that app on flatpak, only then will I start compiling it.
demonpotatojacob@reddit
The idea is actually pretty fucking horrendous. You simply cannot make a universal software delivery system. There will always be edge cases and things that break. The sandboxing also sucks, and ironically for web browsers literally makes them inherently less secure because in order for Bubblewrap to work Blink, or Gecko, or whatever other engine has to have been compiled with sandboxing disabled. 10/10 job there, guys. It also doesn't even solve the problem of developer burden at all. Because in order to make something that works as intended when packaged as a Flatpak you have to design it to use portals and everything else. Otherwise it just won't work correctly. What's my solution? Fairly simple. It's called a self-hosted static binary in a tarball extracted to /opt. You know, how all of Unix software has been installed since the beginning of time‽
TheNavyCrow@reddit
snap can run without sandbox and works on most distros (with sandboxing disabled)
Dejhavi@reddit
All problems with Flatpaks are usually related to permissions and can be easily resolved by using the FlatSeal app
mrtruthiness@reddit
You do understand the issue here, right???
mrtruthiness@reddit
Yeah. I try to run untrusted applications in lxc/lxd containers. I haven't had a single flatpak work in my containers. I'm pretty sure that's because my containers are unprivileged and flatpak currently requires some privileges. [To be clear, things like "flatpak install" works. It's just when I do a "flatpak run" that there are issues.]
angus_the_red@reddit
Brand new Linux user and have had the same experience. It's frustrating to have so many ways to install and update with so many trade-offs between them.
Destroyerb@reddit
Hate to have a choice?
The same can be said for everything else on Linux
Go back to Windows
angus_the_red@reddit
Lol. Hi nice to meet you.
I hate to make the wrong choice. I hate to choose from many bad options. I hate spending my time to make an informed choice over something that should be unimportant.
mrtruthiness@reddit
Very well stated. Also: https://en.wikipedia.org/wiki/The_Paradox_of_Choice
bonzibuddy_official@reddit
it's at least a good way of picking what distro you want by judging package managers. pacman with paru/octopi just werks for me for example, but i either don't have enough issues with flatpaks or just don't use flatpaks enough (could be either) to have an issue when i need to use it for some software.
i'd also rather the developers and software distributors have that choice in the first place. some programs are probably just easier to throw on flatpak than work with distro individualism. it happens.
Inevitable_Taro4191@reddit
There are applications solely developed for distribution via Flatpak. Take Bottles for instance, they make it so it is only supported via Flatpak.
Doesn't stop rpmfusion, they have it, it's also on the AUR. So yeah the developers made their choice, they are following the flatpak route. But since it's free software we have the freedom to build it and skip Flatpak but yes, we are on our own with no official support.
phylter99@reddit
I’ve been using Linux a long time and I’ve only recently started using flatpak and snap to install things. I find there are certain apps that work really well that way, but that most of the time I’m better off using whatever the original developer provides if anything. Some snaps are supported and recommended by some publishers like Microsoft and JetBrains, and those are pretty good. Most of the time the normal package manager for the distribution is perfect.
bullwinkle8088@reddit
This has been my take to date, flatpak solved a problem that really did not need solving.
matjam@reddit
I’ve never been on board with Snaps or Flatpaks, mostly because they try to solve too many problems at once.
Dependency bundling is fine. If you want an app to ship with its own libs and not depend on whatever the host distro happens to provide, then bundle them. That’s not weird. Windows and macOS apps have dragged their own DLLs/frameworks around for decades; CLI tools too. Totally fine, though it can risk being a little DLL hellish but it's worked reasonably well in practice.
Where it goes sideways for me is when bundling gets fused with sandboxing. Sandboxing makes a lot of sense on phones. On desktops it often feels unnecessary and adds overhead and sharp edges. We’ve all seen the messes with Steam, OBS, and friends not behaving in Flatpak/Snap land. Sure, most of that has been papered over, but it’s still extra complexity for marginal benefit in a lot of desktop use cases.
macOS solved this a different way: apps are just .app bundles with their dependencies inside, and the OS layers permissions into the system APIs (TCC/entitlements). You get a consistent permissions model without containerizing the filesystem or inventing a new packaging universe. They’re just folders plus protected APIs.
I think there's been a few attempts to bring this model to linux but nothing seems to be succeeding quite as well as Flatpak, so I guess I'll have to get on that fucking train at some point, even though I don't like it.
AntLive9218@reddit
Sandbox is the main selling point for me, and I'd say there's not enough (or more precisely not done properly).
Overhead varies, but in a lot of cases it could be negligible. For example network restrictions are really overdue to be added, because once setup, the kernel takes care of everything with high performance using a network namespace with its nftables rules.
The benefit may be only marginal for your use case, a phone isn't any more special to need more security, I would actually argue that a desktop is more likely to have access to sensitive networks and services.
This kind of permission model is the obvious response to a lot of programs not being feasible to fully audit anymore, so I'm not really surprised about it. Also consider that containers are well-established for non-GUI use cases, the only oddity here is Flatpak which is a good idea with bad execution, and questionable development effort in the past few years.
Dangerous-Report8517@reddit
Actually the OBS issues were caused by third party distribution, Flatpak actually solved a bunch of issues that Fedora re-introduced by trying to repackage it the distro specific way. Plus, integrating sandboxing into app distribution actually makes a ton of sense because the package manager knows what permissions the app needs and can inform you about them when you go to download it, and makes a perfectly sensible place to control them too.
This is more or less how Flatpak permissions work too, the containerisation is a solution to the fact that different apps are intended to run in different runtimes, not the sandboxing mechanism.
ILikeBumblebees@reddit
Yeah, it's really bad separation of concerns, and forces you into a potentially sub-optimal solution for one problem in order to use the other. There's little reason for it when there are dedicated sandboxing tools like Firejail around.
Shrinni_B@reddit
Don't see anyone talking about it? It's a pretty big topic every time it comes up when I've seen it. Everyone is so polarized on the subject of flatpaks.
I use them very seldom on Arch but a few times I have to or it's just easier to use a flatpak. As others have already mentioned, learning how Flatseal works is what makes them significantly less frustrating to integrate into your system, especially if you are using a flatpak that needs to communicate with other programs that are not flatpak.
I understand the dislike, but I also think a lot of the dislike is just ignorance until you understand how to get integrated. After that it's just preference or bias which is okay to have but not to force onto others. I'd personally rather not use them but won't shy anyone away from using them.
shanehiltonward@reddit
Super insightful take from a Fedora user.
I'm on Arch and just install Flatseal, allowing me to give certain rights to certain flatpaks. No issues.
Keep on trucking.
Pixelaar@reddit (OP)
arch users try not to mention they use arch btw challenge (impossible)
shanehiltonward@reddit
Fedora is so good that Valve chose Arch instead. ;)
Bitter-Elephant-4759@reddit
Since switching to an atomic distribution, Project Bluefin, I have almost zero issues. I know in distros that combine flatpaks and their own package management there are communication issues between applications that involve investigating permissions, etc...
The only thing I can't have for now, as I have chosen to not do a rpm-ostree to install firefoxpwa's is I can't use the firefoxpwa extension.
Before, when I used Fedora, if I installed something through flatpak I often would have to go through Flatseal to give permissions where now -almost- everything works beyond the aforementioned case with firefoxpwa's.
Now I just use my desktop without having to mess with anything; updates go in the background and everything works without me having to intervene. I think it's when you mix the two ecosystems
i_h8_yellow_mustard@reddit
Can you give examples? I've had essentially the opposite happen to me, where the default Fedora packages don't work (more often are just outdated) but the flatpaks do work.
nicman24@reddit
Bottles, Firefox, moonlight, megatools, pymol, that one that makes steamicons for steamdeck, all had at least one issue for me
i_h8_yellow_mustard@reddit
Bottles is flatpak only, the devs have made it specifically to work in that environment.
nicman24@reddit
Lol no they just don't know how to package their bad app
Avbpp2@reddit
Like when I first use blender, a total beginner in linux and wonder why the flatpak blender doesn't seem to see my cuda and nvidia drivers. Later found that flatpak blender is not the official wrapper distributed by blender foundation, need to install the official snap version of blender to work.
i_h8_yellow_mustard@reddit
Fair, I don't get that technical with my setups that often.
Sunsfever83@reddit
I was using flatpaks for a few programs, but I found that too many issues were coming up. So I just eliminated flatpak from my system and found everything works so much smoother than before. I use Arch with Hyprland, and I don't see any reason why I need to have flatpaks, so just like Windows, I don't.
StayAppropriate2433@reddit
I miss the days of synaptic downloading deb files and everything just worked.
DriNeo@reddit
I still can do that on my OS.
lmarcantonio@reddit
Also the portal thing for accessing external files is inconvenient for *most* applications.
NebulosaSys@reddit
If I have to open FlatSeal
The flatpak is not set up right.
bawng@reddit
Same here.
Concrete examples:
Firefox has trouble with some videos (codec issue?) that the RPM version doesn't have.
Steam has trouble with some games (example being Day of the Tentacle Remaster)
Bottles has trouble with basically everything.
However I usually try Flatpaks first anyway because I support the concept and want to promote it.
Material-Nose6561@reddit
The video issues are easily solved using Flatseal to adjust permissions to allow Firefox access to the GPU. Those codecs require hardware acceleration to work properly. Enabling access to the GPU allows for hardware acceleration to work correctly.
ImpossibleCarob8480@reddit
I think that's one of the big issues with flatpak, even some basic things like GPU access aren't granted by default and then aren't clearly indicated to the user that they need to manually enable it
bawng@reddit
Alright, good that there's a solution, but I'd rather just use the RPM then until they solve flatpak functionality out of the box.
spyingwind@reddit
Steam flatpak, never. Steam is almost a container manager itself. Each game gets its own proton "container". As a dev you can also specify a linux runtime for linux customers that reduces issues with different distros.
Fuzzy_Ad9970@reddit
Steam is much better as a flatpak. Many distros contain outdated libraries, that are updated in the flatpak. Flatpak allows devs to expect certain libraries to be there, and they always are.
Yes, containers are a bit of an issue. Flatpak has gotten really good at fixing those, although some still remain.
JockstrapCummies@reddit
Those same "updated libraries" of the Freedesktop runtime made several games outright not function for me (e.g. Dawn of War 2).
It's only by using Ubuntu's native libraries in a .deb install that they worked.
BinkReddit@reddit
Also works in the reverse case where the distro is up to date, but the flatpak program is behind.
spyingwind@reddit
If Steam published their own flatpak on flathub, then I would be more likely to use it.
tapo@reddit
The Linux container is required as of December last year. Everything in Steam runs in a Steam Runtime container. Games don't run "natively".
If Steam is in Flatpak it can't spawn containers itself, so it asks Flatpak to do that on its behalf. It is actually Flatpak aware.
shroddy@reddit
Is it a container to prevent games on Steam from accessing files they are not supposed to access, like recently the game Blockblasters, which contained a Windows malware that stole 30000$ worth of crypto currency from one guy?
Would that container on Linux have prevented that, or is it more to provide games with a unified runtime and libraries, but no security boundary?
MythologicalEngineer@reddit
Same goes for VLC regarding codecs. Not sure what the fix would have been to get it working properly in flatpak.
Business_Reindeer910@reddit
I've been using flatpaked vlc for over a year now and the only problem I have is with fonts that i've been too lazy to look into.
Fuzzy_Ad9970@reddit
VLC has always worked for me as a flatpak and has opened every single file I've asked it, just as usual.
ComprehensiveSwitch@reddit
This is actually the exact opposite for Fedora vs FlatHub Firefox fwiw, It's the Fedora RPM and Fedora Flatpak that have major codecs missing for licensing reasons. The FlatHub Flatpak is directly from Mozilla and does not have this issue.
ir0nslug@reddit
I've never had any issues with Flatpak, but I don’t use things like Steam with it. I prefer using Flatpak for most other applications because I like that it’s sandboxed. The permissions could be made more understandable for the average person though, and I think that’s what trips a lot of people up.
Flatseal helps with that, but should you really need a separate piece of software outside your desktop environment to manage permissions? Ehh..I don’t think so. They could suggest permissions to grant when someone runs a Flatpak for the first time, kind of like how Android does it, or give some tips about setting permissions and why you'd want to.
I know a lot of people got hung up on DuckStation forgetting the user’s chosen directory for games, so they’d have to redo it. They just didn’t realize they needed to give DuckStation permission to access the directory they selected.
There’s still work to be done to make the Flatpak experience better for the average person, and I hope they continue improving it in the coming years. Not having to worry about whether a piece of software is in your chosen distro’s repositories is nice. It also makes it easier for companies that want to port software to Linux to distribute their software or w/e.
Dangerous-Report8517@reddit
KDE and presumably Gnome are working on permissions stuff, I don't have FlatSeal on my system because the current KDE permissions manager does everything I need it to
viliti@reddit
Do you use Fedora by any chance? Fedora prioritizes Fedora Flatpaks over Flathub and Fedora Flatpaks have historically had more issues when compared to Flathub Flatpaks or RPMs. I would recommend removing the Fedora Flatpak remote and using Flathub instead.
whosdr@reddit
I thought Fedora moved away from their own Flatpak repo. Maybe I'm mistaken though.
Dangerous-Report8517@reddit
No they still have it. I actually use it for some things (on Atomic so preferable to not use native RPMs, and I prefer getting some of the apps I use from a packager rather than a random ass third party on Flathub)
Pixelaar@reddit (OP)
I use Fedora but only have Flathub enabled
Dangerous-Report8517@reddit
The biggest problem I see is how Flathub paints itself as being like the App Store, there's a lot of "Verified" apps that are packaged by very novice developers of their v0.0.1 app release or whatever, and a lot of more mature projects that have been packaged by either third parties or by developers not overly familiar with Flatpaks that have packaging issues as a result. Then there's the additional confusion of Flathub vs Fedora Flatpaks
leaflock7@reddit
agree on your pov. Flatpak as an idea is great for security and privacy. BUT its implementation as is currently is not production ready. Very rarely I had flatpak pop up a window to tell me it needs XYZ access, and most important, Flatseal has its options in a way that a simple user could not make sense of.
MrLewGin@reddit
The most disappointing thing for me regarding Flatpaks, is the fact you can't simply download them to save for offline keeping.
So often features are removed from software, or updates break it, or maybe a developer changes the user interface which is a nightmare for your particular workflow, it is so handy to keep a copy of the software you enjoy using.
This was the way software always was, going way back to the 90's. It's incredible to me that we have replaced this with no control whatsoever and an over reliance on the internet.
Rialagma@reddit
If all the necessary packages are included in each flatpak, then you won't be able to reuse the ones already installed and the files will be very heavy. Why not just use AppImages at that point?
samueru_sama@reddit
The funny thing is, a lot of flatpaks already do that, they just repackage the appimage or portable bundle, that is pretty much all the flatpaks of electron apps and web browsers in flathub.
So you have the current situation where flatpaks use +2x more storage than the AppImage equivalent if you have a filesystem with transparent compression (if you don't it is 5x more).
MrLewGin@reddit
I'd love to for that reason, but more frequently I'm seeing apps only distributed in Flatpak and not Appimage.
0x6b706f70@reddit
You can have your cake and eat it too
https://docs.flatpak.org/en/latest/usb-drives.html
MrLewGin@reddit
Thank you, I had seen this but it seemed so immensely complicated and way above my technological abilities unfortunately.
Bachihani@reddit
But u can download and install whatever version of the flatpak u want 🤨
JBDBIB_Baerman@reddit
I couldn't get the rpm version of steam to work on my fedora install. It just wouldn't load at all. Flatpak through the actual flathub repositories has so far (since April) worked with absolutely zero issues
AtheneNoctuaz@reddit
I rarely have problems with it tbh and any time I did it was fixable quickly
sLimanious@reddit
Used to have all non-pre installed apps on my fedora as flatpaks until I tried playing gta san andreas, now I run everything first on rpm then flatpaks on apps without official rpm package on the software center. Like Spotify and brave.
trusterx@reddit
I use flatpak as much as possible, because I'm on Silverblue. Haven't had any issue so far.
GroceryNo5562@reddit
Might be a dumb question but has anyone looked into flatpak sandboxing? I feel like in current state most apps sandboxing is quite loose and does not really provide much of a security layer
Am I wrong?
I guess once portals get more mainstream sandboxing would get more useful
BypassBaboon@reddit
Just googled what a flatpak is. What is the Windows/Apple equivalent?
BinkReddit@reddit
Flatpak. Windows applications often include their own versions of the libraries they need, and this is part of the reason why Windows is so bloated.
vortexmak@reddit
I prefer Appimages and they work perfectly fine
Ok-Winner-6589@reddit
Fedora uses their own repos, there had been multiple times that devs reported getting massive amounts of reports from people using broken Flatpaks from Fedora repos, meanwhile the official Flathub version works. You can change the repos instead of supporting such a dumb idea coming from Fedora project.
Pixelaar@reddit (OP)
i use flathub
Ok-Winner-6589@reddit
My bad.
I didn't have issues with Flatpak except Brave, which tried to access kdewallet and refused to open until I denied access to that software.
adamkex@reddit
It's been almost completely pain free for me and I try to use the vast majority of my apps that I don't consider a "part of my OS" (think apps like Kate, Gwenview and anything that comes with Plasma) through Flatpak. However, there are some exceptions like Steam, Lutris (had some weird bug) and any IDEs.
binarypie@reddit
The root problem here is the app developers and/or packagers don't do a great job of setting the correct permissions in the flatpak manifest. This means that often applications are shipped to flathub in a pretty poor state requiring tons of extra work to make them work.
I run into this all the time because my system is much more complex than a laptop with a single hard drive, single monitor, default home layout, etc..
__ali1234__@reddit
Quite often it is impossible to make software work because the necessary permissions simply don't exist to be granted, but the flatpak gets shipped anyway because it is unofficial and the person who made it doesn't care about the broken features and will just claim "someone is working on that portal" when in fact there's no evidence of that, and when you go and ask about it someone else tells you "well, that's fundamentally incompatible with the idea of portals so it will never be implemented".
requion@reddit
I understand what you are getting at but never experienced this myself.
But i try to minimize my usage of flatpaks. After all, using the native package manager of your distro is still the best way if possible.
I have to mention two notable exceptions though.
Under Void Linux, i had to use the flatpak version of the Steam client because the native version couldn't run games with EAC or Battleeye. This was due to some weird issue in a specific library. There was a lengthy github issue with no solution in sight. And because i am too stupid to build it myself, i just opted to use flatpak.
I'm on NixOS now. The native package for OBS Studio doesn't include the Twitch integration. You can still use it to stream on Twitch but it's missing the Twitch specific panels. It's possible to add them as custom panels but that is really wonky. So in this case i also opted to use the flatpak version.
In both cases, i didn't have any issues with hardware access or anything really. The only thing was that after some update, OBS NDI stopped working. This was related to the flatpak missing a permission for system-bus and was easily fixed by one command or by adding the permission through Flatseal.
nicman24@reddit
In general if your application needs a containerized environment to run, it is not a good application.
Although I get paid a lot to install it and run so...
kleinmatic@reddit
Agreed. I’m never confident that a flatpak or snap installed package will work right the first time.
The best solution to there being too many package managers can’t be let’s add two more!
Both flatpak and snap feel overengineered and fragile. I’m not confident that sandboxing was necessary and a loopback mount for all your snaps makes df, mount, lsblk and other tools much harder to use.
Homebrew on MacOS just puts everything in /opt/homebrew and things generally work. Surely adds to the attack surface but with many eyes on the GitHub repo there is at least some curation happening.
Ugly_Slut-Wannabe@reddit
Funnily enough, my experience is often the opposite. Flatpaks usually work perfectly well while the native packages can be kind of shaky sometimes.
luigi-fanboi@reddit
Is it though?
What if distros are good actually.
I get for some things having the latest version is great, but for most distros are a better way to package and maintain software than letting developers do it.
LateStageNerd@reddit
"Kinda" is the word here. Sometimes you need flatseal to expand permissions enough to do the job. The advantage of flatpaks is you can get fresher apps than from your distro (particularly if on a 2 year or 6 month release cycle), and often the quality is as good or better (particularly if the app would come from AUR or an equivalent amateur supported method). On the whole, I like flatpaks.
Even more than flatpaks, I like AppImages from ivan-hc/AppMan: AppImage manager to install, update and manage 2000+ AppImages ... that project makes an incredible number of apps available with top-notch life-cycle support. I know there are many that dump on AppImages, but, from AppMan (and I use vappman atop AppMan) they are super easy and super fast to install / update / remove. Naysayers may not down-vote me ;-)
Anyhow, with flatpak and appimages, there are very few penalties and annoyances with being on very stable / LTS distros ... Arch and Fedora be gone ;-)
VlijmenFileer@reddit
Flatpak and comparable suck by design.
Mebiysy@reddit
Yeah, i just tried it once, said fuck that shit and forgot about flatpak
eattherichnow@reddit
The worst issue with flatpaks, by far, is that so many of them are out-of-date. I didn't look into their process, but I wouldn't be surprised if it was all done by people who had a need once, and never came back to a package.
Most of other issues are fairly easy to solve. But that means at best making my own package.
BinkReddit@reddit
I hear you and I'm with you! Package maintainers are really undervalued! I try to stay away from Flatpaks as much as I can, but, sometimes, a software vendor will make no effort to make certain their program works with newer libraries and, at that point, it's better to sandbox their program and use the flatpak.
angeratyou@reddit
I don't like Flatpaks even when they work seamlessly.
DeadWHM@reddit
Sometimes flatpaks are better than native repos, especially if your distro's drivers or other packages are behind
For example some gaming software, example steam, you get the latest drivers and mesa package from flatpak.
lensman3a@reddit
Lazy developers who don’t use the latest modules that aren’t the latest code. Disk space is cheap.
Developers probably should just compile in all the libraries into a large program. Linus is insistent that kernel developers not change the kernel calls.
crusoe@reddit
Snap is the better tech but partly closed source.
Decayedthought@reddit
I've never had issue with a flatpak or a snap. None at all over the years. /Shrug
Fuzzy_Ad9970@reddit
Conversely, I have little to no issues with running flatpaks.
MrKusakabe@reddit
Flatpaks are the reason Linux is, for me, usable.
The Mint version of Audacity is helplessly outdated that even the Wine version was a better deal - it even auto updates itself (I have VST3 plugins which are platform-dependent, so I use Windows Audacity and it works). The Flatpak version is equally up to date and unlike the native one, even in German.
So many programs that I booted into Windows for are available as Flatpak (and AppImage) and I think for the most normal users, Flatpaks are great. With normal users I mean not tinkerers or paranoid nerds but just like people that need/want a program and are happy the small software pool expands so much thanks to Flatpak.
IgorFerreiraMoraes@reddit
Everyone talks about this, all the time.
I'll start by saying I'm on Fedora Silverblue and everything I have installed is a Flatpak from Flathub, never encountered any major problem like that, but each system behaves differently, that's the "Linux Support" roulette.
The fact that each program is isolated can cause some trouble when trying to set an external editor in an IDE/Engine/Software, like GitHub Desktop or Godot, or having a Flatpak control a device. There are also concerns with packaging, that have nothing to do with the nature of Flatpak, but people don't do it properly. Some of them are packaged with wrong default permissions, either they request ones they don't need, like access to your whole file system, or they come with important ones not enabled.
One thing that I faced is that OpenTabletDriver worked but Krita didn't recognize any pen movement, don't know if that's an isolation or permissions issue, it was better to just layer the RPM. But drivers are not really what Flatpaks are for.
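Two comments in this thread, the question about whether most apps' sandboxing is quite loose and the comment just above about flatpaks packaged with permissions they don't need (such as access to the whole file system), describe something that can be checked per app. The following is an added example, not part of any comment or of Flatpak itself: a small audit of the permission listing that `flatpak info --show-permissions <app-id>` prints. The two sample listings are constructed, and the set of grants treated as "broad" is this example's own assumption.

```python
import configparser

# Constructed samples in the keyfile format that
# `flatpak info --show-permissions <app-id>` prints. Not taken from real apps.
LOOSE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=host;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
"""

TIGHT = """\
[Context]
shared=ipc;
sockets=wayland;fallback-x11;
devices=dri;
filesystems=xdg-download:ro;
"""

# Assumption: these are the grants this example treats as "loose".
BROAD_FS = {"host", "host-os", "host-etc", "home"}
BROAD_SOCKETS = {
    "x11": "X11 clients can read each other's input and window contents",
    "session-bus": "unfiltered access to the session D-Bus",
    "system-bus": "unfiltered access to the system D-Bus",
}
# Talking to the Flatpak service lets the app start processes on the host.
BROAD_BUS_NAMES = {"org.freedesktop.Flatpak"}


def _items(cfg, section, key):
    """Split a ';'-separated list, skipping negated ('!home') entries."""
    raw = cfg.get(section, key, fallback="")
    return [v for v in raw.split(";") if v and not v.startswith("!")]


def audit(text):
    """Return (key, value, reason) tuples for grants that weaken the sandbox."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep the case of D-Bus names
    cfg.read_string(text)
    findings = []
    for fs in _items(cfg, "Context", "filesystems"):
        path, _, mode = fs.partition(":")
        if path in BROAD_FS:
            access = "read-only" if mode == "ro" else "read-write"
            findings.append(("filesystems", fs, f"{access} access to {path}"))
    if "all" in _items(cfg, "Context", "devices"):
        findings.append(("devices", "all", "every device node in /dev"))
    for sock in _items(cfg, "Context", "sockets"):
        if sock in BROAD_SOCKETS:
            findings.append(("sockets", sock, BROAD_SOCKETS[sock]))
    for section in ("Session Bus Policy", "System Bus Policy"):
        if not cfg.has_section(section):
            continue
        for name, policy in cfg.items(section):
            if name in BROAD_BUS_NAMES and policy in ("talk", "own"):
                findings.append((section, f"{name}={policy}",
                                 "can ask the host to run commands"))
    return findings


if __name__ == "__main__":
    for label, sample in (("loose", LOOSE), ("tight", TIGHT)):
        print(label)
        for key, value, reason in audit(sample) or [("-", "-", "no broad grants")]:
            print(f"  {key}: {value} -> {reason}")
```

On a real system, pass the text printed by `flatpak info --show-permissions <app-id>` to `audit()` instead of the constructed samples.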
whattteva@reddit
I totally relate to you. I usually also never bother with flatpaks because it usually causes issues for me too. I guess you just never see anyone talking about it because people like me just default to the deb/rpm format instead of even bothering with the flatpak because they're usually available in those formats anyway.
Kevin_Kofler@reddit
The idea is not actually great. "One size fits it all" leads to larger packages less integrated in the distribution than native software. And the sandboxing is what is causing most of your issues to begin with.
momomomomomomoto@reddit
flatseal + warehouse are god sent to manage flatpaks
DiscoMilk@reddit
You can set the global flatpak permissions to remedy some of your woes. Some apps I prefer to have flatpakked. Discord being one, I don't want it installed on my system like that. The choice is great though, I can have my cake and eat it too.
A while ago I had the idea of running only a flatpaked browser, zen. It was awesome for a while till I noticed my ram usage with flatpak zen was 6gb but then I installed the system zen, same tabs, 1gb ram usage. Same tabs, extensions and bookmarks on both. Definitely some trade offs for the convenience of it but it's a great package delivery system, certainly better than snap
sephsplace@reddit
I have no end of trouble on my work PC when trying to use a SSL cert. Always tried loads of stuff, sharing the network, allowing access to the cert, using env variables - but always issues. E.g when using bottles cannot install any dependencies as it says I'm not connected to the internet.
QuickSilver010@reddit
I only use flatpak for the few software that only ships to flatpak. Otherwise I use nix. Nix tends to work all the time. Even tho it runs apps with different dependencies, it still integrates with your system nicely.
FartomicMeltdown@reddit
I’ve had the opposite experience. Only a handful have caused any issues.
dddurd@reddit
Preferring packages from flathub over the official rpm repository doesn't make sense. Another thing is that if you need to rely on flathub sandboxing feature, you shouldn't be running the application to begin with. If a proprietary vendor provides only flatpak option, that is the moment to use flatpak, that's a fact.
waitmarks@reddit
It's called defense in depth. You should never rely on one single thing to ensure your system's security. Supply chain attacks happen on perfectly legitimate software and a sandbox around it could mitigate what damage it can do.
Catman1489@reddit
Funnily enough, for me launching flatpaks through steam works better than normal packages. Normal packages either don't start, or start incredibly slowly. Flatpaks just work.
Bachihani@reddit
I install the vast majority of my apps with flatpak and I've only ever had to use flatseal once !
atoponce@reddit
The only time I'm installing Flatpaks is when they don't exist in the Debian repo. I've only got a handful installed and they all behave exactly as I would expect. It's been a great experience for me personally.
JigglyWiggly_@reddit
I generally avoid flatpak. The file manager that pops up often doesn't have the same settings as my native file manager.
Access to physical devices is always hit or miss. Shouldn't have to rely on flatseal.
legluondunet@reddit
It could depend on your Linux distribution, I have not the same experience as you with Flatpak on Manjaro.
dobo99x2@reddit
Everything works great. Run flatseal if you have any issues to give permissions.
Valuable-Cod-314@reddit
For certain applications like Steam, I do not recommend it. Being a containerized program and coming with all of its dependencies, some of the libraries may be out of date or you will run into permission issues.
InnerRenault@reddit
How dare you...!