flatpak remote-add flathub-verified --subset=verified https://dl.flathub.org/repo/flathub.flatpakrepo
    • rollingflower@lemmy.kde.socialOPDeutsch
      23·
      7 months ago

      Fair point. But when apps are on Flathub and people say “I dont care I have the AUR” they need to know.

      • the AUR has no verification at all
      • the apps have no permission system at all, so you need to trust them 100%
      • they are installed on your system and might mess up updates, give dependency errors etc.
      • their solution does not apply to nontechnical people. If a solution is not scaleable, it is not a good solution
      • Skyflare@discuss.tchncs.de
        4·
        7 months ago

        All you need to verify an AUR package is to read the PKGBUILD file, which is something the AUR keeps on encouraging you to do (this assumes that you trust the upstream repo, which is something that even official packagers of most distros do)

        Also a lot of flatpak packages aren’t sand boxed enough to be safe and only ends up giving false sense of security to nontechnical users

        Your last point is extremely important though, AUR is horrible for nontechnical users (which is why the AUR discourages AUR helpers)

        • rollingflower@lemmy.kde.socialOPDeutsch
          2·
          7 months ago

          Okay having an easily readable build file is a bit missing. Flathub hides that a lot.

          I think their rating system, which is on the website and also GNOME Software, displays apps with home access as insecure.

          And somehow this seems to be general knowledge and an issue about a privilege escalation through a local override was just closed. Yay

  • infeeeee@lemm.ee
    211·
    7 months ago

    If an AUR package wants to install 137 python dependencies, I usually search for a flatpak instead.

      • infeeeee@lemm.ee
        3·
        7 months ago

        Beside what @fatihozs@mastodon.social wrote:

        • If the package wants to install an awful amount of dependencies it means those dependencies are only used by that package on my system. Flatpaks contains all dependencies, so the required disk space would be similar to the flatpak.
        • My feeling is flatpak install time is quicker in this case, to install 1 flatpak vs 138 AUR packages. I never measured it though.
        • I only do this if an insane amount of dependencies needed. Some dependencies are normal, if more than 50 than I think AUR is not an ideal way to distribute a software, or also include a -bin package.
        • If no flatpak available I still install the 137 dependencies, so nothing wrong with that, it’s simply the way I like to manage my system.
      • Fatih Özsoy@mastodon.social
        42·
        7 months ago

        @pineapplelover @infeeeee No, some people just don’t want to install tons of packages just for an application they want to use to. The more package means the higher chance for system breakage. It’s better checking dependencies and pkgbuild before install

        • /home/pineapplelover@lemm.ee
          3·
          7 months ago

          Yeah but I thought if I installed it through AUR natively then it would be better since if other programs need those same dependencies, I wouldn’t have to install them again.

    • devilish666@lemmy.world
      3·
      7 months ago

      Personally i like chaotic-aur because it’s already pre compiled
      The only aur packages on my is system is stacer-bin (the only cleaner i trust other than bleachbit)

    • Petter1@lemm.ee
      2·
      7 months ago

      You can remove dependencies after install, at least in yay, I never do tho.

      • infeeeee@lemm.ee
        4·
        7 months ago

        That’s install dependencies (in PKGBUILD they are called makedepends), python programs usually need them for runtime (depends in PKGBUILD). On the main page of a package they are listed together, but on the PKGBUILD they are separate

        • Petter1@lemm.ee
          2·
          7 months ago

          😁 I know (well that about two types of dependencies)

          That python dependency seem more a upstream issue, not a AUR issue, isn’t it? I mean, if I install the same app from another source, it still needs those dependencies, isn’t it?

  • PINKeHamton@lemmy.blahaj.zone
    52·
    7 months ago

    I have just had bad experiences with flatpack so I don’t want to use it and the aur has the stuff I need and flatpack dose not

    • taanegl@lemmy.world
      2·
      7 months ago

      I’ve had nothing but good experiences with Flatpaks/Flathub and bad experiences with AUR/nixpkgs.

      Fedora also has it’s own Flatpak repo now with it’s own runtime.

      • rollingflower@lemmy.kde.socialOPDeutsch
        2·
        7 months ago

        Same. Ubuntu AND Fedora Libreoffice, SciDAVis and more where broken, not the Flatpaks.

        Flatpak is really meant for the big GUI apps. No problem with small distro packages really. It just takes off the huge burdens of maintaining distro packages for like Libreoffice, which is as big as the Linux Kernel.

    • rollingflower@lemmy.kde.socialOPDeutsch
      11·
      7 months ago

      You need to be more specific.

      You need to think about the background problem here.

      When Google made Android, it was web based. Their “perfect sandbox” ironically has no internet toggle. They won tons of marketshare, and iOS is not different here, both restrict apps to containers and have permission systems to reach out of these containers to access sensors, files and other data.

      Desktop operating systems are way older and have no such concept. We have mandatory access control with SELinux and Apparmor, but those are (I think) more complicated than Flatpak.

      Flatpak is a solution for multiple problems of Desktop Linux Apps at once.

      1. isolate apps with a real permission system
      2. make apps run anywhere
      3. have a single platform to target, so we dont need packagers anymore (for most GUI apps) and can file bugs upstream
      4. separating apps from the system: stable distros can have modern apps (similar to Windows) and Apps dont affect the stability of the OS at all. Also config files of such apps are in their container, not bloating your “oh so good xdg basedir”

      These are all extremely important points for a healthy, modern and secure Linux Desktop.

      But there are also issues to every point:

      1. most apps are not adapted to this model, which means they need broad static permissions like Pulseaudio, home or even host, allowing surveillance or trivial (even documented) privilege escalation. This is basically how apps like Flatseal work. Pulseaudio has no portal, do apps can listen to your mic whenever they want.
      2. Apps that “run everywhere” will not have distro-specific optimizations. The system needs to run on old LTS kernels to be universal, which means you miss out on tons of optimizations. Developers could just not care, but this depends on the app.
      3. Flatpak is more complicated than Snap (or even Appimage, if you leave the manual signing, monitoring vulnerable libraries and having a manual repo out). So it is not a great experience for “the Linux packaging model”. GNOME Builder is a good IDE for it but afaik only for GTK apps.
      4. No issues here. This is the core princible of “immutable” distros like Fedora Atomic Desktops.

      If you have issues with flatpaks, you need to be more specific. Maybe it is a packaging issue, or you expect an app to do stuff that is not