• unix_joe@lemmy.ml
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 years ago

    Flatpak is kind of bringing the BSD mindset of base system versus end-user apps to Linux.

    Back in the glory days of FreeBSD, one would have system libraries managed by the FreeBSD team, and then whatever libraries the ports system used in /usr/local/lib which were used for end-user applications. Everything not provided by FreeBSD came from ports and was installed in /usr/local (/usr/local/bin; /usr/local/etc; /usr/local/lib; etc) so you would have two versions of gcc, for example.

    With Flatpak, you have your stable, or rolling base, whatever you are comfortable with. In my case, Debian. And it is fully separate from the end-user applications. This is something that I’ve really missed since coming to Linux from BSD. I can keep Firefox bleeding edge without having to worry that the package manager is also going to update the base system, giving me a broken next boot if I run rolling releases.

    Conversely, I don’t have to wait for backports from my underfunded, understaffed distro’s security team, or ride Firefox ESR.

    End-user applications are in containers. So what ffmpeg in the VLC flatpak has an exploit, VLC can only access your ~/Videos directory anyway. It’s not going to read your PKI certs or send your ssh keys off somewhere.

    Use flatseal to manage permissions of each app.

    It’s not perfect, but it’s a step in the right direction.

    FWIW, OpenBSD has done this for years with Chrome and Firefox, which only have ~/Downloads access.