Flatpak is kind of bringing the BSD mindset of base system versus end-user apps to Linux.
Back in the glory days of FreeBSD, one would have system libraries managed by the FreeBSD team, and then whatever libraries the ports system used in /usr/local/lib which were used for end-user applications. Everything not provided by FreeBSD came from ports and was installed in /usr/local (/usr/local/bin; /usr/local/etc; /usr/local/lib; etc) so you would have two versions of gcc, for example.
With Flatpak, you have your stable, or rolling base, whatever you are comfortable with. In my case, Debian. And it is fully separate from the end-user applications. This is something that I’ve really missed since coming to Linux from BSD. I can keep Firefox bleeding edge without having to worry that the package manager is also going to update the base system, giving me a broken next boot if I run rolling releases.
Conversely, I don’t have to wait for backports from my underfunded, understaffed distro’s security team, or ride Firefox ESR.
End-user applications are in containers. So what if ffmpeg in the VLC Flatpak has an exploit? VLC can only access your ~/Videos directory anyway. It’s not going to read your PKI certs or send your ssh keys off somewhere.
Use flatseal to manage permissions of each app.
It’s not perfect, but it’s a step in the right direction.
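As an added example, not from anyone in this thread: a small POSIX sh audit of the sandbox permissions Flatseal edits, reading the keyfile text that `flatpak info --show-permissions <app>` prints and flagging apps that can reach the whole host or home directory rather than named directories like ~/Videos. The embedded sample is a constructed stand-in for a VLC-style permission set, so the script runs offline.

```shell
#!/bin/sh
# Added example: classify a Flatpak app's filesystem grants.
# Input is the keyfile text printed by `flatpak info --show-permissions`.
# SAMPLE_PERMISSIONS is a CONSTRUCTED sample, not real output from VLC;
# the tokens (host, home, xdg-videos, ...) are Flatpak's own filesystem names.

SAMPLE_PERMISSIONS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=xdg-videos;xdg-music;
'

# fs_grants: print each entry of the filesystems= key in [Context], one per line.
fs_grants() {
    printf '%s\n' "$1" | sed -n '/^\[Context\]/,/^\[/p' \
        | sed -n 's/^filesystems=//p' | tr ';' '\n' | sed '/^$/d'
}

# fs_risk: "broad" if any grant exposes the whole host or home directory
# (with or without a :ro/:rw/:create suffix), "scoped" if only named
# directories or paths are granted, "none" if there is no filesystem access.
fs_risk() {
    grants=$(fs_grants "$1")
    [ -n "$grants" ] || { echo none; return; }
    for g in $grants; do
        case "$g" in
            host|host:*|home|home:*) echo broad; return ;;
        esac
    done
    echo scoped
}

# Against a live system you would feed the real output instead, e.g.
#   perms=$(flatpak info --show-permissions org.videolan.VLC); fs_risk "$perms"
fs_risk "$SAMPLE_PERMISSIONS"
```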
FWIW, OpenBSD has done this for years with Chrome and Firefox, which only have ~/Downloads access.
If you run KDE Plasma 5.27 or later, flatpak permission settings are included right from the system settings. A built-in flatseal, in case anyone didn’t know. https://i.imgur.com/PSdt6iy.png
One huge thing I don’t understand about Flatpak is how, like the article says, everything is shoved into GitHub. Why? What is the rationale behind making each application its own repository just to store a couple modules and a YAML file?
I do like Flatpak though. It works for what I use it for, and it does a good job at keeping the applications I install through it separate from my system, so I can be sure that my package manager isn’t going to brick everything with an update (not like that has ever happened though).
When I was packaging Flatpaks, the greatest downside was: no built-in package manager.
There is a repo with shared dependencies, but it has very few. So one needs to package all the dependencies… So, I personally am not interested in packaging for Flatpak other than on very rare occasions… Nix and Guix are definitely better solutions (except for the isolation aspect, which is not a feature; you need to do it manually), and one can use them on many distros; Nix even on macOS!
Nix on macOS doesn’t even have Chromium. All my kekw
… :'(
Flatpak converts a well-designed operating system, Linux, into a sub-optimized system like our favorite Microsoft Windows 😂