AUR or Flatpak: What I Learned in 90 Minutes of Reading

I am new so I was at a roadblock in my head.
My package approach going into debate:
one) Endeavour&Arch repos
two) AUR
three) Flat (snaps is out of the question)
four) appimage in wild
five) compile tar.gz myself (I suck at this)
My mindset after the debates: SAME.

Trust issue: moot. AUR gets the edge. The reason is not every Flatpak offered by Flathub is made by the app creator (i.e. official) nor is it sourceable. That’s about it for me besides the proprietary.

Things people said that stuck in my brain:

  1. all proprietary you should flatpak
  2. “big” apps you should flatpak. this debate didn’t cover browsers.
  3. electron-based you should flatpak (seems smart).

Things that stuck in my brain because they had the ring of truth:
* sandbox feature of flatpak incidental and over-rated and over-sold but not necessarily ineffective
* proprietary you should sandbox/flatpak…my AUR webex and zoom fell out of date so I like this idea.****these are proprietary apps so what’s the difference? sandbox gets edge.

arguments I shrugged off:
* AUR is just amateurs who package it because they wanted it in the first place so flats safer. no core team curation=
* flatpaks always up to date, AUR maintainers fall behind.
* there are no PKGBUILDs there are only “recipes” (I heard this a lot)

based on what I learned I dumped the out-of-date AUR proprietary Zoom and installed the Flatpak. I got rid of the flatpak librewolf and installed AUR librewolf-bin.
result: trade off!

no argument was a slam dunk. Ninety minutes of reading + two ibuprofen, in the end I think the AUR edges Flatpak in my brain by a modest measure, the most important to me is the transparency and many eyeballs.

With my very superficial, non technical understanding of these different sources of software, I use flatpak for specific programs that I would like to seal off using flatseal (e.g. steam, browser, proprietary communications apps, etc) with the rest I get from the official repos, and only go to AUR when they’re not available in the official repos. With my available free time, I’m trying to learn how yay works, but it looks like my study backlogs are just growing bigger and bigger.

Regarding this, make sure you have food in your stomach before taking an ibuprofen. Seen one too many stomach ulcers.

The PKGBUILDs are the “recipes” :wink:

3 Likes

My personal preference for installing software in Arch/EndeavourOS is

  1. official repositories, using pacman
  2. Flatpak
  3. AUR binary, using yay, but only if it has high votes and high popularity
  4. AUR source, using yay, but only if it is not too new
  5. AppImage: usually I manually install in my /opt and then write a .desktop launcher file in .local/share/applications
  6. Snap

About AUR, if you are a technical user, I recommend always having a look at the PKGBUILD: this file contains the instructions for building a package file and, for security reasons, I often read it carefully when I install new software.

3 Likes
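One way to pre-screen a PKGBUILD before the careful read recommended above, added here as an example (not code from this thread, from Arch or from yay). It inspects the file as text and never sources it; the sample PKGBUILD, the `example.invalid` URLs and the choice of checks are assumptions made for illustration.

```python
import re

# Constructed sample (not a real AUR package); each risky line is deliberate.
SAMPLE_PKGBUILD = '''\
pkgname=example-bin
pkgver=1.2.3
install=example.install
source=("http://downloads.example.invalid/example-${pkgver}.deb"
        "https://downloads.example.invalid/extra.tar.gz")
sha256sums=('SKIP'
            '0000000000000000000000000000000000000000000000000000000000000000')
package() {
  curl -s https://example.invalid/setup.sh | sh
}
'''

def array_values(text, name):
    """Quoted items of a bash array assignment, read as text (never sourced)."""
    m = re.search(r"^%s=\((.*?)\)" % re.escape(name), text, re.M | re.S)
    return re.findall(r"""["']([^"']*)["']""", m.group(1)) if m else []

def review(text):
    """Return a list of findings that deserve a closer manual read."""
    findings = []
    sources = array_values(text, "source")
    sums = []
    for algo in ("b2", "sha512", "sha384", "sha256", "sha224", "sha1", "md5"):
        sums = array_values(text, algo + "sums")
        if sums:
            break
    if sources and not sums:
        findings.append("no checksum array for source=()")
    for i, src in enumerate(sources):
        url = src.split("::", 1)[-1]  # drop optional 'name::' rename prefix
        if re.match(r"(http|ftp)://", url):
            findings.append(f"plain-text download: {url}")
        vcs = re.match(r"(git|hg|svn|bzr)\+", url)  # SKIP is normal for VCS
        if i < len(sums) and sums[i] == "SKIP" and not vcs:
            findings.append(f"checksum SKIP on non-VCS source: {url}")
    m = re.search(r"^install=(\S+)", text, re.M)
    if m:  # pacman runs this scriptlet as root at install time
        findings.append(f"install scriptlet to read as well: {m.group(1)}")
    for line in text.splitlines():
        if re.search(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba)?sh\b", line):
            findings.append(f"download piped to shell: {line.strip()}")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE_PKGBUILD)))
```

An empty result only means none of these patterns matched; it narrows where to start reading rather than replacing the read.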

My Arch systems rely almost exclusively on the official repos. I have maybe one or two items from the AUR. I have no need for any containerized package format (no Flatpak, Snap or AppImage, ever).

3 Likes

I’ve already said everything I wanted to say about this.

4 Likes

Agree about Flatpaks not being sourceable, but anyone can make an AUR package.

1 Like

I had beer in my stomach so that worked out. Heliopylori (sp?) I’ve had wreak some havoc before. Appreciate the tip about ulcers. and your flatpak use.

but I thought they were vetted somehow?

Endeavour forums were part of my 90 minutes of wheel-spinning. I considered all sides. Fascinating debate. You are high profile, I read many of your posts. Agree AUR when no official package. I think I may get in the habit of keeping all proprietary in Flatpak.

I respect a purist. :grinning:

Nope, and completely unsupported by Arch.

1 Like

You didn’t get that advice from me.

I know (edit: that I didn’t hear it from you.) The 2-month old out of date AUR Webex package sealed the deal for me.
Except webex doesn’t come in appimages or flats so maybe just (gasp) plug W10 back into the mobo on those meeting days. Yuck.

The Webex release notes page lists about 30 bugs fixed since the version in the AUR. Most of the bugs looked to be user interface related. Have you tried the webex-bin 43.5.0.26155-1 from the AUR? Did any of the bugs fixed since that release affect your use of the software? Two months out is a fairly short period. If you have not experienced any of the bugs fixed since that release, I am not sure why the software is not sufficient.

I used the webex-bin with no problems.
But lotsa conflicting POV’s regarding 2 months out-of-date AUR packages, even in this thread. Some say unsafe and too long out of date, while you claim no, the devil’s in the details (strictly cosmetic fixes that haven’t been done yet because they are not pressing).
Maybe I should be viewing it from the middle?
It performed nicely for the job it had to do last week, yes.
But is 2 months unmaintained ‘best practices’ (thus a CVE)? or is there a such thing in the AUR wild west?
Here’s what I know is on me that, as a new user, I have NOT taken time to investigate upstream like I think you did. I didn’t even get in the habit of looking at code in the PKGBUILDS til a few days ago.
I don’t know yet where the ‘err on the side of caution’ exists yet on Arch and it’s kind of cool to learn.
Thanks for your reply.

According to the log: https://aur.archlinux.org/cgit/aur.git/log/?h=webex-bin

The last year shows the package has been updated five times:

2023-05-16 New upstream version: 43.5.0.26155
2023-02-14 New upstream version: 43.2.0.25211
2022-12-14 New upstream version: 42.12.0.24485
2022-10-22 New upstream version: 42.10.0.24000
2022-07-14 New upstream version: 42.7.0.22904

I would hardly call this unmaintained. It looks like the update frequency hovers between 2 and 4 months. If this trend continues, the next update should happen this month or next. I would not be too concerned.

Cisco appears to release new versions every month, fixing small bugs each month. If you are really concerned, you can always use a virtual machine to run an instance of Ubuntu and install the native .deb release of Webex there and keep it updated every month. That would certainly be easier than running Windows on the occasions you need Webex? Maybe not? Just a thought.

Exactly. The details will tell you what you want to know. Look through the bugs fixed and see if any appear to be a security risk to you. What I mean, is that say a security fix came in for the Windows client, since that does not concern you as a Linux user, then all is still good. Also, if a security fix came in for a feature you do not use, then it also is of little relevance. The details shall set you free. :rofl:

3 Likes

wow, I love it. I saw what you did in the link. You went from the regular AUR package page to the View Changes tab. I clicked on many entries, including the ones you did…while I can’t claim to interpret what I’m seeing…I said it once and I’ll say it again I L-L-LOVE the transparency. From tree to commit there is submenu after submenu deep inside each individual fix.
—for my far-less-than-journeyman knowledge of linux the picture becomes clearer the deeper I go into the fix.
Devil’s in the details—they have set me free :crazy_face:—that’s not to say it wasn’t a lot of research–it was.
I’m starting to see the Arch way is a very cerebral way. can abide.

2 Likes