Current Best Practice Flatpack or Aur?

Ok
I’m not new new, but I need this like, the simplest terms

When attempting to install a new piece of software, if I see both AUR and flatpack Versions, which version should be best to install?

My current understanding is that flatpacks are created and maintained by the original software developer, whereas AUR is often NOT, (usually created and maintained by some wonderful, thankless, person whom I have the utmost respect for, that just felt it needed to be done)

As an end user, what would be best practice here?

1 Like

The best1 order in which to look for software:

  1. Official Arch repos
  2. The AUR
  3. Appimage
  4. Cloning from gitlab/github and building it yourself
  5. Flatpak (mostly for :pirate_flag: stuff)

Notice the absence of Snaps from the list… I’d rather not use the software than install snapd.


1 Based on subjective criteria, may not actually be best for everyone.

12 Likes

Fully Agree on Snap, but why is flatpack such low priority compared to AUR?

Most of the time, there is no need to use Flatpak at all. Most software, especially if free and open source, is available on the AUR.

The AUR has the advantage that it is a fully transparent system. You build the package on your machine, so you can know where the software is sourced from and exactly what goes into the package. That’s very safe.

Flatpaks have two disadvantages: 1) they are statically linked (which means they 1a) take up a lot of disc space, and 1b) may contain older versions of dependencies which may have security flaws not yet fixed), and 2) you don’t know where the software is sourced from (you have to be very careful where you download the flatpak from, to make sure it’s a trustworthy source).

True, anyone can upload anything to the AUR, so if you are not careful, on very rare occasions, you can find something untrustworth or even malicious there (usually, it is a malicious command in the PKGBUILD file). But if you’re careful and inspect the PKGBUILD file, that’s not a big concern.

8 Likes

There is no absolute answer to this question. It depends on the situation and your preferences.

My personal preference is the AUR over the flatpaks due to the transparent nature of AUR packages.

This is not true. flatpaks may or may not be created by the developer/publisher and the same is true of the AUR. It is probably true that it is more common for a developer/publisher to create a flatpak than an AUR package.

4 Likes

Ok thank you for the explanation!
I appreciate you taking the time

Like @dalto already wrote, it’s not true. Take PHPStorm by Jetbrains, for example. The Flathub page is mentioning: “NOTE: This wrapper is not verified by, affiliated with, or supported by JetBrains s.r.o.”

Kresimir’s arguments against Snaps/Flatpaks are one thing I’ve grown fond of reading. 0% bluff, 100% facts. :pray:

3 Likes

My question would be why would Flatpak be so low compared to Appimage. IMO, Flatpak is FAR more desirable than doing things the Windows way. Download this random binary from this random location…and just TRUST that it’s what it says it is and hasn’t been infected. It won’t be run with any security, or any sandboxing, so you just need to be trusting that it’s not actually malware!! Nope, give me Flatpak ANY DAY over that.

I am pretty sure he wasn’t implying that you should download appimages from random locations.

Not to mention that the same issue exists with flatpaks…they can come from anywhere. You can add any repo you want.

flatpak is still a binary format which can have malware in it the same as any other binary. Not to mention that unless you manually modify it, the flatpak itself defines the level of sandboxing it receives so trusting that blindly doesn’t help anything.

In the end, regardless of which software package format you use, you still need to make smart , informed decisions about your own security.

3 Likes

Is flatseal something you would recommend for managing the permissions for flatpaks?

It’s useful if you like gui apps (I’ll be honest, I do), although to be technical, everything it does IS possible with just Flatpak itself, just via cli.

1 Like

From the security standpoint, Flatpaks and Appimages they are about equally risky. I placed Appimage above git, simply due to convenience: some software takes ages to build, though building the program yourself from a git repository is, of course, much safer. If security is a big concern concern, just switch the points 3 and 4.

Appimages have all the downsides of Flatpaks, except they are slightly more convenient to use, hence I ranked them a bit higher.

In practice, the only use I have for Appimages is when I need an old version of some program. And, in my opinion, the only practical use for Flatpaks is :pirate_flag: (though, of course, this is risky on multiple levels and I do not advise it).

3 Likes

I actually find flatpak easier to use. Appimages GENERALLY just don’t work for me. Also they don’t (automatically) integrate into the menu. Also they don’t install in a logical location (since they can be run anywhere), so Appimage I loathe more than snap actually. OK, maybe that’s a bit of an exaggeration.

1 Like

I guess that’s just a consequence of us having different uses for Appimages/Flatpaks. For me, they are not used for the type of software I’d like to have integrated into my menus. It’s mostly for when I need some old proprietary program to do a task and then discard it.

And if I’m worried about safety, I just boot up a live image of the OS, download the Appimage, run it there, and do what I have to do without any risk to my installed OS. And when I’m done, the Appimage gets deleted. For this use, it is more convenient than a Flatpak.

I have nothing against Flatpaks on their own, it’s just the whole alternative package management system on top of distro’s own package management system that I find a bit too much.

In any case, it’s been probably over a year that I needed an Appimage or a Flatpak for anything. Pretty much all of the software I use is in the AUR (or the repos).

The only exception, i.e. a program I use on a regular basis that is not in the AUR, that I can think of the top of my head (apart from the stuff I programmed for myself, of course) is JSesh, which is a Java app, so I just download the .jar files and run it.

3 Likes

1: I’ve learned a lot, thank you everyone
2: I love that EndeavourOS is one of the few communities I’ve ever been a part of where this sort of discussion does not devolve into an argument and flame wars. I love you guys

10 Likes

If you use appimagelauncher it will both automatically integrate them into the menus and move them to a central location.

Personally, I don’t use it because I prefer to manage those things myself but it is an option if that is something you want.

Another reason I tend to prefer appimage over flatpak is theming. With appimage, it can inherit system theming. With flatpak it relies on the theme being available as a flatpak which the ones I generally use are not.

As for me, I just use 3 of them, firstly the eos repositories, then flatpak and snap, it is simple and have no huge update procedures, and also I think using AUR might bring you eventually a multilib system…

“Thinking” without knowing causes a great many issues.
This general question is very boring - and the answers are, indeed, blatantly obvious.

If you have a good binary method, use that.
AUR is clear and transparent.
Flatpaks CAN be a great choice. Appimages are also very nice (I think nicer than flatpaks - I get Joplin-appimage via AUR and it’s very sweet).

Snapd is pushing hard - for many softwares it’s the ‘only’ choice (especially if you are daft enough to use Google and google Linux Install Plex-HTPC because - as everyone knows - ‘Linux’ means ‘Ubuntu’).

There are exceptions for so many rules… Hence the benefit of intelligent discussion (revealed by reading the thread before making inane posts).

The AUR has been feeding me Plex-HTPC for a while now - interesting method - the AUR pkgbuild downloaded the Snap, stripped it of the crud, and installed a good working copy - a binary installation.

However, recently this got messed up. I will not blame AUR for this, rather the individual user. The AUR alerted me with comments and I purged the package.

However, someone is now putting Plex-HTPC out in Flatpak and so I switched.
Plex HTPC tv.plex.PlexHTPC 1.32.2 stable system
Along with Shortwave… sometimes Flatpak is great.

A couple of times I looked into Flatpaks - and ended up with crud that didn’t work. Flatpaks are often much worse…

However, if you go reading too much Reddit you will become aware of how ‘dangerous’ the AUR is, and how ‘dependency hell’ arises from it’s use.

I remember these phrases from my days using Linux Mint and needing to use PPA’s and other repositories for getting less than antique versions of many softwares.

Interestingly, since leaving Debian and LTS Noobuntu variants, I never experienced these issues - not once.

I would like to say that I would never, ever use Snap - but the truth is that I don’t really care that much. If it was a final option, I’d probably give it a go.

Fortunately, it never has been a necessary option - thankfully the two ‘Snap’ packages I have installed come via AUR as binary installs.

So really, the ‘Current Best Practice’ is really to have some intelligence.

There’s no substitute for intelligence, and following rules (albeit very well thought out rules) made by folks much more intelligent is a poor substitute.

Read all, try to understand all, and when you need something - just ignore the rules and work it out yourself!

Go AUR! :mega:

Edit: Don’t get flattened by the pak!

1 Like