If i think about using flatpaks on endeavouros , will you guys encourage me to do that?

ajucodz · April 29, 2022, 5:20pm

Thank u
I willl stick with AUR.

T-Flips · April 29, 2022, 5:36pm

Well, one could argue, that it is safer to run a proprietary app in a conainerized form like flatpak, where it has only a few / defined “breakout points” - that is - access to only some folders on your disk. Think of spotify or the like. Being installed from the aur - sure, you can look at the pkgbuild and see where the (binary) file comes from and how it gets installed. But how much of help ist this? Do i trust that app? Installed as flatpak, it is containerized, having only access to what it really needs on your disk (your Music Folder for example - but nothing else → “minimum principle”).

Or a browser, if you look at it as an attack surface while browsing the web. If you happen to catch some kind of malware while surfing, it could help if your browser is containerized…

Not advocating here
I just do see a purpose in using flatpaks in some cases.

dalto · April 29, 2022, 5:40pm

The problem I have with flatpak containerization is that it often isn’t granular enough to be useful. You often need to provide access to much more than it needs to get it access to what the one thing you want it to have access to.

T-Flips · April 29, 2022, 6:00pm

Hmm, i don’t know about that. Don’t have used them much myself. But to be fair, that would be at least only a flaw in the implementation - not in the principle of containerization itself

But i guess a big part of that topic is always the question of - trust - . Do i trust the source (flathub, AUR, etc.)? Do i trust the app? I think i have read something like that from you somewhere as well, @dalto, but can’t remember… So just rephrasing your wise words

Scotty_Trees · April 29, 2022, 6:03pm

There’s this weird odd random package called pacseek-bin in the AUR from here: https://aur.archlinux.org/packages/pacseek-bin

It’s maintained by some weird odd random maintainer named moson, TOTALLY don’t trust them at all, but I can’t deny the package they pull from the source ( https://github.com/moson-mo/pacseek ) is a pretty legit and useful little program

(this is just poking a little fun fyi, happy friday! )

moson · April 29, 2022, 6:56pm

This pacseek maintainer idiot I won’t trust at all. Every “bit” is a disaster

In this case though, you can see how the binary is built:
(I first built it myself, put tons of malware in it and uploaded it. Now it’s being done with a github action, which is way more transparent)

github.com

moson-mo/pacseek/blob/main/.github/workflows/release.yml

name: Release

on:
  release:
    types: [published]

jobs:
  release:
    runs-on: ubuntu-latest
    container:
      image: archlinux/archlinux:latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Install go, gcc
        shell: bash
        run: |
          echo 'Server = https://mirror.moson.org/arch/$repo/os/$arch' > /etc/pacman.d/mirrorlist
          pacman -Syu --noconfirm go gcc

This file has been truncated. show original

Mr_Ecks · April 29, 2022, 7:29pm

There are pros and cons. I generally stick to AUR, becouse I do trust that, and I got more control, but when it comes to programs that I really want up to date like Gimp, and in particular Spotify (which is hit or miss in the AUR) I do chose Flatpak.

More choises is not the end of the world, guys/guyettes.

codic12 · April 29, 2022, 9:45pm

No idea, I don’t use flatpaks my package management is either repos of whatever distribution I am using, AUR if I’m using Arch, or otherwise compiling from source (mostly for older versions of software that I prefer to newer versions)

fbodymechanic · April 29, 2022, 11:43pm

We don’t not support them. Or support them. Do what you want, it’s your computer.

Personally I’ll use them, but always second to AUR.

I personally wouldn’t even run snaps on my Windows work computer.

wordler · April 29, 2022, 11:49pm

Trust. Now there is a thing! FUD continues to affect our decisions. If you/we use the AUR then it’s up to us. As a user of an Arch-based distro I prefer to use the AUR than resorting to Flatpaks or Snaps. It fits better with the package management whist using pacman and yay (or whatever).

wordler · April 30, 2022, 12:04am

Snaps & Flatpak. For me it seems like an easy way out. If anyone is interested in how things work in computing, or indeed life, then it’s worth learning about the processes involved. Update and install with a terminal and look at the output. Look and learn. I’m currently messing about with a “from scratch” BSD install on a spare machine. It’s up and running and I’ve already learnt things about Linux/BSD/Unix from it. It won’t be my daily driver, that’s EnOS. If your local store (not you hopefully!) runs out of ready meals can you cook?

ajgringo619 · April 30, 2022, 12:24am

As a former flatpak user, I found it had one advantage over AUR/Snap: I could install the packages on a per-user basis, which kept the root partition out of the loop. This also made a reinstall that much faster as the flatpaks were already there and ready to go (assuming that /home was its own partition/subvolume).

That said, I’ll take the AUR every time.

wordler · April 30, 2022, 12:36am

So yeah keeping the root partition out of the loop means you have control, but maintaining it means what? And as you said, why would you take the AUR every time? Definitely /home on it’s own thing.

ajgringo619 · April 30, 2022, 12:40am

That one advantage was not worth for me in the long-run. Maintenance is not any different than installing it normally, you just use a different repo location: $HOME/.local/share/flatpak instead of /var/lib/flatpak. All you need to do is add a user version of the system repo, then specify that when you install; unless, of course, you remove the system repo, then the default install repo will be the user one…

wordler · April 30, 2022, 12:51am

Are we talking user groups here? I am slightly confused. I get the repo thing, but adding it to the repos follows the usual thing in mirrors. Install has nothing to do with anything, it’s just configs and updating mirrors.

ajgringo619 · April 30, 2022, 1:02am

When you add a Flatpak repo (known as a remote) to your system, you specify whether it’s for everyone (system) or the current user (user). For example, the default Flatpak repo is added like this:

flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

This adds the system remote called “flathub”. If you add --user to the aforementioned command, you’ll get a user remote (also called “flathub”). When you run flatpak remotes, you’ll see where each remote is pointing to.

Mirrors aren’t part of the equation here; once you’ve configured a remote, it points to a single location that can’t be changed. Yes, there are other remotes available - Fedora has one, I think there’s still a beta channel as well - but it’s out of your control.

wordler · April 30, 2022, 1:10am

So as I understand it, it remains it’s in a user space rather than in a whole system wide thing? That is is just like an AppImage. It just lives in /home/user/

ajgringo619 · April 30, 2022, 1:11am

Yes, exactly.

wordler · April 30, 2022, 1:22am

Thanks mate! As spoken before if we installed applications without the correct package manager then it is up to up to us. Freedom, but share knowledge!

djwyman · April 30, 2022, 1:38am

The whole it lives in the home directory thing is why they recommend installing flatpaks on the steam-deck since they made the root file system is immutable by default.