[Question] Why does everyone seem to dislike containerized packages?

jrgd, 10 months ago (edited 10 months ago)

There are a few obvious security implications with the rise of containerized packaging. One of the first is the move away from true centralized, least trust packaging. With traditional packages, you are trusting your distro maintainer (be it Debian, Canonical, RedHat, Arch, SUSE, etc.) To provide patched versions of software from their trusted repository mirrors to your computer. This does a few things like limiting the amount of places that you need to download software binaries from, as well as having other potential benefits like checksum validation on downloaded packages.

Most containerized package platforms including Docker, Snap, Flatpak tend to have a centralized set of repository mirrors, but anyone may compile and publish their own software to it. Flatpak is kind of the exception to this. Some distros (i.e. Fedora) publish their own sets of repos with flatpak packages. This is because Flatpak allows for more than one source repo for packages. I do believe Docker, Podman allow for the same as well. Snap infamously doesn't allow any repos other than Canonical's proprietary community repo.

Most of these containerized packages solutions also offer varying levels of sandboxing, which is a good set of security features that could benefit individual hosts from potentially vulnerable software. One could argue that flatpaking Firefox or other browsers and jailing them to limited capabilities and filesystem access is a good thing given the potential for malware propagation through such applications.

In particular though, most containerized solutions aren't generally hated by online user communities except Snap, which has both been among the most restrictive as well as furthest behind in features, performance parity, and general user experience. Snap was for the longest time significantly far behind Flatpak for user land applications and still wouldn't be my first choice for server applications compared to Podman or Docker due to just not being nearly as flexible as the other two.

The performance of the platforms can vary compared to native. For the desktop-oriented platforms (Snap, Flatpak) they generally perform insignificantly different from native packages, although Snap packages that are built compressed have had horrific IO performance for the loading of package files (leading to atrociously slow startup times of applications in the past). This is supposedly better now, though I have no intention of installing Snapd to find out.

As a note for culture, people particularly also dislike Snap because of how badly Ubuntu (Canonical's Linux distro) is depending on it, including having Snap automatically reinstall after removal and dropping many packages from apt only to throw redirects in to pull the snap package when requested from apt. This is why de-snapped derivatives of Ubuntu are also popular.

As for package sizes, they tend to be a bit bigger than native, as well as the added cost of a second set of libraries. Many users online don't get the 'why' when their first package from Flatpak is nearly a 3 GiB download, despite the following packages will hardly be any different in size from native packages. In a way, these packaging solutions do remove an advantage of the singular set of libraries. If you use netbooks, SBCs, IoT devices, or other similar minimal storage devices, you might feel this impact. However most systems will only have a marginal increase of storage utilization overall from a second set of libraries being installed.

ISOmorph, 10 months ago

I’ll add my 2 cents to your very well written comment.

My biggest gripe with flatpaks notably, is the more difficult integration into the system. I use about a dozen flatpaks, and for every single one I had to tinker with flatseal to give them the correct access permissions, that I had to research online. One specific flatpak coulnd’t even work with those additional permissions. Half of those flatlaks also will not follow my system theme and their GUI looks broken or out of place.

jrgd, 10 months ago

Given my limited usage of system themes to one that has flatpak packages (Materia) and tendency to go through the permissions of new flatpaks and tighten them anyway, those are good points to mention. For theming, it is definitely a trouble point depending on the platform and theme used. Especially when combining Qt5/Qt6 apps, Fltk, GTK2,3+, and GTK4 applications together, things may get even more messy than consistent theming on native applications. Having comprehensive theme packages for the theme you use almost completely resolves this problem. Though I doubt predefined customization isn't something that will be popular with some users given that ricing your Linux desktop to the extreme is a huge selling point of the Linux desktop for many.

I did forget about how especially with Flatpak and Snap how there is no actual guarantee that the default sandboxing permissions will actually be any good or even usable on many applications, which is an issue that partially comes from when community maintainers end up publishing packages for developers rather than developers or dedicated platform testers publish a given package (a common practice for many applications on the Flathub repository).

PuddleOfKittens, 10 months ago

Half of those flatlaks also will not follow my system theme and their GUI looks broken or out of place.

This always struck me as weird: the entire point of flatpak is to be isolated and not integrate into your system, why would you expect it to integrate with your theme?

I know they try anyway, but it just seems like a conceptual problem to me. They want to solve packaging by pretending it doesn't exist.

phi1997, 9 months ago

I think it's a vocal minority complaining

TimeSquirrel, 10 months ago

They feel like unmanageable warts growing on the side of your perfectly maintained software packaging system.

LemurOnRails, 10 months ago

I only have one AppImage app, because dev releases it this way (or docker, which I avoid too). I do not need flatpack and snap and avoid them, packages are ok.

PabloDiscobar, 10 months ago

First, most of the people I saw discussing it support flatpak, not packages. They support flatpak like they support a football team. example here: "Mostly because they're uneducated fools".

It's all about reputation. There are people I trust, like Steam and there are perfect strangers from the internet. Who do you trust the most between "debian VS mastakilla_51"?

Wake me up when a flatpak app is thought with clear boundaries and doesn't just request access to my whole home directory. Until then I much prefer to have a team of packager maintaining a reputation, dedicated to their job and producing fine, reliable apps.

The Audacity fiasco was a perfect example of that. The apps was bought by someone, then telemetry was introduced into the flatpak and no one saw it. Instead, the distro maintainers noticed it and deactivated the telemetry. This is how we saw the thing.

Be very careful of what you lose when you say goodbye to distro packages, don't take it for granted. If you walk the flatpak way you will have access to a mountain of unverified software built by a random person of the internet having access to your full homedir. It's like installing freewares on Windows, you end up with a lot of crap on your computer. A packages repo is not like freewares for Windows.

Yes, I know, you think flatpaks come with sandboxing. It does not, because most of these packages use /home as the sandbox anyway and people click yes. Pick some flatpaks and see the access level their require. Most of the time it's /home. This is a terrible trend and I wished more of the flatpak supporters mentioned it when they praise the tool. Some people don't care. I do.

Cryptocurrency does nothing to help you since it gives a very strong incentive to criminal to scan your homedir. Scammers will use shiny software, flatpak it, add their "secret sauce" and publish it. If you had to install a cryptowallet, would you install the one from the debian repo of the one from mastakilla_51?

Until this whole jungle is sorted out: thanks, but no thanks.

cinaed666, 10 months ago

https://github.com/obsproject/obs-studio/pull/2868

This is a good example of this kind of evangelism for the hot new packaging standard gone wrong.
A pull request was made for a half-baked appImage version of OBS by appImage creators.
They refused to support it, and the OBS developers refused to merge it because they have no appImage knowledge.
Drama ensued.

I do like how nixOS is tackling this issue, but I don't really care enough to switch away from Arch.

PabloDiscobar, 10 months ago

ouch

This thread is closed, but I'm going to make a final reply before I ban you and your associate from our organization for your inflammatory, incorrect, and downright rude comments. Actions have consequences. Any time anyone asks us why we don't support AppImage, I'm going to point them to this thread, and how it was you, personally, who irrevocably burned all bridges with our development team.

And then he harassed the OBS team claiming that "users want appimages"

Limitless_screaming, 10 months ago

Why should the GUI application be a system package? Why shouldn't we have the good permission system that Android has? Why is the distro packaging every piece of software out there a good thing? Why is a couple of packages using more space a big deal to you?

I never can understand those people who are just against the idea of flatpaks. On the other hand, I can see why you'd be against it for the state in which it is right now.

PabloDiscobar, 10 months ago

Let's all use snaps then!

"No, I didn't mean Snaps, I meant Flatpak"

Annnnd we are back at square one. flatpak is just another distro, with the limitations of a distro. You are basically asking for a unique distro to rule them all.

Limitless_screaming, 10 months ago

That's not what I am asking about; fragmentation is another separate problem. What I am asking is why would you be against the idea of flatpak, if you use snaps, then you're with the idea of flatpak (to some extent).

PabloDiscobar, 10 months ago

I already posted something on the subject

https://kbin.social/m/linux/t/207700/Question-Why-does-everyone-seem-to-dislike-containerized-packages#entry-comment-901794

e_t_, 10 months ago

I don't like it when a project's website only says "here, run this Docker container" and doesn't have manual setup instructions. I don't want to just run a black box Docker container, I want to know what the knobs are and what they do.

SFaulken, 10 months ago

Mostly because they're uneducated fools, that haven't any actual idea what the hell they're talking about.

Unless you're pulling sources, and building everything yourself, everything you get from most major distributions is "pre-compiled".

People hate anything new, they fear change, and they like drama, that's all it is.

jrgd, 10 months ago

It is disingenuous to simply state that people think new = bad. There are definitely both advantages and disadvantages to the current containerized packaging platforms / formats at the moment. Some of which, some people may see as greater positives, negatives than others.