Recently I ran numerous tests on Flatpak and snap in an attempt to determine which would be more useful in my environment. After about a week of testing, I have arrived at a pretty ‘surprising’ set of findings. They are certainly not what I expected to uncover. If you are interested in reading the ‘full monty’ you may access it here:
Keep in mind that snap sandboxing doesn’t work at the moment on systems without full AppArmor support, i.e. systems other than Ubuntu.
With sandboxing support both snaps and flatpaks are significantly more secure than default firejail profiles.
Snaps and sandboxing on Manjaro [Solved]
Good to know. Perhaps @Madyson.Armstrong30 you can help me (us) understand the added benefits above those of firejail. I didn’t find those enumerated anywhere…
Good read, and thank you for that. Fedora is going in the direction of using Flatpak as the package manager in near-future versions, along with immutable filesystem and atomic updating, etc., possibly in Fedora 30. That’s what is presently used in their Atomic Workstation version, though package management is in-transition at the moment.
So I’m glad to see your conclusions between the two, since I have never used Snapd. CentOS & Red Hat already have similar (atomic) projects in the works and I think maybe their combined “weight” will outweigh Canonical’s Snapd.
Reading that I thought I had grime on my monitor, on closer inspection it was the speckled background of the page. Oh well, at least my laptop screen is very clean now.
Snap repo is controlled by Canonical, hence why I choose flatpak, and why I think down the road snap will be the historical equivalent of betamax.
Wow, very interesting.
In Snap/Flatpak, sandboxes are fine-grained for the specific app: there is no access to your host except what the app is supposed to use. Moreover, access can be granted dynamically through document portals. Also, there is no way to accidentally run your app without the sandbox.
In firejail there is a one-size-fits-all approach trying to support every distro and every workflow and config users may use. It’s generally based on blacklisting known sensitive things, which doesn’t help when the user has an unusual configuration. There is also whitelist support, but it’s limited to a few top directories and requires an enormous amount of work to manually select every binary, library and dotfile a specific app may need now or in the future across many distros. Also, it’s easy to accidentally run an app unsandboxed, i.e. through a listening bus socket.
There is also the question of firejail’s own security, since it is a big setuid program that may be used for malicious purposes.
Of course the price to pay for better security is worse system integration (themes, fonts) and installing apps outside the distro package manager.
Still, using firejail is better than nothing, but if someone prioritises security then Flatpak/Snap is the better choice.
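An added example (not from any poster in this thread) of the “fine-grained, per-app” point above: a POSIX shell script that parses the [Context] section of a constructed Flatpak metadata file and rates the static permission holes, so you can see exactly which host access an app ships with before running it. The app id, runtime and permissions are made up, and the rating rules are my own, not Flatpak’s.

```shell
#!/bin/sh
# Constructed sample (not a real app): a Flatpak "metadata" file as installed
# under ~/.local/share/flatpak/app/<id>/current/active/metadata.
# The [Context] section lists the static sandbox holes the app ships with.
SAMPLE_METADATA='[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home;xdg-download;~/.ssh:ro;
'

# audit_flatpak_context: print one "LEVEL<TAB>key<TAB>value" line per
# [Context] permission, rating the broad ones that defeat the
# "no host access except what the app needs" property.
# The level thresholds are this example's own, not Flatpak's.
audit_flatpak_context() {
  printf '%s\n' "$1" | awk -F= '
    /^\[/ { in_ctx = ($0 == "[Context]"); next }
    !in_ctx || $0 == "" { next }
    {
      key = $1; n = split($2, vals, ";")
      for (i = 1; i <= n; i++) {
        v = vals[i]; if (v == "") continue
        level = "info"
        if (key == "filesystems" && (v == "host" || v == "home" || v == "host-os" || v == "host-etc")) level = "HIGH"
        if (key == "sockets" && v == "x11") level = "MEDIUM"   # X11 clients can observe other windows
        if (key == "sockets" && (v == "session-bus" || v == "system-bus")) level = "HIGH"
        if (key == "devices" && v == "all") level = "HIGH"
        print level "\t" key "\t" v
      }
    }'
}

# count_findings METADATA LEVEL: how many findings were rated LEVEL
count_findings() {
  audit_flatpak_context "$1" | awk -F'\t' -v want="$2" '$1 == want { c++ } END { print c + 0 }'
}

audit_flatpak_context "$SAMPLE_METADATA"
```

Run it against a real app by replacing SAMPLE_METADATA with the contents of that app’s metadata file; a HIGH line means the app can reach your whole home directory or the D-Bus buses regardless of portals.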
@Madyson.Armstrong30 there certainly are always trade-offs to be made. Thank you for providing your insight.
I just started using Flatpak as a replacement for the AUR (because I only use the AUR for proprietary software like VS Code). It seems like an interesting thought if you only have a few pieces of proprietary software to install.
Is it good judgement to use Flatpak/Snap as a replacement for the AUR wherever possible? (I am 100% sure the AUR cannot be replaced by Flatpak, but still…!)
I always feel AUR could be less secure than the traditional repos. Maybe I missed something. I would like to know what you all think.
IMO, there is no answer to this question. There are pros and cons to using each method. With the AUR you can read the PKGBUILD and understand exactly what it is doing, whereas a Flatpak is more of a black box. Ultimately, you need to decide how much to trust the source in either case. Flatpaks are larger, don’t always integrate properly and need a separate updating mechanism. On the other hand, they provide sandboxing and generally are bundled with compatible libraries.
My personal experience is that some Flatpaks work better than others. I tend to get my software from the AUR unless there is a reason not to. For me, the convenience of a single update path and the more consistent integration make the AUR a better choice.
When I tried using the Flatpak version of vscode on another distribution I had quite a few problems with plugins installing and working.
Hmmmm. That is good to know! Thanks @dalto. I just started using Flatpak today.
OK. That is something that I overlooked. So how does the update happen for Flatpaks then? I am guessing Pamac will not notify. Would installing gnome-software help with that? Do you know by any chance?
How do AppImages fit into this discussion, and are you using them?
I’m using a couple of AppImages on my 16.04 Ubuntu GNOME 3 setup. DigiKam didn’t package it in such a way that you could launch it using a launcher. Rather, I have to go to the file and double-click. It launches a bit slowly but runs fast.
The Bitwarden folks packaged their AppImage so that it does work with launchers.
My hatred of apt and snap was a big motivator for me to try Manjaro.
This conversation is helpful.
I use a couple of AppImages. One is my note taking application, StandardNotes. It is self-updating and the AUR package was often broken.
I find AppImages convenient when you use mostly repo software and want to supplement a small number of applications without bringing in a ton of dependencies.
There was an AppImage launcher in the repos that handled adding desktop entries automatically.
That being said, it is probably worth noting that digikam is in the repos and bitwarden is in the AUR.
Where do AppImages stand regarding the sandboxing safety issue?
I am not an AppImage expert, but I don’t think they provide any sandboxing. I think they are just bundled with everything you need included.
But another thing to keep in mind is that Flatpak/Snap (mostly Snaps) have a lot of apps which are directly maintained by the upstream developers/owners. So that is definitely a plus.
So are the AppImages; all the ones mentioned above are provided by the publishers/developers.
What about updates for all the AppImage apps? I don’t know, which is why I am asking.
But my understanding is you don’t get auto-updates for a lot of AppImages. Isn’t that right?