this post was submitted on 08 Mar 2024
0 points (NaN% liked)

Linux

48077 readers
707 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

How does it stack up against traditional package management and others like AUR and Nix?

top 50 comments
sorted by: hot top controversial new old
[–] Shareni@programming.dev 0 points 8 months ago (1 children)

How does it stack up against traditional package management and others like AUR and Nix?

I only used AUR for a few packages (<5 at a time). It's to be avoided and only used if the other options are a massive pain (unless it's an official package).

Then I left Arch and eventually landed on MX. During that time Nix with home-manager has slowly replaced flatpak, and I don't even have it installed anymore. Nix is better in every way, except for ease of use.

Flatpak has great gui integration (for gui tools). You can click through everything, and the updates are unified. It usually works perfectly fine if you just need to install a few programs.

With nix, there's a lot more setup, but there are many benefits. You end up with a list of packages, and that's really useful because you can take a fresh install, install nix and home manager, and then run a single line to reinstall everything. You can rollback updates, pin specific versions, install packages from a repo (if it has a flake.nix with outputs), and also configure them. I'm using the unstable branch, and it's giving me bleeding edge packages on Debian. And there's no risk of outdated system libraries, like with flatpak, because it provides everything.

[–] Guenther_Amanita@feddit.de 0 points 8 months ago (1 children)

That all sounds great, thanks!
Do you have any tips for an "easy" start, where everything is already pre-configured?

[–] Shareni@programming.dev 0 points 8 months ago* (last edited 6 months ago) (1 children)

Nope, and that's the worst part of nix. I'm actually planning on writing a short startup guide, but I need to solve a few more issues first.

But, this should help you out until then:

The home.nix should be automatically generated, and that's where you put all of your packages. I left a few as an example.

NixGL is needed to use openGL (nixGL lutris for example). It works in most cases, but I couldn't get alacritty or kitty to work. There are some ways to have packages automatically use it, but I still haven't tried them out.

Flake allows you to select the correct nix repo (stable/unstable), appropriate home-manager version, and add outside packages like nixgl. It's technically not necessary, but I wouldn't go without it. Here I'm using the unstable repository, check the relevant docs if you want to go with releases instead.

The equivalent of apt update && apt upgrade is nix flake update && home-manager switch --impure. I like cd-ing into the nix dotfile directory (all of the files are in there and symlinked to ~/.config/ locations), but you can also use command line arguments to point to the flake.

nix flake update updates the package definitions to what's in the repo

home-manager switch install them, and also updates any configs it's managing. The --impure is only needed if you're using nixgl (bad build commands depend on system time).

nix-collect-garbage to force a clean up of unused packages

https://search.nixos.org/packages makes searching for packages a lot easier

https://mynixos.com/search?q=home-manager+ same, but for finding options to configure packages through home-manager

Comment if you need help

update: removed nixGL from flake and home, installed it through nix-channel in order to not use --impure during home-manager switch

[–] Guenther_Amanita@feddit.de 0 points 8 months ago* (last edited 8 months ago) (1 children)

Thanks! I saved the comment for later.

What advantage do you see in Nix compared to Distrobox?
I personally enjoy DB because of its simplicity.
I just open BoxBuddy, create a new container from the dropdown-list, and then just start using my Debian or Arch container on top of Fedora Atomic for example.

The two main benefits I see in Nix are the reproducibility and the big repo. But in case of the repository size, Debian and Arch (+ AUR) are extremely big aswell.
Are there any other big benefits, that I can't get with Distrobox, but with Nix?
Just as a small side note, I'm no power user and tend to use my PC more like a casual guy.

[–] Shareni@programming.dev 0 points 8 months ago* (last edited 8 months ago) (1 children)

I haven't used distrobox, so take this with a grain of salt:

  • reproducibility: if you copy my nix files, the flake.lock will ensure you have the exact same results as me

  • declarative package management: you make a list of packages and the declarative nature forces you to keep it up to date at all times, that's how you install/remove them. On arch you need to -Syu the package and remember to add it to an installation script (I never did). This also allows for easier maintenance because you don't need to go through random dependencies to find an unused package you've installed (~100 packages on the list == almost 2000 packages installed). If there's a distrobox version of a Dockerfile, you can do the same but it will most likely have the same disadvantages.

  • home-manager allows you to configure packages (usually not worth it though)

  • no need to export packages, when you install them they're immediately available in your main distro

  • combine these and you have an extremely simple setup to distrohop, or work on multiple devices. You can also for example break off certain packages in a separate module, and only install them on a certain machine.

  • I'm guessing updates are easier, and if it breaks something, you can easily rollback to a previous generation. It will not only revert to the exact same packages you used previously, but it will also revert any package configs it controls. And on top of that it lets you pin a package to a specific version, and upgrade everything else.

  • cross-platform: you can take your list and install the same packages on win/mac natively. They don't need to run linux in a vm like a container would

  • less storage used?

  • temporary package installs. For example I only needed arandr for 30 seconds to set up a new monitor, so I just nix shell nixpkgs#arandr and it created a shell with that package. When I was done I just closed the terminal, and didn't need to think about it anymore. The package was completely removed the next time I ran nix-collect-garbage.

  • you need a package that's in no repository, but it has a flake with all of the compilation dependencies? You just cd into the repo, nix develop, and you've got a temporary environment with everything you need to start following the compilation instructions

But in case of the repository size, Debian and Arch (+ AUR) are extremely big aswell.

Arch has a lot of packages, but there are some that I had to install through aur which I don't like. Nixpkgs have so far had everything I needed, except for nixgl (although I couldn't get a few of them to work). Also, you can chose between "stable" and unstable repos. Arch doesn't have a frozen version with updates every ~6 weeks, and no other release based distro comes even close in either quantity or freshness.

That's what I can think of for a casual user. There are a lot more benefits for professionals to be honest, and I wouldn't suggest nix at all if home-manager didn't massively simplify the whole process. Getting to those few simple files from above was a massive pain, and it's made even worse by the official nix guide suggesting outdated methods, and most of the support threads being for nixos. With them, you can get going in like 10 minutes even if you don't know anything.

[–] Guenther_Amanita@feddit.de 0 points 8 months ago

Thanks for your great explanation!
How up-to-date are the packages, compared to Flatpaks?

IIRC, I used Nix a while ago to install a program, which was supposedly hard to build for Linux and crashed all the time as Flatpak. Sadly, the Nix version was almost a year old and also not great.

But I think I'll take a look into it again. I began using terminal apps a lot more and also became a huge fan of image based distros, and I think Nix packages have similar benefits as immutable distros.

[–] Lemmchen@feddit.de 0 points 8 months ago

Does anyone know how they handle spoofed malware? I can never figure out whether I can trust the packages from flathub. I always have to check the official website of the particular software first.

[–] Jesus_666@feddit.de 0 points 8 months ago* (last edited 8 months ago) (1 children)

On the one hand I like the basic idea, on the other hand I think that some fundamental problems aren't fully solved yet. There big use case are passkeys and direct password manager integration – neither mesh well with the idea of software that isn't allowed to talk to most of the system.

I'm certain that this will be resolved at some point but for now I don't think Flatpak and its brethren are quite there yet.

[–] Pantherina@feddit.de 0 points 8 months ago

passkeys

Dont know, may already work? Keyword adaption

direct password manager integration

Not sure what that means, but probably native messaging, a biig missing portal.

Flatpak has an Inter-process-communication permission, so software could absolutely be opt-in allowed to talk, while keeping security for the rest. Apps cant see each others ~/.var/app/org.app.name/ storage though, never.

[–] scratchandgame@lemmy.ml 0 points 8 months ago (1 children)

I personally think it is trash..

[–] Pantherina@feddit.de 0 points 8 months ago (1 children)

Just putting "personally" in front of an unfounded statement doesnt make it better

[–] scratchandgame@lemmy.ml 0 points 8 months ago (1 children)

Why it is unfounded?? The sandbox is still a lie (flatseal is impractical security since it makes you become a security researcher overnight), apps are not properly filesystem-unveiled. But a new level of complexity.

[–] Pantherina@feddit.de 0 points 8 months ago (1 children)

Could you explain "filesystem-unveiled"?

Apps are not updated to support portals for "compatibility" or just lack of maintenance. Flatpak needs to follow their approach if they want to have many apps being supported.

Desktop Linux doesnt have the marketshare to dictate that all apps need to adopt portals. In the meantime, flathub.org has a rating system and verified checks, this is simply not well shown in KDE Discover and not sure about GNOME software.

[–] scratchandgame@lemmy.ml 0 points 8 months ago* (last edited 8 months ago) (1 children)

Could you explain “filesystem-unveiled”?

Means its filesystem access is restricted.

For example, chromium on OpenBSD use the unveil(2) system call to restrict itself to /tmp and $HOME/Downloads .

Many popular flatpak applications have filesystem=host. This is equal to restrict all filesystem access and then unveil the whole filesystem.

Apps are not updated to support portals for “compatibility” or just lack of maintenance. Flatpak needs to follow their approach if they want to have many apps being supported.

Desktop Linux doesnt have the marketshare to dictate that all apps need to adopt portals. In the meantime, flathub.org has a rating system and verified checks, this is simply not well shown in KDE Discover and not sure about GNOME software.

If they can't even enforce portals, flatpak is a new level of complexity.

So I said it is trash.

[–] Pantherina@feddit.de 0 points 8 months ago (1 children)

Good that Chromium does that, but this means if it doesnt use portals many things will be broken.

The host access is not actually everything

These directories are blacklisted: /lib, /lib32, /lib64, /bin, /sbin, /usr, /boot, /root, /tmp, /etc, /app, /run, /proc, /sys, /dev, /var

Exceptions from the blacklist: /run/media These directories are mounted under /var/run/host: /etc, /usr

Portals need a change in the app code that is not huge but differs from other packaging formats on any distro and OS. So it sucks that its so slow but that has a reason.

[–] scratchandgame@lemmy.ml 0 points 8 months ago (1 children)

The host access is not actually everything

Not as restrictive as chromium's unveil.

For home it even restrict to the downloads folder, not accessing the whole home directory.

[–] Pantherina@feddit.de 0 points 8 months ago

Yes that only works for browsers and would completely break image viewers, document editors etc

[–] OsrsNeedsF2P@lemmy.ml 0 points 8 months ago (1 children)

People need to realize that before Flatpak, distributing a small-time Linux app was a nightmare. Appimages were your best option if you wanted to avoid distro specific builds, PPAs and AUR, etc. Ever since packaging 2009scape on Flathub I haven't looked back. It auto updates. People can find it from software centers. It works on all distros. It connects straight to upstream's CICD. It even forced us to adopt XDG compliance so we could sandbox it better.

Yes, Flatpak has downsides like the download size (on disk it doesn't matter because it gets compressed and the runtimes are shared, same as literally any other package manager). But overall, I hugely welcome it over the options we had before. Much love to the Flatpak and Flathub devs!

[–] Pantherina@feddit.de 0 points 8 months ago (1 children)

Flatpak shooould just download the diffs

[–] OsrsNeedsF2P@lemmy.ml 0 points 8 months ago (1 children)

They should, actually. Google released a tool for downloading only the diffs on binaries a few years ago

[–] Pantherina@feddit.de 0 points 8 months ago

They use ostree afaik, so "they should" as in "I think they do"

[–] daniyeg@lemmy.ml 0 points 8 months ago (2 children)

purely as an end user i hate how much it downloads with each update and how much it uses the disk space although that's much less of an issue. i know it's solving a real problem and relieving a lot of the headaches of developers maintaing packages for each distro's specific package standard, but it's simply not the software distribution solution for people without at least well enough internet.

i wouldn't use any distro with flatpaks as its main way of delivering software and i would in almost all cases always choose alternatives even if it's outdated. i don't necessarily hate flatpak itself but for me i don't want to spend money on extra data cap and wait 30 minutes for a small update for my game launcher to finish.

the appimage of one of the applications i was interested in was 3 times less than the average flatpak update so redownloading the appimage every time would be better. if i installed more packages yeah the math would be better but it's still wasted data per update no matter how small it actually is. i found out after a while of using flatpak that i wouldn't just update and was stuck with outdated software anyway.

load more comments (2 replies)
[–] rotopenguin@infosec.pub 0 points 8 months ago (1 children)

My main problem with Flatpak is that it hands temporary /var/run/1000 file links to programs instead of real filenames. That would almost be bearable, if Flatpak also took responsibility for keeping those links from breaking sometime after your next reboot.

If I say "here is a path that an app is allowed to use", flatpak should just allow an open() in there to work. It should not lie about the name of files in there. An app should be able to open a file there, remember that name, and count on being able to access it again in the future.

Other than that, Flatpaks are the bees knees. I love finding something I want to do, finding a solution in the flatpak store, and click-click I'm already doing shit. Finding Windows software is absolute garbage next to this.

[–] Pantherina@feddit.de 0 points 8 months ago* (last edited 8 months ago)

Thats basically persistent portals. Would be possible if Distro portals had a button to give the app permanent (static) permission to that dir.

Would indeed be useful and not hard to implement. In the portal window just add a button "permanent" which does

flatpak override --filesystem=$PWD org.app.name

Want to open a discussion or Feature request for your desktops portal?

[–] synae@lemmy.sdf.org 0 points 8 months ago (1 children)

Where's that Chris Pratt meme? --

I don't know what that is and at this point I'm afraid to ask

[–] Pantherina@feddit.de 0 points 8 months ago

Flatpak is a project trying to fix many things at once

  • make apps that work on every distro
  • thus have apps officially supported by the devs, unlike distro packages mostly
  • sandbox apps with an android-like permission system with a rating system
  • use modern standards like delta-downloads, deduplication and BTRFS compression to save storage space
  • make everything nice and user friendly
[–] Montagge@lemmy.zip 0 points 8 months ago (1 children)

I use it but I hate how much space it uses and I hate when I update flatpaks I have no idea how much is going to download.

[–] Pantherina@feddit.de 0 points 8 months ago

https://gitlab.com/TheEvilSkeleton/flatpak-dedup-checker

And it should only download the diffs, not everything.

[–] JackGreenEarth@lemm.ee 0 points 8 months ago (1 children)

Doesn't work properly, apps are bigger and don't always apply GTK themes. I also can't easily edit the desktop file to edit the icons. I therefore only use it as a backup when I can't find an app on the AUR or office repositories, which is very rare.

load more comments (1 replies)
[–] atzanteol@sh.itjust.works 0 points 8 months ago* (last edited 8 months ago) (2 children)

I'm a bit "eh" on flatpak. The only benefit I see is that it's sometimes more up-to-date than what I can get from an LTS package repository. As a heavy CLI user they force me to find and click icons which is irritating (yeah - I know about flatpak run something.I.always.forget but that's even worse somehow).

I've hit occasional issues with applications being too locked-down. Like with Darktable only being able to see things in $HOME/Pictures. But I keep my photography work in a different location so it can't see it. I had to jump through some odd hoops to fix that. Not a problem of flatpak itself per se but something you can expect when dealing with package makers.

I fall back on flatpak if the version available through the standard package manager is too out-of-date for my liking. Other than that I can't be bothered.

EDIT: Okay - for people who think they're being "helpful" by telling me that "aliases are a thing" just stop. I'm not going to workaround a broken system. I'm going to use another one that isn't broken (or less broken).

[–] zephr_c@lemm.ee 0 points 8 months ago (1 children)

If you're going to use flatpak from the command line you're definitely going to need to start aliasing those flatpak run commands. It's still annoying, but at least that way it's only annoying once.

[–] atzanteol@sh.itjust.works 0 points 8 months ago (1 children)

No. I'll use snaps before I start maintaining a bunch of aliases that I shouldn't have to. It's a flaw in flatpak.

[–] Pantherina@feddit.de 0 points 8 months ago (1 children)

No snaps are insecure on other distros that Ubuntu, as they are only isolated using apparmor. Also they are nonfree by design, just no.

[–] atzanteol@sh.itjust.works 0 points 8 months ago (1 children)

They're not insecure. No more so than when I install a package via apt. No more so than when I download some code and compile it. This is propaganda.

[–] Pantherina@feddit.de 0 points 8 months ago (1 children)

They are less secure than flatpaks and there was malware on that store

[–] atzanteol@sh.itjust.works 0 points 8 months ago (1 children)

You think the unverified flatpaks which choose their own permissions are "safe"?

[–] Pantherina@feddit.de 0 points 8 months ago (1 children)

You have the option to add the verified subset only, and you can always check permissions before starting an installed app, and it will not start before.

[–] atzanteol@sh.itjust.works 0 points 8 months ago (5 children)

I'm sure everyone does that.

load more comments (5 replies)
[–] Pantherina@feddit.de 0 points 8 months ago* (last edited 8 months ago)

Try this aliasing script I made

No idea if it still works lol, but should tbh. I think its even pretty well done.

  1. Lists your installed flatpak apps
  2. Searches for already added aliases
  3. Convert the appname to be the last part, remove - _ and make uppercase letters lowercase
  4. Alias to bash, fish, zsh

Only thing missing is handling duplicate apps I think.

load more comments
view more: next ›