TOOT Chalec

My first public article/blog post:

Flatpak - an insecurity nightmare

https://orowith2os.gitlab.io/posts/Flatpak-an-insecurity-nightmare/

Thanks to @TheEvilSkeleton for reading over it :)

My experience is that when an app from flatpak does not work anymore on your distro, neither distro maintainers nor flatpak maintainers consider it in their scope to try fixing that. If the app is also provided by the distro, one option is to switch to it, but if it is an LTS distro, it will be an older version and you may not be able to reuse any stored data made with the flatpak version. So my advice would be: don't use flatpak for any app where losing all your data would be a problem.

@avron @TheEvilSkeleton

Funny, I'd advise the exact opposite. If you flatpak everything, unless an app EXPLICITLY asks for access to specifically those app configuration files, they can't modify other apps. Not even with full filesystem=host permissions. Traditional packages are exempt for obvious reasons.

And fixing the applications *isn't* the package maintainer's job. They just build and/or wrap it in a neat little bundle that you can install and run. The upstream developer should be fixing their app, ideally moving to something newer they can support (Flatpak!)

Migrating your data isn't that hard either, it's just moving a few files. Not too big of a deal. Just don't expect it to migrate everything automatically, nor should it in the first place tbh.
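As an added example (not from either poster, and not Flatpak's own code), the following Python script parses the keyfile-style metadata that Flatpak keeps for an installed app and flags the broad permissions the reply above is talking about: `filesystems=host`/`home`, an explicit grant into another app's `~/.var/app/<id>` directory, unfiltered `session-bus`/`system-bus` sockets, `devices=all`, and `talk` access to `org.freedesktop.Flatpak` (which lets the app run commands on the host via `flatpak-spawn --host`). The metadata text, the app ids in it, the `SAMPLE_METADATA` name and the severity labels are all constructed for illustration; on a real system you would feed it `flatpak info --show-metadata <app-id>` instead.

```python
import configparser

# Constructed sample metadata in the layout Flatpak uses (app ids are made up).
# A real one comes from: flatpak info --show-metadata <app-id>
SAMPLE_METADATA = """\
[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/23.08
sdk=org.freedesktop.Sdk/x86_64/23.08
command=editor

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;
filesystems=host;xdg-config/fontconfig:ro;~/.var/app/org.other.App:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
"""

# Filesystem keywords that expose (nearly) the whole host or home directory.
BROAD_FILESYSTEMS = {"host", "host-os", "host-etc", "home"}
# Sockets that hand the app an unfiltered D-Bus connection.
BROAD_SOCKETS = {"session-bus", "system-bus"}


def parse_metadata(text):
    """Parse Flatpak's keyfile metadata into {section: {key: value}}."""
    # '=' only: filesystem entries contain ':' (e.g. xdg-config/foo:ro).
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep case; D-Bus names are case-sensitive
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def split_list(value):
    """Flatpak list values are ';'-separated with a trailing ';'."""
    return [item for item in value.split(";") if item]


def audit_permissions(meta):
    """Return (severity, message) findings for permissions that weaken the sandbox."""
    findings = []
    ctx = meta.get("Context", {})

    for entry in split_list(ctx.get("filesystems", "")):
        path, _, mode = entry.partition(":")
        mode = mode or "rw"  # no suffix means read-write
        if path in BROAD_FILESYSTEMS:
            findings.append(("high", f"filesystems: {path} ({mode}) exposes most of the host filesystem"))
        elif path.startswith("~/.var/app/"):
            # This is the explicit grant the reply mentions: reaching into
            # another Flatpak app's private data directory.
            findings.append(("medium", f"filesystems: {path} ({mode}) reaches into another app's data dir"))

    for sock in split_list(ctx.get("sockets", "")):
        if sock in BROAD_SOCKETS:
            findings.append(("high", f"sockets: {sock} gives unfiltered D-Bus access"))
        elif sock == "x11":
            # X11 has no isolation between clients, so this weakens the sandbox.
            findings.append(("medium", "sockets: x11 lets the app see and inject input to other X11 clients"))

    if "all" in split_list(ctx.get("devices", "")):
        findings.append(("high", "devices: all exposes every node under /dev"))

    for name, policy in meta.get("Session Bus Policy", {}).items():
        if name == "org.freedesktop.Flatpak" and policy in ("talk", "own"):
            findings.append(("high", "D-Bus: org.freedesktop.Flatpak access allows flatpak-spawn --host (commands outside the sandbox)"))
        elif name.endswith(".*") and policy in ("talk", "own"):
            findings.append(("medium", f"D-Bus: wildcard {policy} on {name}"))

    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}, handy for a pass/fail gate."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in audit_permissions(parse_metadata(SAMPLE_METADATA)):
        print(f"[{severity}] {message}")
```

The point of the script is to make the "explicitly asks for access" part of the reply visible: the only way the sample app can touch `org.other.App`'s data is the `~/.var/app/org.other.App:ro` entry it declared itself, and that entry shows up in the audit. Permissions granted later with `flatpak override` live in a separate overrides file and are not covered here.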

Based on advice from upstream developers, I once had the foolish idea to use flatpak in order to have a newer version of the app. At some point, it stopped working but it was only on my distro so they said "not our problem". Then I wanted to move back to my distro's version and it would not recognize anything stored by the new version, so I had to start from zero. I will not forget that lesson soon.

I guess flatpak has technical benefits (and drawbacks) and I am pretty ignorant about that, but this is not the issue here.

I forgot one perhaps key point: I use a stable distro, so packages have been tested for a while, apps should not break and maintainers just care about security updates. If one uses a rolling release distro, things may break at any time anyway.