Article doesn't mention my biggest problem with flatpaks, that the packages are not digitally signed. All major Linux distros sign their packages, and flathub should too. I would prefer to see digital signatures from both flathub and the package's maintainer. I don't believe flathub has either one currently.
this post was submitted on 02 Jun 2025
149 points (96.9% liked)
Linux
7632 readers
226 users here now
A community for everything relating to the GNU/Linux operating system
Also check out:
Original icon base courtesy of lewing@isc.tamu.edu and The GIMP
founded 2 years ago
MODERATORS
It is possible to sign a flatpak, but yeah distributors need to actually do that and flathub should require published flatpaks to be signed.
What would they sign it with? How do you verify the signature?
I have no idea why you're being down voted. The whole thing with flatpacks is that they come from a large number of individuals, maybe the author of the software, but often not from a central organization you can trust. That's the fundamental difference to distro repos, who can just have a single anchor for trust.
Mindlessly signing something doesn't increase security in any way. Then requiring it just means hassle to having to add keys to be trusted every time you want to install anything. Malicious actors can just create a key and sign the package as well. That's the whole reason it isn't required in the first place.
Mozilla, for example, would sign Firefox's flatpak with a PGP key that they would disclose on their website. You verify the signature using the RSA algorithm (or any other algorithm for digital signatures. There are a bunch.) Or, you could just trust that your connection wasn't tampered the first time, then you would have the public key, and it would verify each time that the package came from that same person. Currently, you have to trust every time that your connection isn't tampered.
Major flatpak providers (Flathub at the very least) would include their PGP public key in the flatpak software repo, and operating system vendors would distribute that key in the flatpak infrastructure for their operating system, which itself is signed by the operating system's key.
that they would disclose on their website
Wouldn't it make more sense then for them to simply host the Flatpak themselves? I kind of thought that was the whole idea of Flatpak.
Best to do both, really, so a record of using a consistent public key is created.
Then supply chain attacks might be noticed. If someone manages to replace the file on the webserver but can't get to the signing key you've prevented the attack.
F-Droid seems to manage it just fine. It's even got reproducible builds.
I wish it opens a prompt asking a list of permissions when open for the first time. Like, VSCodium always needs local file system access, VPN clients always need network interface permission, etc.
Yeah, we have Flatseal, but it should be automated by the publisher to have a list of prerequisite permissions.
Android is very underrated
Hmm. This hard on the heels of Sebastian Wick's comments that core Flatpak development had largely stalled (2025-05-14).
I wonder what happened here. There seems to be a disconnect. TA does acknowledge Wick's talk; it's hard to reconcile the two messages, though.
hey still better than snaps
Still worse than tar.gz
Flatpak is quite fucking far from perfect, and will always remain so due to its flawed design and UX approach.
Pretty sure the culprit here is Fedora’s packaging which adds an opaque systemd timer to run auto-updates, but the thread immediately next to this one on my homepage just happened to be a nice case-study in Flatpak fuckery: https://lemmy.world/post/30654407
Of course, the proposed changes in the article do nothing to fix this sorta problem, which happens to be the variety that end users actually care about. Flatpak is an epic noob trap since it pretends to be a plug-n-play beginner friendly tool, but causes all sorts of subtle headaches that newcomers inevitably don’t have diagnostic experience to address.
The problem of there being a separate runtime for each video driver version was explicitly discussed in the article:
If you are part of the huge part of the population who happens to own a Nvidia GPU, it's a whole other can of worms. There are Flatpak runtimes that target specific Nvidia driver versions, but they must be matched with a compatible version installed on the host system, and it is not always a process as smooth and painless as one would hope.
An improvement idea that is floating around is to, basically, just take a step back and load the host drivers directly into the runtime, rather than shipping a specific version of the userspace drivers along with the application. Technically, it is possible: Valve's Linux runtime is pretty similar to Flatpak architecturally, and they solved this problem from its inception by using a library called libcapsule to load the natively installed host drivers into the Steam Runtime. This is the reason why it's significantly rarer that an old Steam game fails to launch on a new GPU, compared to the same scenario on Flatpak!
Ah - I totally missed the Nvidia-related bit! Thanks for flagging that.
That being said, based on the maintainers’ past stances, I’m pretty pessimistic on them actually implementing a fix like that. They’re very much against the general practice of poking holes in their sandbox security perimeter.
That solution sounds like a no brainer. I assume it's easier said than done (and maintained) ?
I really think if flatpaks were built upon nix, it would resolve these problems. It would however bring a new problem: people would have to learn forsaken nix 💀
It's not clear that it would, because the root problem is locking a package to a particular version of the nvidia drivers, which nix would not solve. Unless I am missing something?
Flatpak doesn't have a UI? It is a packaging format.
Flatpak: a system for building, distributing, and running sandboxed desktop applications on Linux.
Flatpak application: an application installed via the flatpak command or through a graphical interface, such as GNOME Software or KDE Discover.
Runtime: also called platform, an integrated environment providing basic utilities needed for a Flatpak application to work.
Flatpak bundle: a single-file export format containing a Flatpak application or runtime.
From https://docs.flatpak.org/en/latest/introduction.html#terminology
You might be thinking of AppImages, which are more of a pure file format.
Are you talking about theming?
I’m talking about the executable binary flatpak, which is the interface used to execute and manage applications distributed in the Flatpak bundle format.
https://docs.flatpak.org/en/latest/flatpak-command-reference.html#flatpak
Guess my next GPU will be AMD
it's been a dream, honestly.
I've had them for a long time and never had problems with any.
ok, that's cool. thanks for sharing.
i started experimenting in the world of immutable distros. it's very cool stuff going on in this space. but it relies very heavily on Flatpak, and i worry that Flatpak isn't up to the standard it needs to be in order to be this intrinsic to this paradigm.
i hope they can step it up.
I, too, am experimenting with immutable Doritos.
I'm running Bluefin, so far I'm quite pleased. Anything needing deeper access or only available in package form, I've been able to run in boxes.
Edit: I'm leaving it
Thanks for sharing your experiences! As much as I absolutely love and favor 'immutable'/atomic ~~"Doritos"~~ distros over their traditional counterparts, I can't but accept the reality that it's not (prime-time) for everyone (yet). Though, I do wonder what put you off (specifically). Would you mind sharing it?
Anything needing deeper access or only available in package form, I’ve been able to run in boxes.
I assume you're referring to distroboxes and not to (GNOME's) Boxes used for running VMs.
Howdy! Hmmm, not sure I understand the first question. What put me off? So far I really like Bluefin. Most of my Linux experience prior to this was with Ubuntu, I've been tinkering with it since it's second or third release. I also played with some lightweight Xfce based distros for a bit, I think it was the original damnsmalllinux?
At any rate, I daily drove Ubuntu for a year or so, every few years. I always faded away for various reasons, ending up back on Windows.
I've always had some flavor of Debian on a spare machine laying around somewhere though. My extremely unimpressive home server has always ran Ubuntu.
I toyed with arch on an old Chromebook, but that wasn't for me at all.
I got a steam deck when they first came out, and that reinvigorated my desire to play with Linux on the desktop. But that still didn't push me over the edge into installing it on my main machine.
I bought a framework 13, my first brand new laptop... Ever. Always went used or hand me downs. I decided it was time, I'm ready to go full Linux. I'm sick of all this win 11 crap.
So I did a lot of research, asked some questions around here, and ended up on bluefin. My main desire was stability. I'm not afraid of poking around in the command line, I'm fairly comfortable there for basic stuff. But my installs always seem to slowly acquire and accumulate... Issues. As I use them. Little things that build up, little issues that become show stoppers. I've never successfully (as in, without any issues at all) upgraded from one version of Ubuntu to the next.
Maybe that's all Ubuntu's fault? (I don't care for it anymore, it's not like it used to be) Or maybe it's just a Linux thing? Or maybe I'm just more destructive than I realize?
At any rate, atomic/immutable seemed like the way to go for me. The second I heard about it, I was skeptical, but the more I thought about it, the more it seemed like it would solve my issues.
The core is stable, and unless I purposely dig into it, it'll stay stable. Theoretically. Flat packs can come and go, but when I need my machine for something, it'll be there and waiting.
I've only had it for a couple months now, and so far I love it. Recently I had to install zoom on it, there's a flatpak. It's... A little buggy, in some weird ways. Sluggish at times.. But stable enough for what I need.
Most recently I installed OBS flatpak so I could screen record zoom. I expected issues, but I only had one tiny one, and a quick Google had me change one setting, and I was off. No issues. Felt good.
I'm running gimp and audacity, rythmbox, and others I can't think of. So far so good.
I AM having a reoccurring issue with Firefox, suddenly it will crash every new tab I open until I restart it. But I haven't looked into that yet, been too busy. That's pretty annoying when it happens.
And yes I meant distro boxes, the one that basically installs a simultaneous version of another distro, and it shares your home folder? Works pretty well for what I need thus far, which was just to run git to compile some project files.
But I'm also running boxes, the VM. I have a couple highly specific, and therefore identifying so I won't be sharing them here, windows apps that I need. One can't run in proton, the other is connected to a delicate shared database I'd rather not corrupt, so I'm just doing what I have to do. At the end of the day, a computer is a tool, and I'm gonna do what I gotta do to do what I gotta do. But when I can ditch windows completely, I will.
Sorry for the wall of text, hopefully that answers your questions 😅
Edit: oh one last thing. I do wish I had gone with a kde variant. I recently learned that you can still do some of the compiz window management tricks in plain kde. I miss those.
Hehe :P , thanks for sharing your experiences!
Uhmm..., please allow me to elaborate upon my first question, as I don't feel it's quite answered yet.
You noted the following in an earlier comment:
Edit: I’m leaving it
Which led me to believe that you left Bluefin for some reason. But after reading your great wall, it doesn't seem as if you actually left it. So..., I'm mostly confused at the moment :P . Would you mind elaborating in hopes of (at least) alleviating this confusion?
Oh! Lol I see the confusion. I meant I'm leaving the typo. I'm on my phone for 90% of Lemmy stuff. My phone autocorrected distros to Doritos. It was funny so I left it 😅
Sorry lol
Pretty fundementale broken IMHO. Its a security nightmare
Its a security nightmare
How so? Doesn't its sandbox offer superior security (under most circumstances) over most other solutions? Even in its relative infancy*.
The sand boxing is a distraction and doesn't matter if you downloaded malicious code
But how is it a security nightmare? Or did you mean "distraction", but chose to use "nightmare" for -I suppose- exaggeration (or similar/related reasons)?
doesn’t matter if you downloaded malicious code
Hmm..., please help me understand: say, I installed a flatpak that included malicious code. But, it required some permission to enact upon its maliciousness. Which, it never received. And thus, if my understanding is correct, it couldn't enact upon its maliciousness. How didn't Flatpak's security model not matter in this case? Apologies if I sound obnoxious (or whatsoever)*, but I'm genuinely trying to understand your case.
Flatpak doesn't verify signatures like normal package managers do
So the issue isn't that you downloaded a flatpak that included malicious code. The issue is that you downloaded a legit flatpak and ended up downloading malicious code because flatpak doesn't verify what it downloads
Ah okay, thanks for the clarification! I haven't delved deep into that aspect yet. But I've recently become aware of this unaddressed attack vector. And it is definitely something to worry about.
Unsure if it's solved anytime soon. But, if it is properly addressed and solved at some point in the future, would that (completely) redeem Flatpak's security model? Or, at least make it superior to what's found elsewhere?
They don't seem to give a shit about security. I think the well is poisoned. Best to just use apt
They don’t seem to give a shit about security. I think the well is poisoned.
Nah, I wouldn't go that far. That's like way too dramatic.
Best to just use apt
I will whenever apt doesn't (majorly) rely on backports for its security updates AND actually sandboxes its own packages. Zero Trust, FTW!
When a critical security bug is open for years on a project with plenty of funding to fix it..