KDE and GNOME seeks $100k to turn Flathub into a Store for the Linux desktop

I used to think Flatpaks were a huge pain the butt, but over the last few years, I moved to using them for all third party software that I run on my Fedora Linux workstation. Zoom, Slack, Spotify, Steam, Discord, Obsidian all run without issues and they get consistent updates. I am convinced now that they are one of the best ways to ship commercial software on to Linux desktop. Flatpak has been a key part of me becoming 100% Windows free for my PC gaming. Not having to run a desktop KVM to switch between my work workstation and my Gaming PC has been super great.

&gt; As we also open the ability for applications to be uploaded in binary form, which is essential for low-friction compatibility with popular language-specific build systems such as Electron&#x2F;Node, Rust, Go, etc - we also reduce the ability for users to scrutinise the source in the Flathub build system that was used to build their application.<p>...and their solution is running an antivirus scanner rather than stepping back and realizing that they&#x27;re shooting their own feet clean off. And it&#x27;s based on an absurd premise! Seriously:<p>&gt; binary form, which is essential for low-friction compatibility with popular language-specific build systems<p>What? No it&#x27;s not! Worst case, build in a container with the official tools. Best case, package the build tools like every other distro and <i>enforce</i> source availability and build reproducibility. I mean, NixOS is a bunch of volunteers doing (a better version of) what you&#x27;re claiming is impossible!<p>(Granted, I assume the claimed reason is a lie and the real reason is to support proprietary software, which is... maybe reasonable, but pretending otherwise isn&#x27;t.)

Opinions on Flatpaks&#x2F;snaps notwithstanding, it&#x27;s encouraging to see KDE and GNOME collaborating on projects like this. IMO desktop GNU&#x2F;Linux has benefited greatly from moving away from offering LXDE&#x2F;LXQT&#x2F;Mate&#x2F;Enlightenment&#x2F;Cinammon flavors and towards a more digestible subset (GNOME only, GNOME&#x2F;KDE&#x2F;XFCE, etc) of polished desktop environments. Pipe dream, but it would be incredible to see all of the passionate, talented folks working together on one definitive GNU&#x2F;Linux DE.

I&#x27;m an Ubuntu user and the first thing I always do in a new system is removing the Ubuntu Store, completely removing snapd, and installing the Flathub Store.

I&#x27;m very in favour of improving the state of application distribution on Linux. Targeting an abstraction like Flatpack seems like a no-brainer if there are no regressions in experience to the end user.<p>I am not sure if this is the case, but in theory I love the idea that the app sandboxing can allow the Flatpak engine to be a source that can prompt users for permissions access (e.g. &quot;app would like to access your location&quot;).<p>Last time I tried Flatpack I experienced a lot of integration issues, from GTK theming issues to applications missing features due to sandboxing.<p>Would love to see a high level medium-dive explainer on how Flatpack works to alleviate some of my concerns; predominantly around the limitations of sandboxing.<p>e.g.<p>Can OBS have unimpeded screen recording access? How does OBS compare in Flatpak compared to natively installed.<p>Can VSCode access any part of the FS without any performance overhead, what about language servers and that sort of thing?<p>Can applications like Discord that feature a voice-activated mic work? Can Discord access what game you&#x27;re currently playing on Steam and set that as its status?<p>Originally, I thought Flatpack was much like old win32 applications where if you put a dll dependency next to the executable, it will use that rather than the system one. I got really scared of Linux app sandboxing engines when I tried Snapd and it started making virtual network devices and my system theme wasn&#x27;t applied to the application - seemed very convoluted.

I haven&#x27;t been the biggest fan of flatpak and generally wish software would either be packaged as an rpm or an AppImage, but the OP makes a pretty strong case for why it&#x27;s a good idea (because existing options are too niche, and have no ability to incentivize developers who need to get paid for their work. This leads to Linux desktop having far fewer applications available to them compared to windows and mac.)<p>I do hope the command-line UX around flatpaks (installing, updating, etc) improves a lot though as currently it leaves much to be desired.

Flathub could become the killer &quot;app&quot; for the Linux desktop. No need to juggle dependencies and third party repos. The software you need in an instant.

I feel like one thing that is still holding Linux Desktop and any initiative like this back is that we don&#x27;t have really high quality linux laptops on the market.<p>We have some people like System76 doing great things, but not in Europe and for all their great work its not the highest quality stuff from China with some serious limitations.<p>For all the things the European Union funds, from chip manufacture, HPC and many other project from large to medium to small. Why have we not seen a made in Europe Laptop&#x2F;Desktop&#x2F;Phone for the bureaucrats and engineers who do things like running states and building weapons and so on.<p>A fair amount of EU money goes into a lot of these distributed system and internet projects. And I&#x27;m not complaining, but we are spending a lot of time trying to make our system secure from everything other then direct attack. The fireware in the new notebook doesn&#x27;t seem better then in the one before, in fact worse in some way.<p>We have most of the software, we have most of the things needed to do these things. An Open-Source computer for Europe (and anybody) would be a real counter-point to most of the other models out there.<p>In such an environment a real AppStore for Open Linux desktop could actually be a really good thing.

$100,000 to build up a system that totally ignores the system package manager? Sounds great!

Richard Brown, who&#x27;s been working on this problem for 10 years at Suse, says he was wrong in 2017. Flatpak is now the clear way to go, if you care about security, app updates, licensing, and multi-distro support (runtime dependencies).<p><a href="https:&#x2F;&#x2F;ftp.fau.de&#x2F;fosdem&#x2F;2023&#x2F;UA2.114%20(Baudoux)&#x2F;containerised_apps.mp4" rel="nofollow">https:&#x2F;&#x2F;ftp.fau.de&#x2F;fosdem&#x2F;2023&#x2F;UA2.114%20(Baudoux)&#x2F;container...</a>

maybe it&#x27;s indeed time to let the system package management(apt,rpm,etc) just manage a solid BASE system, and let Flatpak etc to manage their own application sandboxes on top, kind of like dockers.<p>Appimage is macos flavor, it never needs your sudo to install the package, which is nice.<p>Flatpak is a redhat flavor(kind of), it needs sudo sometimes, but OK.<p>Snap is a ubuntu flavor(kind of), it is like systemd that can overtake the whole system, it can install package and even the whole system I was told, too much as a package manager for me.<p>I don&#x27;t use Snap. Appimage is not as widely adopted as the rest two? I think Flatpak is a great middle ground.<p>It will be really cool if KDE and Gnome work together to build this.

I had to use flatpack to install Bottles, I&#x27;m on Porteus because it&#x27;s the only distrib I found that would fit on a 15 year old 512MB USB stick and then in the RAM directly... Let just say it wasn&#x27;t a seamless experience but I&#x27;m glad I managed to run Cinema4D R20 or MPC Software with Bottles without too many bugs. Anyway Bottles is just fantastic, I tried Wine before but it never worked properly, but having to install a package manager (flatpack) on top of another one (slackpkg) just felt absurd...<p>What about appimage instead, like Krita? To me it&#x27;s sounds like the best way to distribute a linux app in 202X...<p>Managing to make things run on Linux gives a sense of accomplissement, at the same time, I can understand why most people won&#x27;t move to Linux anytime soon given all the complexity involved... or it&#x27;s just me and there was an easier way to install flatpack at first place?

&gt; we also reduce the ability for users to scrutinise the source in the Flathub build system that was used to build their application<p>Wow.

Interesting that this announcement comes concurrently with the news that Ubuntu now expects all official derivatives to drop Flatpak support [0]. Looking forward, can someone tell me how these two policies will play nice together?<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=34912760" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=34912760</a>

This fills me with dread. I don&#x27;t think the app stores we&#x27;ve seen have been good things for a number of reasons.<p>I hope, if this succeeds, it turns out to be a good thing.

Meanwhile Ubuntu is making sure that none of its flavours has flatpak installed by default.<p>Smells like that old MS attitude to me.

Flatpak is a solution to package management as Docker is to servers. What&#x27;s the predominant reason people use Docker? Because it&#x27;s impossible to get a Python&#x2F;NodeJS monstrosity working properly without it. On rolling release distributions, you don&#x27;t ever need Flatpak. Its predominance is found in stable release distributions like Ubuntu and Fedora. Because they stall packages and their dependencies, it&#x27;ll always be an issue to install new software. If anything, I prefer AppImage a lot more.

I&#x27;m not sure if PopOs uses flathub by default for its PopShop, but I&#x27;ve always had some issues with it and they prevented me from using it and directly using flatpak CLI.<p>- I don&#x27;t know how to see running logs by default (if it&#x27;s possible even) and it&#x27;s a must when you have slow internet - sometimes it just hangs and I need to kill (probably leaving residue along the way)<p>hopefully my issues are my own OR it will get resolved as well.<p>other than that flatpak is amazing.

I think flatpaks are awesome. Especially for commercial software. I do think they are missing an important feature that snap has what snap referes to as classic confinement. For example vscode as a flatpak can&#x27;t really interact with your normal system libraries&#x2F;exectuables&#x2F;etc. That being said I do hope that Flatpaks succeed and becomes the easy go-to option for commercial software to support linux distributions.

&gt;As we also open the ability for applications to be uploaded in binary form, which is essential for low-friction compatibility with popular language-specific build systems such as Electron&#x2F;Node, Rust, Go, etc - we also reduce the ability for users to scrutinise the source in the Flathub build system that was used to build their application.<p>This is unacceptable. Open-source apps should always be built from source on a trusted infrastructure and ideally the builds should be reproducible. Otherwise, one of the main benefits of open-source software -- ability to verify its security -- is completely lost.<p>Fortunately, Flatpak != Flathub. There is also Fedora&#x27;s flatpak repository and that&#x27;s what I&#x27;m using. It doesn&#x27;t have as many apps as Flathub, but their number is growing.<p>I prefer flatpaks to RPMs because of the sandboxing feature. While it&#x27;s not perfect yet, I like that I can forbid most of my apps to access the network and to limit access to the filesystem and other system parts for apps that require network as much as possible. As a result, the trusted base of my system can be reduced significantly (and the base system can then use other method to confine its processes which on Fedora is SELinux).<p>Another benefit of Flatpak over traditional packaging systems is that it&#x27;s a cross-distro package manager and the apps can be installed on any Linux distribution. Even if we end up with multiple Flatpak repositories like Flathub and Fedora Flatpaks with different approaches and philosophies, users of any Linux-based OS can then install apps from any repository they like, and OS developers can focus on the base system.<p>So in general I like Flatpak and I think it&#x27;s a step in the right direction, but I can&#x27;t say the same about Flathub. For me it&#x27;s unacceptable to install anything from Flathub unless they fix their supply chain security flaws.

I would prefer AppImage or nix than Flatpak. It just seems to be yet another package manager but more difficult to use and much slower.

Linux Mint &gt; Software Manager &gt; Search for &quot;Flatpak&quot; &gt; it&#x27;s at the bottom of the list of results &gt; Remove

$100K? that&#x27;s all. Do a kickstarter or a GoFund me and I will contribute too, and I am not a Linux user (yet).

&gt; Outside of the Linux desktop space, actors such as F-Droid provide a home for free and open source Android applications on mobile devices.<p>Some convergence of desktop and mobile is plausible over the midterm so it might be worthwhile to think how that could be orchestrated

Flatpak and snap have proven to be ineffective and security theatre. Sandboxing all user apps doesn&#x27;t work, often the applications are created to not be sandboxed, and the existing sandbox configs are improper.<p>We don&#x27;t need yet another store. What we need is a simple registry of applications that are installed with the scripts to uninstall. We already have this, it&#x27;s a package manager.<p>For soft that doesn&#x27;t need a package manager, we have .appimage.<p>Instead of making it more difficult to package apps for Linux, focus on having few methods that are robustly supported.

On a Linux system, how to secure a system so that users are not able to run binaries they downloaded from the internet?<p>How can application whitelisting be achieved?<p>Does Flathub come with any features that help with that?

Flatpaks are awesome.<p>If you need to tweak them, Flatseal is a great tool.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;tchx84&#x2F;Flatseal">https:&#x2F;&#x2F;github.com&#x2F;tchx84&#x2F;Flatseal</a>

Flatpak has issues (size), but I think I can accept them as a part of the design and believe the other issues (crashes, security) will be solved as adoption grows.<p>Personally, I still prefer my repos with shared libraries when possible. I&#x27;m also able to keep a mirror of the packages to cut down on bandwidth.<p>I haven&#x27;t figured out how to mirror the flatpaks yet, mostly due to lack of effort.<p>I&#x27;m excited, it will be good to have a cross-distro app store.

I&#x27;ve asked them about donations but they said it was not possible, a year or so again.<p>I&#x27;d gladly donate or even keep a subscription to keep Flathub running.

Can anyone comment on whether any of these new all-in-one distribution formats actually try to provide secure sandboxing that is designed to resist deliberate attacks from within, or is their sandboxing just docker-style best-effort sandboxing with a ton of holes that can&#x27;t be relied upon for running untrusted executables securely?

Well, the only part of flatpak I honestly like is bubblewrap, the only reason flatpak even makes any sense to me

I don’t think open source needs a walled garden, but I think people want the walls.

love to see flatpak flourishing, it&#x27;s really great.<p>i like it because it actually solves problem (getting proprietary software like slack) instead of creating ones and&#x2F;or getting in the way (i&#x27;m looking at you snap).

Why do we need this bullshit when we have apt, rpm, pacman and everything?

I wish gnu&#x2F;linux devs would pool their efforts occasionally. We have competing flatpak and snap efforts, with neither being all that good currently. Can we agree on a standard?

I run Linux to avoid shopkeepers (or others in general). I run macOS when I need that help. I run Windows the rest of the time, which is currently not that often.

I wonder when the distros are going to start auto-converting their native package formats to Flatpak so you can use distro Flatpaks alongside Flathub ones.

Maybe Valve could fund them?<p>Anyone have the connections to make this happen?

&gt; Our previous phase of implementing the Flathub appstore functionality was funded by a 50,000 USD grant from Dalio Philanthropies<p>as in Ray Dalio?

I like Flatpak. I&#x27;ve even flatpaked some apps and made them available on Flathub. The only thing that dissapoints me is the fact that it integrates poorly with CLI apps.<p>Off topic: An idea that came to my mind a few days ago is that would have been great to add support for desktop apps to Podman by adding some extension or plugin capabilities to it instead of creating a new whole technology. Probably a silly idea though.

If they can actually prevent piracy, maybe I&#x27;ll actually package my app for Linux.

while I like and use flatpaks, each time I try to use gnome software, I need to kill it and restart just too that it loads

Uh no, I wouldn&#x27;t even hand over a penny to the GNOME project.

Why the hell do you need store when you have pacman&#x2F;AUR

how much to add thumbnails to the file picker?