From Newsgroup: alt.os.linux

So try it our for first time. Install a program and run it.
It goes and downloads python, ffmpeg, vulkan, pytorch blah blah
all stuff what I already installed.
I'll walk down to high street coffee shop while it is faffing around.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On 09/04/2026 12.31, Nomen Nescio wrote:

So try it our for first time. Install a program and run it.
It goes and downloads python, ffmpeg, vulkan, pytorch blah blah
all stuff what I already installed.
I'll walk down to high street coffee shop while it is faffing around.

Yeah, the flatpak will not use system installed binaries, it will be
pulling it's own dependencies from the flatpak repositories, but the
benefit is that any Linux distro will be able to run the same flatpak
program, no matter if you have python 3.9 installed, I may have python
3.12 and some other maybe even python 3.13...

The alternative is that your distro compiles the application as a fully
native binary, then most of the packages are already installed that it
depends on. But see from the bright side, next flatpak you install may
not have to download a flatpak version of ffmpeg, vulkan, python,
pytorch (as long as it depends on the same version as the program you installed).

Flatpak, appimage, snap are just tries to remove the maintenance work
program distributions, so that the developers don't have to compile one
for ubuntu x, ubuntu x+1, ubuntu x+2, mint y, mint y+1, mint y+3, fedora
z, fedora z+1, ... and so on
and this is why it is what it is...
--
//Aho
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On 2026-04-09 15:27, J.O. Aho wrote:

On 09/04/2026 12.31, Nomen Nescio wrote:

So try it our for first time. Install a program and run it.
It goes and downloads python, ffmpeg, vulkan, pytorch blah blah
all stuff what I already installed.
I'll walk down to high street coffee shop while it is faffing around.

Yeah, the flatpak will not use system installed binaries, it will be
pulling it's own dependencies from the flatpak repositories, but the
benefit is that any Linux distro will be able to run the same flatpak program, no matter if you have python 3.9 installed, I may have python
3.12 and some other maybe even python 3.13...

The alternative is that your distro compiles the application as a fully native binary, then most of the packages are already installed that it depends on. But see from the bright side, next flatpak you install may
not have to download a flatpak version of ffmpeg, vulkan, python,
pytorch (as long as it depends on the same version as the program you installed).

Flatpak, appimage, snap are just tries to remove the maintenance work program distributions, so that the developers don't have to compile one
for ubuntu x, ubuntu x+1, ubuntu x+2, mint y, mint y+1, mint y+3, fedora
z, fedora z+1, ... and so on
and this is why it is what it is...

At the cost of more resources needed at the users machines. Bigger hard
disks (stuff that is installed several times), more RAM needed (you may
need two or three versions of the same library loaded), and probably
more CPU.
--
Cheers, Carlos.
ES🇪🇸, EU🇪🇺;
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On 09/04/2026 21.54, Carlos E.R. wrote:

On 2026-04-09 15:27, J.O. Aho wrote:

Flatpak, appimage, snap are just tries to remove the maintenance work
program distributions, so that the developers don't have to compile
one for ubuntu x, ubuntu x+1, ubuntu x+2, mint y, mint y+1, mint y+3,
fedora z, fedora z+1, ... and so on
and this is why it is what it is...

At the cost of more resources needed at the users machines. Bigger hard disks (stuff that is installed several times), more RAM needed (you may
need two or three versions of the same library loaded), and probably
more CPU.

Yeah, those alternative universal package types ain't resource friendly,
in that way they are more like the everything baked in applications in microsoft windows which can be run on most ms-windows versions.

Not so long ago I would have said, get yourself a bit more ram, but now
thanks to LLM's there is a shortage of ram chips, so now it's just about minimize your memory usage.
--
//Aho
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

Carlos writes:

At the cost of more resources needed at the users machines. Bigger hard
disks (stuff that is installed several times), more RAM needed (you may
need two or three versions of the same library loaded), and probably more CPU.

And at the cost of the quality assurance and security protection
provided by Debian.
--
John Hasler
john@sugarbit.com
Dancing Horse Hill
Elmwood, WI USA
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On Thu, 9 Apr 2026 15:27:34 +0200, J.O. Aho wrote:

But see from the bright side, next flatpak you install may not have
to download a flatpak version of ffmpeg, vulkan, python, pytorch (as
long as it depends on the same version as the program you
installed).

It seems to me, it would have to do that regardless. Because it cannot
simply depend on version numbers to ensure the version has the patches
it needs.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On 10/04/2026 00.28, Lawrence D’Oliveiro wrote:

On Thu, 9 Apr 2026 15:27:34 +0200, J.O. Aho wrote:

But see from the bright side, next flatpak you install may not have
to download a flatpak version of ffmpeg, vulkan, python, pytorch (as
long as it depends on the same version as the program you
installed).

It seems to me, it would have to do that regardless. Because it cannot
simply depend on version numbers to ensure the version has the patches
it needs.

Say the application needs a special patch applied to python which the
python developers don't include in their python flatpak, then need to
include your custom python within the applications flatpak, then it will
of course not depend on the official python flatpak, but will itself be larger, so from download point of view it will not make a change.

Sure a flatpak can change what patches, options it want to use, but is something depending flatpak will notice at least when they build their
package and test it, before they release it, if the application flatpak
works, it should always work, as the package they depends on will not be afterwards changed, if changed it has a new version number.

There are other options that been tried and haven't got any major
traction, like building only static binaries (sure a lot larger on disk
than dynamic linked), each application is installed with full dependency
chain in it's own directory structure (extreme disk space usage).

I don't think we will see an end to try to unify binaries for all Linux distributions, but no matter what there will be issues and won't be as
good as native dynamically linked and optimized for your cpu.
--
//Aho
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On Fri, 10 Apr 2026 08:29:03 +0200, J.O. Aho wrote:

Say the application needs a special patch applied to python which
the python developers don't include in their python flatpak, then
need to include your custom python within the applications flatpak,
then it will of course not depend on the official python flatpak,
but will itself be larger, so from download point of view it will
not make a change.

The point being, trying to share components between flatpaks would
defeat the purpose of their being self-contained.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On 2026-04-10 10:30, Lawrence D’Oliveiro wrote:

On Fri, 10 Apr 2026 08:29:03 +0200, J.O. Aho wrote:

Say the application needs a special patch applied to python which
the python developers don't include in their python flatpak, then
need to include your custom python within the applications flatpak,
then it will of course not depend on the official python flatpak,
but will itself be larger, so from download point of view it will
not make a change.

The point being, trying to share components between flatpaks would
defeat the purpose of their being self-contained.

A set of flatpacks from one distributor of flatpacks might. Assuming
that you update all the flatpacks at the same time.
--
Cheers, Carlos.
ES🇪🇸, EU🇪🇺;
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On Fri, 10 Apr 2026 04:42:47 -0400, Carlos E.R. <robin_listas@es.invalid> wrote:

On 2026-04-10 10:30, Lawrence D’Oliveiro wrote:

On Fri, 10 Apr 2026 08:29:03 +0200, J.O. Aho wrote:

Say the application needs a special patch applied to python which
the python developers don't include in their python flatpak, then
need to include your custom python within the applications flatpak,
then it will of course not depend on the official python flatpak,
but will itself be larger, so from download point of view it will
not make a change.

The point being, trying to share components between flatpaks would
defeat the purpose of their being self-contained.

A set of flatpacks from one distributor of flatpacks might. Assuming
that you update all the flatpacks at the same time.

Flatpack is an extreme version of static linking. Like static linking, it makes development
easier, but maintenance much harder.

It means that each flatpak maintainer has to (hopefully) figure out how to backport security
fixes. SInce some won't bother, it leaves users with less secure systems.

It only takes one flatpak maintainer to use an unfixed root level remote code vulnerability
to destroy the security of every system that uses that flatpak.

Regards, Dave Hodgins
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On Fri, 10 Apr 2026 08:54:49 -0400, David W. Hodgins wrote:

Flatpack is an extreme version of static linking. Like static
linking, it makes development easier, but maintenance much harder.

I see it as a system designed to take the packaging role away from the
distro maintainers, and put it in the hands of the developers.

For open-source software, this seems counterproductive. Currently,
open-source developers have no problem supporting 300 different
distros, because it is up to each group of distro maintainers to
package the software to fit in with the rest of their product. If they
had to do this themselves, it would just be impractical.

However, it’s clear the aim is to give developers of proprietary
software something resembling the control they already exert when
packaging their products for proprietary platforms.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On Fri, 10 Apr 2026 17:50:57 -0400, Lawrence D’Oliveiro <ldo@nz.invalid> wrote:

On Fri, 10 Apr 2026 08:54:49 -0400, David W. Hodgins wrote:

Flatpack is an extreme version of static linking. Like static
linking, it makes development easier, but maintenance much harder.

I see it as a system designed to take the packaging role away from the
distro maintainers, and put it in the hands of the developers.

For open-source software, this seems counterproductive. Currently, open-source developers have no problem supporting 300 different
distros, because it is up to each group of distro maintainers to
package the software to fit in with the rest of their product. If they
had to do this themselves, it would just be impractical.

However, it’s clear the aim is to give developers of proprietary
software something resembling the control they already exert when
packaging their products for proprietary platforms.

It's a security nightmare.

Without flatpak, and using dynamic module loading, when a security bug is found in a library
module, the author fixes it in the latest version of the module. Distros then either install the
latest version or backport the patch to fix the bug to the version they are using, test it and
send the updates to their users.

With flatpak, the end user has to hope who ever produced the flatpacks they are using did
that work. If the same module is used by twenty applications, there are twenty flatpaks that
each have to be fixed and tested. If just one of the flatpak authors doesn't pay attention and
doesn't update the flatpak they produced, the end user's are left with vulnerable systems.

It's the same progam with static linking, in that the fix has to be done multiple times. With
static linking, if just one on the applications isn't updated, again, the end user is left
vulnerable.

Using flatpaks, just like using static linking, it makes it easier for developers, in that they
don't have to support multiople versions of other packages, but it makes it much more
work for end users that want to have secure systems.

The dynamic library system was developed to improve security. Reverting to static linking
or switching to flatpaks reduces that security.

Regards, Dave Hodgins
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On 2026-04-11 20:42, David W. Hodgins wrote:

On Fri, 10 Apr 2026 17:50:57 -0400, Lawrence D’Oliveiro
<ldo@nz.invalid> wrote:

On Fri, 10 Apr 2026 08:54:49 -0400, David W. Hodgins wrote:

Flatpack is an extreme version of static linking. Like static
linking, it makes development easier, but maintenance much
harder.

I see it as a system designed to take the packaging role away from
the distro maintainers, and put it in the hands of the developers.

For open-source software, this seems counterproductive. Currently,
open-source developers have no problem supporting 300 different
distros, because it is up to each group of distro maintainers to
package the software to fit in with the rest of their product. If
they had to do this themselves, it would just be impractical.

However, it’s clear the aim is to give developers of proprietary
software something resembling the control they already exert when
packaging their products for proprietary platforms.

It's a security nightmare.

Without flatpak, and using dynamic module loading, when a security
bug is found in a library module, the author fixes it in the latest
version of the module. Distros then either install the latest
version or backport the patch to fix the bug to the version they are
using, test it and send the updates to their users.

With flatpak, the end user has to hope who ever produced the
flatpacks they are using did that work. If the same module is used
by twenty applications, there are twenty flatpaks that each have to
be fixed and tested. If just one of the flatpak authors doesn't pay
attention and doesn't update the flatpak they produced, the end
user's are left with vulnerable systems.

Maybe... maybe that developer has the source of the flatpack (whatever
that is) installed in his machine using some distribution. Assuming that system is updated from that distribution, he only need to package again
his flatpacks, no?

I don't know if it works like that. So I ask, is this correct?

It's the same progam with static linking, in that the fix has to be
done multiple times. With static linking, if just one on the
applications isn't updated, again, the end user is left vulnerable.

Using flatpaks, just like using static linking, it makes it easier
for developers, in that they don't have to support multiople
versions of other packages, but it makes it much more work for end
users that want to have secure systems.

The dynamic library system was developed to improve security.
Reverting to static linking or switching to flatpaks reduces that
security.

Regards, Dave Hodgins

--
Cheers, Carlos.
ES🇪🇸, EU🇪🇺;
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On Sun, 12 Apr 2026 14:50:40 -0400, Carlos E.R. <robin_listas@es.invalid> wrote:

Maybe... maybe that developer has the source of the flatpack (whatever
that is) installed in his machine using some distribution. Assuming that system is updated from that distribution, he only need to package again
his flatpacks, no?

The main reason for a developer to use flatpak is because he doesn't want to spend the time
updating his program to work with multiple versions of a package.

The flatpak is produced and distributed using the library versions from the distribution the
developer is using at that time. Later the distribution produces newer versions of some library
that has an extra parameter needed, requiring a tiny modification to his program to get it
to compile.

Maybe the develper is good, updates the program and releases an updated flatpak.

Maybe the developer doesn't bother spending the time doing that, since the current version
works and the developer is busy with other things, and hasn't realized that in this case the
security bug is critical due to the way that program uses that library.

When you have a system with flatpaks installed that were produced by many people (the
normal case for flatpak users), it only takes one of those flatpak providers to delay updating
their flatpak for a critical security bug to get your system compromised.

Using flatpaks, breaks the security model of modern linux systems, just like static linking does.

Regards, Dave Hodgins
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On Mon, 13 Apr 2026 13:07:39 -0400, David W. Hodgins wrote:

The main reason for a developer to use flatpak is because he doesn't
want to spend the time updating his program to work with multiple
versions of a package.

That’s not usually the developer’s problem; that’s normally left up to the distro maintainers. So with 300 different distros, you have 300
different lots of distro maintainers, which is entirely scalable and
creates no extra work for the developer.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

W dniu 15.04.2026 o 00:00, Lawrence D’Oliveiro pisze:

So with 300 different distros

But most of them are based only on the 2 main distros: RedHat and
Debian. Mean: they use rpm or apt. Only small fraction use other package managers. This probably simplify programmers life a lot.
--
Jacek Marcin Jaworski, Pruszcz Gd., woj. Pomorskie, Polska 🇵🇱, EU 🇪🇺;
tel.: +48-609-170-742, najlepiej w godz.: 5:00-5:55 lub 16:00-17:25; <jmj@energokod.gda.pl>, gpg: 4A541AA7A6E872318B85D7F6A651CC39244B0BFA;
Domowa s. WWW: <https://energokod.gda.pl>;
Mini Netykieta: <https://energokod.gda.pl/MiniNetykieta.html>;
Mailowa Samoobrona: <https://emailselfdefense.fsf.org/pl>.
UWAGA:
NIE ZACIĄGAJ "UKRYTEGO DŁUGU"! PŁAĆ ZA PROG. FOSS I INFO. INTERNETOWE! CZYTAJ DARMOWY: "17. Raport Totaliztyczny - Patroni Kontra Bankierzy": <https://energokod.gda.pl/raporty-totaliztyczne/17.%20Patroni%20Kontra%20Bankierzy.pdf>
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: alt.os.linux

On Wed, 15 Apr 2026 00:19:48 +0200, 🇵🇱Jacek Marcin Jaworski🇵🇱 wrote:

W dniu 15.04.2026 o 00:00, Lawrence D’Oliveiro pisze:

That’s not usually the developer’s problem; that’s normally left up
to the distro maintainers. So with 300 different distros, you have
300 different lots of distro maintainers, which is entirely
scalable and creates no extra work for the developer.

But most of them are based only on the 2 main distros: RedHat and
Debian. Mean: they use rpm or apt. Only small fraction use other
package managers.

Gentoo is quite different. Arch is also increasing in popularity --
did you know SteamOS is one of its offshoots?

This probably simplify programmers life a lot.

It’s not something that need concern them, like I said.
--- Synchronet 3.21f-Linux NewsLink 1.2