I just installed Debian with the KDE desktop and I’m looking to see what kind of packages are available in the Discover store by default as they are not labeled i.e., Snaps/Flatpak. Should I install Flatpak? Thanks, I don’t want to break anything.
if you haven’t added the flathub repository to your new debian kde desktop install, discover will only show you packages from debian’s repositories that were automatically configured during installation… even if you’ve added the flatpak ‘backend’ from inside discover–flathub still has to be added to your sources (see step 3 in link above).
once you have multiple sources of an application (for instance, ‘vlc’), discover will add a ‘sources’ pulldown (top right, next to the ‘install’ button) where you can choose debian system package or flatpak (or snap, if configured).
which source you use is entirely up to you. on my own debian desktop, i usually stick with debs if it has what i’m looking for, as i’ve chosen debian and have accepted their pace at which new software is added. if i wanted ‘bleeding edge’ i would have installed something else entirely on it. but you can certainly go ‘all flatpak’ if you wanted to.
Okay thanks. I’m thinking of sticking with deb packages also at the moment because a lot of apps on the flathub website say “Unverified”
Those are usually either wrappers for proprietary stuff, for example the Chrome flatpak is unverified because it’s not from Google themselves but rather somebody grabbing the official deb/rpm and rebuilding it into a flatpak (this is also how a lot of e.g. AUR packages on Arch work, basically), or open source stuff for which the dev/packager simply didn’t care enough to do the verification stuff that Flathub wants you to do (doesn’t actually seem that hard, but one might simply not have been aware of it or something).
Don’t recall people particularly complaining about the unverified badges before Mint started hiding unverified flatpaks by default, though; suddenly after that “everybody” started noticing them.
Yeah true, but if you’re choosing Debian then I can see why there is caution about “unverified” flatpaks.
Ultimately if they’re not verified then you’re taking it on trust that they’ve been repackaged by a good actor and not a bad actor. We have no reason to believe there are malicious flatpaks on flathub and verified only really means it was packaged by the originating project itself. But it is still a separate chain of packaging and security from the official one in a distro.
And Flathub doesn’t need to be the repo used. Fedora for example created its own repo so it could verify its own flatpaks in the same way as its other system repos. Other distros do not seem to be following that path.
Personally I take the risk on flatpaks in the same way I will take risks on the opensuse OBS (or AUR in arch) - if I need/want the software and it’s not in the main repos for my distro I will generally take it off flathub rather than add an OBS source I don’t know well. (If it’s small software I might build from source myself).
I don’t really run much of any unverified ones myself anyway, though tbf the unverified proprietary wrappers on Flathub are at least somewhat more trustworthy than the AUR equivalents (at least it doesn’t get to run stuff as root during installation, like Arch packages (or any distro packages really) do), though in both cases you are giving them access to your $HOME so that’s something to be always considered.
I’m not really sure why Fedora Flatpaks still exists… I mean yes it sounds good as an idea (distro gets to ship sandboxed apps alongside conventional packages) but there’s still the upstream devs vs downstream packaging conflicts, and for new users it’s annoying at times because… reasons (the package you thought was coming from Flathub was actually pulled from the Fedora repo because it’s in there too, etc.), seems like effort duplication on top of the existing effort duplication that was/is downstream packaging but still.
Some distros do have their own flatpak repos as well but smaller than what Fedora is doing, https://appcenter.elementary.io/ for example (but a substantial amount of that stuff is primarily only available from there, though you can build it yourself), though again I’m not sure much of any other distros would want to implicate themselves with that because… all the reasons.
Flathub is a separate chain of packaging from the distro itself so there are legitimate reasons to avoid it if one is heavily paranoid though.
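Added example, not part of the thread: a small check for the $HOME point raised above. It reads the keyfile text that `flatpak info --show-permissions <app-id>` prints and reports any filesystem grant that covers the whole home directory. The function name and both sample permission blocks are constructed for illustration.

```python
import configparser

# Constructed samples in the keyfile format printed by
# `flatpak info --show-permissions <app-id>`; not taken from real apps.
SAMPLE_WIDE = """\
[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
filesystems=home;xdg-download:ro;
"""

SAMPLE_NARROW = """\
[Context]
shared=ipc;
sockets=wayland;
filesystems=xdg-download;!home;
"""

# Filesystem grants that expose the entire home directory.
BROAD = {"host", "home", "~"}


def home_access(permissions_text):
    """Return (grant, mode) pairs that give the app all of $HOME."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(permissions_text)
    # fallback covers apps with no [Context] section or no filesystems key
    raw = cp.get("Context", "filesystems", fallback="")
    findings = []
    for entry in (e.strip() for e in raw.split(";")):
        if not entry or entry.startswith("!"):
            continue  # empty trailing field, or an explicit denial
        path, _, mode = entry.partition(":")
        if path.rstrip("/") in BROAD:
            # no suffix means read-write
            findings.append((path, mode or "rw"))
    return findings


if __name__ == "__main__":
    for name, text in (("wide", SAMPLE_WIDE), ("narrow", SAMPLE_NARROW)):
        print(name, home_access(text) or "no whole-home grant")
```

An empty result only means there is no whole-home grant; narrower entries such as `xdg-download` still expose that one directory.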