2025-05-31
At the Linux Application Summit (LAS) in April, Sebastian Wick said that, by many metrics, Flatpak is doing great. The Flatpak application-packaging format is popular with upstream developers, and with many users. More and more applications are being published in the Flathub application store, and the format is even being adopted by Linux distributions like Fedora. However, he worried that work on the Flatpak project itself had stagnated, and that there were too few developers able to review and merge code beyond basic maintenance.↫ Joe Brockmeier at LWN
After reading this article and the long list of problems the Flatpak project is facing, I can’t really agree that “Flatpak is doing great”. Apparently, Flatpak is in maintenance mode, while major problems remain untouched, because nobody is working on the big-ticket items anymore. This seems like a big problem for a project that’s still facing a myriad of major issues.
For instance, Flatpak still uses PulseAudio instead of Pipewire, which means that if a Flatpak application needs permission to play audio, it also automatically gets permission to use the microphone. NVIDIA drivers also pose a big problem, network namespacing in Flatpak is “kind of ugly”, you can’t specify backwards-compatible permissions, and there are tons more problems. There are a lot of ideas and proposed solutions, but nobody to implement them, leaving Flatpak stagnated.
Now that Flatpak is adopted by quite a few popular desktop Linux distributions, it doesn’t seem particularly great that it’s having such issues with finding enough manpower to keep improving it. There’s a clear push, especially among developers of end-user focused applications, for everyone to use Flatpak, but is that push really a wise idea if the project has stagnated? Go into any thread where people discuss the use of Flatpaks, and there’s bound to be people experiencing problems, inevitably followed by suggested fixes to use third-party tools to break the already rather porous sandbox.
Flatpak feels like a project that’s far from done or feature-complete, causing normal, everyday users to experience countless problems and issues. Reading straight from the horse’s mouth that the project has stagnated and isn’t being actively developed anymore is incredibly worrying.
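The audio problem described above (a playback grant that also allows microphone capture) is visible in an app's permission metadata as a single `sockets=pulseaudio` entry. The following is an added example, not code from the original post or from the Flatpak project: it parses the INI-style `[Context]` section that `flatpak info --show-permissions` prints, flags the pulseaudio socket, and names the override that removes it. The two metadata samples and the app id `org.example.MediaPlayer` are constructed for the example, so it runs offline.

```python
import configparser

# Constructed sample of the INI-style metadata printed by
# `flatpak info --show-permissions`; org.example.MediaPlayer is a hypothetical app id.
SAMPLE_PERMISSIVE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=xdg-download;
"""

# Constructed sample of the same app without the pulseaudio socket, which is what
# `flatpak override --user --nosocket=pulseaudio org.example.MediaPlayer` is meant to achieve.
SAMPLE_RESTRICTED = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;
devices=dri;
filesystems=xdg-download;
"""

CONTEXT_KEYS = ("shared", "sockets", "devices", "filesystems")


def parse_permissions(text):
    """Parse the [Context] section into {key: [values]}.

    Flatpak separates list values with ';' and leaves a trailing ';', so empty
    items are dropped. Missing keys yield an empty list.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the metadata
    cp.read_string(text)
    ctx = cp["Context"] if cp.has_section("Context") else {}
    return {key: [v for v in ctx.get(key, "").split(";") if v] for key in CONTEXT_KEYS}


def audio_findings(app_id, perms):
    """Return (finding, mitigation) pairs for the audio grant the post describes.

    The pulseaudio socket exposes the whole PulseAudio protocol, so there is no
    playback-only grant: an app holding it can also open capture streams.
    """
    findings = []
    if "pulseaudio" in perms["sockets"]:
        findings.append((
            "sockets=pulseaudio: playback access also grants microphone capture",
            f"flatpak override --user --nosocket=pulseaudio {app_id}",
        ))
    return findings


def report(app_id, text):
    """Human-readable summary for one app's permission metadata."""
    perms = parse_permissions(text)
    lines = [f"{app_id}: sockets={','.join(perms['sockets']) or '(none)'}"]
    for finding, mitigation in audio_findings(app_id, perms):
        lines.append(f"  finding:    {finding}")
        lines.append(f"  mitigation: {mitigation}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("org.example.MediaPlayer", SAMPLE_PERMISSIVE))
    print(report("org.example.MediaPlayer", SAMPLE_RESTRICTED))
```

On a real system, feed `parse_permissions` the output of `flatpak info --show-permissions <app-id>`; the override removes the socket entirely, so an app that genuinely needs to play sound will lose playback as well, which is exactly the missing playback-only grant the post is complaining about.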
This is already a bad situation – the software Redhat is trying to push everything towards is in maintenance mode a la X11? seriously? – but if you dive into it a bit it gets so much worse. Flatpak sandboxing very badly breaks browser internal sandboxing, to a point that I don’t think an up-to-date Firefox or Chromium-based browser running in Flatpak can be called adequately secure. Zypak helps with Chromium-based browsers to a point, but the real issue is that breaking namespaces gets rid of a lot of horizontal sandboxing between tabs. What’s more, it looks like this could all be avoided by providing a way to bypass Flatpak sandboxing, as is possible in Snaps… Or by using a normal MAC framework for the external sandbox, again as in Snaps. But those are not things that will happen if Flatpak is in maintenance mode.
It’s extra annoying because Flatpak has become pretty indispensable IMO for apps not in distro repositories, or for e.g. keeping some proprietary app from snarfing up your browser history – things where super high security sandboxing is not really necessary, but a modicum is useful.
Edit: to be clear I would say Flatpak is still a good idea in its essence. But it was absolutely stupid IMO for Red Hat to put all their eggs in this basket as the future of desktop Linux.
If RedHat is pushing it but there’s no real community of organically grown volunteer developers supporting it (Gnome, Flatpak, systemd, etc), might want to be a little bit wary about using it. Once the IBM money for these projects dries up, then you are looking at the soon-to-be-next-dead IBM technology, a la Lotus and many, many other things.
That’s a good perspective I think.
RH/Fedora also aren’t the only corporate Linux trending in a worrying direction. In OpenSUSEland, Tumbleweed has been getting no security updates for over a week, with very little communication from the devs. And in Ubuntu, manual drive setup with LUKS has been broken since 24.04, which is not great – supporting encrypted multi-drive setups out of the box should be an absolute baseline for an “easy” distro IMO, filesystem encryption at rest is not optional in this day and age.
I’m not sure what exactly is happening, and as someone who works in IT I want to be lenient towards other tech people, but the Tumbleweed situation in particular is very bad. A cynical part of me wonders if post-COVID brain damage is causing an outbreak of poor decision making.
>”In OpenSUSEland, Tumbleweed has been getting no security updates for over a week”
A week isn’t overly long to wait. You know those German engineers, they are more likely to shut down the whole production line than let one buggy package get to the end users.
This would be less of an issue if they hadn’t missed three critical vulnerability updates for Firefox.
I’m pretty sure those three critical updates were from a recent pwn2own gathering rather than exploits in the wild, and a number of distros probably weren’t overly concerned about pushing that update at lightning speed.
The mic problem in audio is not due to pulseaudio, but to a design flaw in flatpak. Snap doesn’t have that problem, having two different interfaces, one for playing audio (not privileged) and another for recording (privileged).
