Podman winning is good. Red Hat consistently does things right, for example their quay.io is open source, unlike Docker Hub and GitHub Container Registry. The risks of not using rootless containers weren’t blown way out of proportion, because rootless containers really are much more secure. Not requiring a daemon, supporting cgroup v2 early, supporting rootless containers well and having them as the default, these are all good engineering decisions with big benefits for the users. In this and many other things, Red Hat eventually wins because they are more open-source friendly and because they hire better developers who make better engineering decisions.
> In this and many other things, Red Hat eventually wins because they are more open-source friendly and because they hire better developers who make better engineering decisions.
We must be talking about a different Red Hat here. Podman, with breaking changes in every version, that is supposedly feature and CLI complete with Docker, but isn't actually, is winning because it's more open source friendly or better technically? Or systemd, written in a memory unsafe language (yes, that is a problem for something so critical and was already exploited at least a couple of times), using a weird special format for it's configuration, where the lead dev insults people and refuses to backport patches (no, updating systemd isn't a good idea) won "because it was more open source friendly"? Or OpenShift that tries to supplant Kubernetes stuff with Red Hat specific stuff that doesn't work in some cases (e.g. TCP IngressRoutes lack many features), is winning "because it was more open source friendly"?
No, Red Hat are just good at marketing, are an established name, and know how to push their products/projects well, even if they're not good or even ready (Podman is barely ready but has been pushed for years by this point).
>Or systemd, written in a memory unsafe language (yes, that is a problem for something so critical and was already exploited at least a couple of times)
What memory safe language 1) existed in 2010 and 2) is thoroughly portable to every architecture people commonly run Linux on and 3) is suitable for software as low-level as the init?
Rust is an option now but it wasn't back then. And Rust is being evaluated now, even though it's not quite ready yet on #2.
Go, although with it's GC it's debatable to what extent it's suitable for very low level software.
And honestly the language choice was only the tip of the iceberg, it took years of people adapting before systemd became usable. And it still doesn't handle circular dependencies better than arbitrarily which is ridiculous, literally one of it's main jobs is to handle dependencies.
In the end, it seems what happened is that christel sparked a huge misunderstanding between freenode staff and Andrew Lee by making misleading statements to both parties and lying to hide the fact that she had sold freenode to get herself out of financial troubles.
Nix doesn’t guarantee binary reproducibility. It does help with reproducing build inputs and the build process, as do the tools used to create Flatpak applications and runtimes—flatpak-builder and BuildStream. Nix can build packages in a sandbox, but the same is true of flatpak-builder and BuildStream.
The Freedesktop SDK has a CI pipeline (run on schedule, not on every change, because it is expensive) that tests reproducibility, similar to r13y.com. Currently everything is reproducible except a few components.
There are also many respects in which Flatpak is objectively better than Nix (other than sandboxing, which is an important one). For example, Flatpak guarantees atomic updates with restarting merely the updated application. NixOS only guarantees atomic updates with a reboot (`nixos-rebuild boot`); `nixos-rebuild switch` can still break your running system, though the Nix store is safe and problems will not persist after a reboot, which is still a huge improvement over traditional package management. Still, using containers allows giving stronger guarantees.
Another example is that flatpak-builder and BuildStream are substantially faster than Nix. Evaluating Nix expressions is quite inefficient, even if they are convenient to write. Worse is the cascading rebuilds that come with the Nix approach when dependencies like compilers and glibc are patched or updated. Rebuilding after significant updates to gcc and glibc has advantages, such as benefitting from newer compiler features, but it is very desirable to have the option not to do that.
Also, Nix’s languages lacks domain abstractions for building packages, which makes tools to generate and update derivations have to rely on assumptions about their format or be unnecessarily complex. In comparison, flatpak-builder and BuildStream use JSON and YAML. The result is less expressive but more convenient, consistent, efficient, and simple to manipulate.
Similar to nixpkgs-update, Freedesktop SDK uses a simple auto-updater[1] for BuildStream and Flathub apps can use the Flatpak External Data Checker[2] for a bot to open merge requests or pull requests to update dependencies in the runtime and in application manifests.
OSTree uses a content-addressable store for all files, giving Flatpak deduplication for free. Nix gets deduplication only with an expensive process (`nix store optimise`) that involves scanning the Nix store and replacing duplicated files by hard links.
Yet another advantage of Flatpak is that due to dependencies being “flat”—that is, apps can depend on runtimes and have extensions, but there are no complex dependency trees—there is no need for dependency resolution. This also reduces the amount of metadata that needs to be downloaded. This makes installing and updating software with Flatpak very fast, which is unfortunately not at all true with Nix.
So, there are tradeoffs, and overall Flatpak has the better of them. Employing Nix to manage dependencies or to build apps would cause Flatpak to lose many of its advantages.
Thank you for the detailed and informative answer. Sorry for my cocky style, I am by no means knowledgeable on flatpak and I passed judgement prematurely.
Nonetheless, I have some questions, comments:
> Nix doesn’t guarantee binary reproducibility
Yeah, it’s true, but no general build tool can, since language build tools themselves are usually non-deterministic.
> For example, Flatpak guarantees atomic updates with restarting merely the updated application. NixOS only guarantees atomic updates with a reboot
That latter is only true of NixOS; for an ordinary package you can just start up actually both the old and updated version at the same time without any trouble. And in the OS config case, it is more of a linux deficiency - it does restart services when possible, but that is orthogonal to this discussion as I believe flatpak doesn’t do anything similar.
> Evaluating Nix expressions is quite inefficient
You are right, but the results can be cached. With the experimental flakes it is quite fast.
> Worse is the cascading rebuilds that come with the Nix approach
Well, it is sort of a tradeoff of reproducibility. Also, there is work in progress to minimize rebuilds to only truly necessary changes.
> Also, Nix’s languages lacks domain abstractions for building packages
The language lacks them. The repo has a great deal of abstractions for many use cases, and so a trivial to build package will look almost the same as a JSON. And as you note, it is a tradeoff, but there are plenty of hard to package apps that benefit greatly from the more expressive language. Also, there is plenty of auto-updaters that can automatically create PRs for eg new python packages, since it is more often then not just a version and hash change away, so package description manipulation is possible this way as well.
> OSTree uses a content-addressable store for all files, giving Flatpak deduplication for free
Correct me if I’m wrong, but it is necessary because flatpak uses the docker-like model, in that the same shared dependency is “theoretically” copied in each package, even if it is the same version. So in a way they solve a self-created problem. nix on the other hand simply links the same shared library, no duplicated data.
You can optionally deduplicate when you install multiple versions of eg. libc. Nix can’t really prove whether the two “versions” are the same, and sometimes they may be identical, or identical in part (eg the man pages are the same, but the exe is not), in which case imo really elegantly, it can hard-link one to the other.
But the base state with only one version of a nix channel installed, you simply have no need for deduplication as opposed to the flatpak model, because you only get every package once.
One last point, a nix package may have less overhead, although it is I believe negligible in most cases since vms are quite light nowadays.
So I agree with you on the tradeoffs part, and I again apologize for dismissing the project - I really dislike the same uninformed attitude towards for example systemd or wayland. But I still believe that nix is the one doing something revolutionary.
> The only real problem is that the Gnome Software program lists these programs with a green "Sandboxed" badge when the app may have anywhere from full sandboxing, to literally no sandboxing.
The current mockups[1] for a UI refresh of GNOME Software have the “Sandboxed” badge and the permission details replaced by a context tile giving an overall “Safe”, “Potentially Unsafe”, or “Unsafe” rating, with additional indications and a safety dialog giving the full information. The ratings are determined from the permissions as well as license, whether the runtime is no longer supported, and whether the source is known.
> So now instead of simply backporting a patch to the distibution's openssl library, every single app maintainer of each app that uses it has to do this and provide an update.
That’s false. OpenSSL is part of the runtime[1] and only needs to be updated there.
Ok bad example then, and I didn't know that, but most libs are not part of the runtime :) I just mentioned openssl as an example of a frequently linked library.
> Almost all popular apps on Flathub still come with filesystem=host or filesystem=home permissions
TheEvilSkeleton counts them and 23 out of 50 is not almost all, so that is a technical falsehood, albeit not one that invalidates the author’s point. There are other falsehoods that do invalidate the author’s points. This one, for example:
> Two years is not enough to add a warning that an application is not sandboxed if it comes with dangerous permissions (like full access to your home directory)?
This is wrong because GNOME Software did, before the flatkill author’s 2020 update, add a warning (which is missing from the author’s screenshot) indicating that the app has high permissions and can access all files and folders (it’s still described as sandboxed, which technically it is, just with the ability to escape the sandbox; further changes to GNOME Software to make this clearer are already planned). The author’s screenshot was presumably taken using an outdated version of GNOME Software; they should have checked more recent versions before making claims about what features developers did or did not add.
And here’s another falsehood:
> So I need to run multiple fcitx daemons on my desktop and switch between them as I switch flatpak apps depending on which fcitx libraries are bundled with that app
The flatkill author misunderstood the implications of the bug report (in addition to seemingly misunderstanding where fcitx comes from; it’s part of the runtimes, rather than being bundled with each app). The issue was caused by a change in Flatpak, fixed in fcitx, and there is no need for the fcitx versions to match going forward.
> That would be tough because the developer would have to integrate with flatpak APIs, and I don't think flatpak is big enough for developers to care.
For GTK apps, they don’t need to do anything different, as GtkFileChooserNative[1] is recommended for non-sandboxed apps as well. GtkFileChooserNative has glib call the D-Bus API (which is proxied inside the sandbox) for the FileChooser portal[2]. The backend running outside the sandbox (xdg-desktop-portal-gtk for GNOME/GTK; there are also backends maintained by KDE and wlroots developers) shows a file chooser and makes any file (since March 2020, there is also support for folders) selected by the user available inside the sandbox using the Documents portal.
Also the portal APIs are not specific to Flatpak. They can be used by any sandboxing framework that wants to benefit from the work already done to integrate them.
Some apps don’t use GTK or Qt, some apps (like GIMP) still use GTK 2, which doesn’t have GtkFileChooserNative, and some apps haven’t been ported from GtkFileChooserDialog to GtkFileChooserNative (or can’t be ported yet because of missing features in the latter). And the Documents portal doesn’t work perfectly for all use cases: There are issues with getting notified when a file is modified externally and with getting the path of the file outside the sandbox (to display it to the user, if that’s desired).
Major GUI frameworks agree with you and have already adopted this approach and it is already used by many applications, and this has already been the case for years.
