Flatpak builds are not reproducible and why that's a practical problem

jerm · March 27, 2024, 2:46pm

Guix >>>

lepras · March 27, 2024, 3:04pm

jerm · March 27, 2024, 3:28pm

dngray · March 28, 2024, 8:32am

There’s also this counter article

jerm · March 28, 2024, 9:21am

They fixed some stuff..

from HN:

None of that debunks the 2020 article. It sounds like they kind of fixed some of the stuff a year later, but it’s still largely broken. Am I missing something?

Yeah, they “partially agree” for some point, and “partially disagree” for some other point. Does not sound like they “debunk”.

EDIT: response to FUD

jerm · March 28, 2024, 11:04pm

anon79740302 · May 25, 2025, 9:53pm

While I am by no means an expert on the matter, as far as I can tell, anti-Flatpak sentiment generally hinges on the perfect-solution fallacy sprinkled with misleading vividness (“a security nightmare”, anyone?).

However imperfect it may be, it’s still the best we’ve got right now. Incidentally, the now-recommended secureblue project pretty much arrives at the same conclusion.

At the very least, can we get rid of the references to the questionable (and likely outdated by now) flatkill.org? @dngray

On a slightly unrelated note, there’s this passage in the Linux overview, under System Counting:

This option is currently off by default. We recommend adding countme=false to /etc/dnf/dnf.conf just in case it is enabled in the future.

Properly speaking, there’s no way to disable it globally. Further reading:

asanyan · May 26, 2025, 3:51am

Disagree, you can install distro packages instead and sandbox them.

crossroads · May 26, 2025, 4:56am

Good overview of current status and possible improvements

anon79740302 · May 27, 2025, 12:56pm

Hm… Is there any how-to on the matter you would recommend?

Well, that does sound concerning. Time will tell, I guess.

asanyan · May 27, 2025, 7:14pm

Look into bubblejail. There’s a guide in the community wiki for extra configuration

anon79740302 · May 31, 2025, 8:21pm

Alright, I finally got a round tuit…

A couple links for future audiences, since none were provided:

Yeah… Ain’t nobody got time for that. And even if Bubblejail is technically superior to Flatpak, the latter should be readily available on any major distro out there. Moreover…

Using distro packages generally means having to trust additional people (maintainers), whereas Flatpak apps are much more likely to be provided by developers themselves.

That said, I do not mean to dismiss Bubblejail outright, and may take a closer look at it eventually – if it ever lands in Fedora repositories.

asanyan · May 31, 2025, 10:09pm

It’s neither hard nor does it take much time.

You make a default profile with most stuff that you need and is safe to share and then use it as a template. If anything it takes considerably less time than to tweak every single flatpak with flatseal. And with bubblejail there’s no risk of accidentally launching something with excessive permissions and not realizing it.

At least there’s some curation with distro packages. Plus, half of the reason to sandbox your apps is to reduce trust in the developers.

There’s an unofficial package, though I haven’t tried it myself

Topic		Replies	Views
Could Ubuntu be a reasonably secure "just works" alternative to Fedora? Questions software	79	7390	November 4, 2025
To use flatpak or not use flatpak? Questions software	6	2112	June 9, 2024
VLC not updated for over a year on Linux - is it an issue? Questions software	5	895	June 22, 2025
Blog Post: Fedora Must (Carefully) Embrace Flathub [but Flathub must make some security improvements before that can happen] General	0	244	July 22, 2025
Ubuntu --> Fedora? General	28	3272	December 16, 2023

Related topics