How should I install apps that do not have a verified Flatpak version on a Fedora Atomic distro?

Fedora Atomic is recommended here, and the recommended way to use atomic distros is to use verified Flatpaks. How should I use/install apps that do not have a verified Flatpak version? Should I just install them in containers? Would it be a good idea to do this for things like Joplin, Signal and Steam? I am actually a Linux newbie (I use Fedora Kinoite) and not that tech-savvy, but I feel like I might have issues if I use these apps in containers (especially Steam: is it possible to allow apps in a container to access my other partitions so I can download big games, or will I need to create a Steam container in every partition (is this even possible?) or something like that?).

What are you trying to accomplish here at large? That’s my primary question.

But to address your other questions:

Check if the app in question has a website and how they recommend installing it. Any app package they support and release their app in is the way to go (even if it means it’s not Flatpak).

Follow the above advice. But for Signal, there is no official support from them on Fedora, only Debian/Ubuntu based distros. So I would not recommend installing the Flatpak Signal.

You can install Steam that works for you, no harm in that. A container is not needed for everything. But hence my primary question above.

I disagree unless OP’s threat model is particularly high. The norm on linux for ages has been community built and distro built packages. It’s only relatively recently that developers have started shipping their packages to users more directly. I would prefer an official version, but the Signal flatpak is well used and has a lot of eyes on it. I think it’s fine for most. Also see this relevant thread: Best way to install Signal on Fedora?

What kind of containers? Flatpaks are containerized by default and permissions can be managed using Flatseal. I don’t believe they’re particularly strong from a security perspective but I would expect them to be enough to keep your average proprietary apps away from important files etc.
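An added example, not written by anyone in this thread: permission changes made in Flatseal are stored as per-app override keyfiles, and the script below audits one for grants that weaken the sandbox. The sample override is constructed, and the choice of which grants to flag is this example's assumption, not an official list.

```python
import configparser

# Constructed sample in the keyfile format Flatpak uses for per-app overrides
# (user overrides live in ~/.local/share/flatpak/overrides/<app-id>).
SAMPLE_OVERRIDE = """\
[Context]
filesystems=home;/mnt/games;xdg-download:ro;!xdg-documents;
sockets=x11;wayland;
devices=all;
"""

# Assumption of this example: these grants are the ones treated as "broad".
BROAD_FILESYSTEMS = {"host", "host-os", "host-etc", "home"}
ACCESS_SUFFIXES = {"ro", "rw", "create"}


def _items(value):
    """Split a ';'-separated keyfile list, dropping empty trailing entries."""
    return [v.strip() for v in value.split(";") if v.strip()]


def audit_override(text):
    """Return (kind, value, reason) tuples for grants worth reviewing."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keyfile keys are case-sensitive
    parser.read_string(text)
    if not parser.has_section("Context"):
        return []
    ctx = parser["Context"]
    findings = []
    for entry in _items(ctx.get("filesystems", "")):
        if entry.startswith("!"):
            continue  # "!" revokes access, so it is not an exposure
        path, sep, suffix = entry.rpartition(":")
        if not sep or suffix not in ACCESS_SUFFIXES:
            path = entry  # no access suffix present
        if path in BROAD_FILESYSTEMS:
            findings.append(("filesystem", entry, "broad host/home access"))
        elif path.startswith(("/", "~/")):
            findings.append(("filesystem", entry, "extra path outside sandbox"))
    if "x11" in _items(ctx.get("sockets", "")):
        findings.append(("socket", "x11", "X11 is shared with all other X clients"))
    if "all" in _items(ctx.get("devices", "")):
        findings.append(("device", "all", "every device node is exposed"))
    return findings


if __name__ == "__main__":
    for kind, value, reason in audit_override(SAMPLE_OVERRIDE):
        print(f"{kind:10} {value:12} {reason}")
```
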

It’s Signal. A sensitive app for your sensitive info. It’s only wise to use the official package to use and install - only where available.

So you would also advise against using Molly?

It’s not something I actively recommend to people who may not know what they’re doing or who are new to these things.

Know your audience - is the key.

I’m going to second @JG in saying that, first and foremost, the answer to your question is “it depends”. What is your threat model? What tradeoffs are you willing to make?

I am a Fedora Atomic user and in most cases, if there isn’t a verified Flatpak, I just use the recommended installation method from the developers. I also use toolbox for command-line utilities sometimes, but most of what I use in that department I just compile and install myself.

If you’re going to install Signal desktop, I would suggest doing so in some sort of Debian container/VM since that is the only officially supported desktop platform. That being said, I’m also of the camp that prefers avoiding Signal desktop entirely in favor of strict mobile use. (Related: Is Signal Desktop considered safe to use?)

For Steam, I suggest looking up games you play in your search engine with something to the effect of “<game> flatpak issue”. If your threat model affords you the possibility of using the non-Flatpak version of Steam, you might find this preferable if there are any particular discrepancies in how you like to play your games (for example, modding Stardew Valley is (was?) different between Flatpak and non-Flatpak. Though it should be possible on either, I had a very hard time with getting it to work with the Flatpak version… which ultimately led to me switching off of it).

You very well might have issues regardless, to be fair. I recently had multiplayer in Stardew Valley completely unusable because of a glibc update fixing a security issue that was being misused by… quite a lot of programs, from what I hear. (See: Linux - Galaxy API not loading with glibc 2.41 | Stardew Valley Forums)

Again, it depends on your threat model, but if you aren’t at particular risk of targeted attacks, I think you’re probably best off doing whatever “just works” in this situation. I think if you’re in a situation that really warrants running steam in a container you might be better off rebasing to secureblue (which provides commands to install steam and restrict flatpak permissions for you - very user friendly IMO).

Beyond your threat model, another question to consider: you identify yourself as a “linux newbie” and “not that much tech-savvy” - that’s perfectly fine, but the question is, are you interested in changing that? Identifying yourself as such might bias answers towards “easy” at the cost of “effective”. If you’re willing to face some challenges and learn a few things, though, it might change the advice people have to offer. It also might not! Just something to consider.

Since it uses Electron, it suffers the same problem as Chromium browsers: their sandbox not working or requiring hacky replacements.

I generally try to follow the recommendations around atomic distros. I chose it because I like the idea that I mostly can’t easily make it unusable, and even if I somehow do something like this I can just use a previous snapshot (I also like the stability and the kind-of-rolling release Fedora has). As I remember, it is recommended to use Flatpaks if available, then containers and then layering. At first I thought that all Flathub apps are from developers, but then figured out they are not. I am not very comfortable with using a 3rd-party app, especially for something as important as a note-taking or communication app or something like Tor. Also, as I understand it, containers (and Flatpaks, which are basically containers too, as I understand) help with keeping my system clean and not cluttered, and if I need to delete something I would just delete the container and not need to deal with leftovers (that is what I disliked in Windows a lot).

But as I understand, developers rarely write instructions for immutable distros. Do you layer them? Or do you mean that you just do these recommendations in toolbox or distrobox containers?

I think you misunderstood. I meant, if the dev makes their app available for Linux that can be installed on your distro, then your distro is supported, Atomic or not.

If the recommended method to install fizzbuzz is:


dnf install fizzbuzz

The atomic equivalent is almost certainly rpm-ostree install fizzbuzz (as you said, layering). If it doesn’t have a GUI[1], you can also use toolbox if you want. If you use toolbox the command doesn’t change, you just need to create the toolbox and enter it.

i.e.
toolbox create fizzbuzz
toolbox enter fizzbuzz
sudo dnf install fizzbuzz

When it comes to toolbox vs layering, I generally prefer to layer. Most packages I install are things I use constantly, and separating them out into toolbox containers makes them less accessible and sometimes breaks them, so it doesn’t really make sense to. I also find the few toolbox images I use don’t actually stop running every time I exit them, and that annoys me.


“Download and unzip fizzbuzz.tar.gz”

I haven’t had a situation where you can’t just do that. This is what I would recommend for Tor Browser, for example, since that is the normal method of installation for Linux. (though you might also consider Tails for Tor specifically)


Compile it yourself

Rarely the only option, but shouldn’t be any different on atomic.


Bear in mind a lot of Flatpaks also leave things behind when uninstalled. After uninstalling, the store page in Discover can tell you if data/settings are still on your system.

In general, what you consider cluttered/clean may differ from me. But in my experience, most programs leave any data in predictable places that I can easily remove if needed.

Also consider that rpm-ostree makes it easy to see which packages you layered. A list like that helps with cleanup, IMO.


  1. I have also been able to run GUI programs in toolbox, but I find it tends to be a poor experience.

If it’s a desktop or laptop with FDE, I think there’s more chance of being hit by a meteor than of someone accessing your PC data. Unless you are targeted by the state or highly skilled hackers, in which case you have bigger problems, and probably shouldn’t use this OS at all.

In many PG forum threads, it is not recommended to install browsers as flatpaks (because browsers have their own isolation system).

So I wonder what is the best way to install a browser (I am thinking in particular of Brave and Mullvad) on an atomic version of Fedora:

- Should I follow Fedora’s recommendation to use flatpaks first?

- Or should I use another method, and if so, which one (layering/toolbox)?

Layer your browser.

Browsers should be layered (just like Firefox is by default). I don’t think Tor Browser is available as an RPM, though, so for that in particular I defer to my earlier statement:

There is torbrowser-launcher

The answer is it varies.

Flatpak (Only officially verified if possible) or
rpm-ostree or
Toolbx/Distrobox

For example, you may have a chromium browser officially verified available as a flatpak. Should you install that way? Probably not.

Depending on the application that you are installing, it may be better installed in a certain way. Browsers are in this “funny” category where installing from a distro repo, or even from the tar.xz with some Linux kernel security module that provides mandatory access control, seems a bit more secure, assuming that it is maintained properly by the project owner with a very good frequency.