I’m currently using Fedora 40 as my OS. I’ve been mostly downloading all my software through Flatpaks since, some while back on the website, all Linux software downloads would link you to Flathub.
I’ve recently noticed that the website does still link Flathub BUT also links to actual Linux installations of some software, and that the Knowledge Base Archive has been unlinked from the website due to being outdated (it contained an article about Linux sandboxing that suggested Flatpaks).
So, what exactly is the best approach to Flatpaks? Should you try to have nearly all you can on Flatpaks, or doesn’t it matter? (I did read somewhere in the forum that, if the goal is to have everything on Flatpaks, you should use Silverblue instead.)
When I was using Fedora, my approach was to keep proprietary software in Flatpak because of sandboxing, and use everything else from distro repositories unless it’s missing or a very old version. This way I had fewer issues with OS integrations like wrong fonts in the Firefox Flatpak.
After moving to Ubuntu, I don’t really care much about where software comes from, as both debs and snaps work well.
As a Fedora user you actually have 3 choices in many cases:
Fedora’s official repositories (traditional / rpm packages)
Flatpaks from Flathub
Flatpaks from Fedora’s official Flatpak repository
I don’t have a simple and definitive answer for you, but here are two things you should understand about Flatpak and Flathub.
Flathub is a repo that has some verified and vetted software; it also has a lot of unofficial software that is submitted and maintained by individuals from the community who are not affiliated with the developer or with Flathub. In the case of unofficial software, you should be cautious and vet it yourself to the extent you can, or choose a different option.
Flatpaks are intended to be sandboxed. But sandboxing depends on the packager/publisher of the individual Flatpak, so you shouldn’t count on all (or even most) Flatpaks being properly sandboxed at this point in time.
Personally, I don’t have a super defined strategy. Typically if it’s (1) proprietary or (2) something I’m just testing out and will probably uninstall, I opt for Flatpaks. If it’s something that needs or would benefit from deep integration with the OS, I tend to opt for traditional packages. Beyond that I don’t really have a super strong preference one way or the other.
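The two points in the post above (unofficial Flathub submissions, and sandboxing that is only as tight as the packager made it) mean the practical check is to read what a given Flatpak actually asks for before trusting it. The following POSIX shell script is an added example, not code from anyone in this thread or from the Flatpak project: it parses the [Context] and D-Bus policy sections of a Flatpak metadata file (the format that `flatpak info --show-metadata <app-id>` prints on a real system) and flags the grants that amount to a sandbox escape. The two manifests it reads are constructed for the demo; the app ID com.example.UnofficialApp and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Flatpak metadata file for permissions that undo the
# sandbox. Input format is what `flatpak info --show-metadata <app-id>` prints.

# Print one "RISK <section> <key>=<value> : <reason>" line per risky grant.
audit_flatpak_metadata() {
    awk '
    /^\[.*\]$/ { section = $0; next }        # INI-style section header
    /^[[:space:]]*$/ || /^#/ { next }        # skip blanks and comments
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
    }
    section == "[Context]" {
        n = split(val, items, ";")           # values are ;-separated lists
        for (i = 1; i <= n; i++) {
            v = items[i]
            if (v == "") continue
            base = v; sub(/:.*$/, "", base)  # drop :ro / :rw / :create suffix
            ro = (v ~ /:ro$/)
            reason = ""
            if (key == "filesystems" && !ro && (base == "host" || base == "host-os" || base == "host-etc" || base == "home"))
                reason = "writable access to the host filesystem or home directory"
            else if (key == "sockets" && (v == "session-bus" || v == "system-bus"))
                reason = "unfiltered D-Bus access sidesteps the portal model"
            else if (key == "sockets" && v == "x11")
                reason = "X11 gives no isolation between clients"
            else if (key == "devices" && v == "all")
                reason = "every /dev node is exposed"
            else if (key == "features" && v == "devel")
                reason = "devel permits ptrace and similar debugging calls"
            if (reason != "") print "RISK", section, key "=" v, ":", reason
        }
    }
    section == "[Session Bus Policy]" || section == "[System Bus Policy]" {
        if (key == "org.freedesktop.Flatpak" && (val == "talk" || val == "own"))
            print "RISK", section, key "=" val, ": lets the app run commands on the host via flatpak-spawn --host"
    }
    ' "$1"
}

# Echo only the number of risky grants (a convenient pass/fail signal).
count_risky_grants() {
    audit_flatpak_metadata "$1" | wc -l | tr -d ' '
}

# Constructed manifest of an over-permissioned app (hypothetical app ID).
write_weak_metadata() {
    path=$(mktemp)
    cat > "$path" <<'EOF'
[Application]
name=com.example.UnofficialApp
runtime=org.freedesktop.Platform/x86_64/23.08
command=unofficialapp

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;all;
filesystems=host;xdg-download:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
EOF
    echo "$path"
}

# The same app with its manifest tightened to what it plausibly needs.
write_strict_metadata() {
    path=$(mktemp)
    cat > "$path" <<'EOF'
[Application]
name=com.example.UnofficialApp
runtime=org.freedesktop.Platform/x86_64/23.08
command=unofficialapp

[Context]
shared=network;
sockets=wayland;pulseaudio;
devices=dri;
filesystems=xdg-download:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk
EOF
    echo "$path"
}

# Stand-alone demo: audit the weak manifest, then the tightened one.
weak=$(write_weak_metadata); strict=$(write_strict_metadata)
audit_flatpak_metadata "$weak"
echo "weak manifest risky grants: $(count_risky_grants "$weak")"      # 5
echo "strict manifest risky grants: $(count_risky_grants "$strict")"  # 0
rm -f "$weak" "$strict"
```

On a real Fedora system you would feed it `flatpak info --show-metadata <app-id> > metadata.txt` and, for grants you decide to withdraw, narrow them per app with `flatpak override --user` (for example dropping `--filesystem=host` in favour of a single directory); the script only reports, it does not change anything.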
I use Arch on my desktop as a base for the applications I run. 99% of them are Flatpaks. Even the GNOME apps that came when I installed the DE, I replaced with their Flatpak alternatives. That’s how sold I am on Flatpaks.
On the flip side, my apps just run. I don’t have to worry about conflicting dependencies or any issues with system libraries. If I catch a bug, 9/10 times it’s an upstream bug, not a distro bug. But the 1/10 times it’s a Flatpak bug, it can be a bit difficult to find an answer due to limited support. The good thing is I currently don’t have an issue that is so much of a blocker that I have to abandon the Flatpak in favor of the repo package.
Nevertheless, I wish more and more people got a taste of the brilliance of Flatpaks.
Along the same lines as the original question: for Flatpak applications running on Fedora, are you creating SELinux profiles for them, or just assuming that the sandbox level of those applications is secure enough?