As a user, the best way to handle applications is a central repository where interoperability is guaranteed. Something like what Debian does with the base repos. I just run an install and it’s all taken care of for me. What’s more, I don’t deal with unnecessary bloat from dozens of different versions of the same library according to the needs of each separate dev/team.
So the self-contained packages must be primarily of benefit to the devs, right? Except I was just reading through how flatpak handles dependencies: runtimes, base apps, and bundling. Runtimes and base apps supply dependencies to the whole system, so they only ever get installed once… but the documentation explicitly mentions that there are only few of both meaning that most devs will either have to do what repo devs do—ensure their app works with the standard libraries—or opt for bundling.
Devs being human—and humans being animals—this means the overall average tendency will be to bundle, because that’s easier for them. Which means that I, the end user, now have more bloat, which incentivizes me to retreat to the disk-saving havens of repos, which incentivizes the devs to release on a repo anyway…
So again… who does this benefit? Or am I just completely misunderstanding the costs and benefits?
I’d agree with mainly the developers. And maybe sometimes me, when there isn’t a packaged version available.
But you’ll certainly lose the benefits your distro’s maintainers provide. They coordinate all the software and make sure it works together. Give it some polish, keep things updated, patch things when there’s a vulnerability. Strip tracking libraries and change default settings so it fits into your distro’s politics. And a flatpak doesn’t use the distro’s libraries which get maintained painstakingly by the maintainers. And distros oftentimes promise to maintain software for a certain timespan and not abandon it. (Of course in case you use a distro that does these things properly.)
You’re now at the mercy of whoever made that flatpak.
And like mentioned in this post you now have multiple sources of software and you have maybe 3 things to keep up to date instead of 1 that does this on its own.
And if there is a vulnerability in some library like there was with webp this week… The distros are likely to do something about it. And if you have several independent other versions of that library on your system, maybe you’ll stay vulnerable until a developer chooses to release a new version with a new or patched library. Some library package managers will show you open vulnerabilities while programming. But I’m unaware of such a thing being included into flatpak, snap etc. Your distro will have a mailing list or something like that.