Choosing between Flatpak and RPM

Software supply chain impact from using Flatpak is a concern. Packages from the Fedora project and RPM Fusion have garnered a level of trust that contributes to its brand value immensely. The infrastructure that is in place for a package to be included in a Fedora repo automates some of this. There will always be room for improvement, but I am using Fedora in large part because of the reputation Fedora people have for being concerned about security and privacy, and the response that occurs when an incident happens.

Flatpaks from Fedora have been advertised as having been built from the same RPMs as are in the same version's yum repos, so the supply chain can be considered identical.

Flatpaks from Flathub bring a very large separate software supply chain into view. Runtimes from freedesktop are even a bit of a newcomer, as it takes a lot to build trust into a brand. But every app brings in additional dependencies that are not written in-house, and there is no easy way to vet them that I know of. Also, all the isolation Flatpaks offer is set by the app. An administrator or user can adjust it, but current apps give themselves much more privilege than the minimum necessary, though there may be exceptions.

I have not seen an analysis of any app. It sounds like an interesting project, so I will continue to pursue it. But if the amount of storage consumed is any indication, it is going to be a lot of work. For instance, I installed a fairly minimal Fedora so there was just enough to run LibreOffice, Firefox and Thunderbird. One test case was installing LibreOffice, Firefox and Thunderbird as RPMs. The other was the same base system with Flatpaks; no additional RPMs were needed, as they were all part of the base system for both test cases.

Flatpak version:
Filesystem        Type      Size  Used Avail Use% Mounted on
devtmpfs          devtmpfs  4.0M     0  4.0M   0% /dev
tmpfs             tmpfs     3.9G     0  3.9G   0% /dev/shm
tmpfs             tmpfs     1.6G  1.2M  1.6G   1% /run
/dev/mapper/rvg-r xfs        22G  6.5G   16G  30% /
tmpfs             tmpfs     3.9G  8.0K  3.9G   1% /tmp
/dev/vda2         ext4      974M   64M  843M   7% /boot
/dev/vda1         vfat      639M  7.1M  632M   2% /boot/efi
tmpfs             tmpfs     792M   24K  792M   1% /run/user/42
tmpfs             tmpfs     792M   12K  792M   1% /run/user/9999

RPM version:
Filesystem       Type      Size  Used Avail Use% Mounted on
devtmpfs         devtmpfs  4.0M     0  4.0M   0% /dev
tmpfs            tmpfs     3.9G     0  3.9G   0% /dev/shm
tmpfs            tmpfs     1.6G  1.2M  1.6G   1% /run
/dev/mapper/os-r xfs        22G  3.5G   19G  16% /
tmpfs            tmpfs     3.9G  8.0K  3.9G   1% /tmp
/dev/vda2        ext4      974M   64M  843M   7% /boot
/dev/vda1        vfat      639M  7.1M  632M   2% /boot/efi
tmpfs            tmpfs     792M   24K  792M   1% /run/user/42
tmpfs            tmpfs     792M   12K  792M   1% /run/user/9999

base:
rpm -qa | wc -l
891
Filesystem       Type      Size  Used Avail Use% Mounted on
devtmpfs         devtmpfs  4.0M     0  4.0M   0% /dev
tmpfs            tmpfs     3.9G     0  3.9G   0% /dev/shm
tmpfs            tmpfs     1.6G  1.2M  1.6G   1% /run
/dev/mapper/os-r xfs        22G  2.1G   20G  10% /
tmpfs            tmpfs     3.9G  8.0K  3.9G   1% /tmp
/dev/vda2        ext4      974M   64M  843M   7% /boot
/dev/vda1        vfat      639M  7.1M  632M   2% /boot/efi
tmpfs            tmpfs     792M   24K  792M   1% /run/user/42
tmpfs            tmpfs     792M   12K  792M   1% /run/user/9999
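The point above that a Flatpak's isolation is whatever the app grants itself, and that a user can tighten it, can be checked one app at a time. The script below is an added example and not part of the original post: it reads the `[Context]` and `[Session Bus Policy]` sections in the format printed by `flatpak info --show-permissions <app-id>`, lists the grants that hand the app a large share of the host (whole-filesystem or home access, all devices, the X11 or D-Bus session sockets, shared IPC, and `talk` access to `org.freedesktop.Flatpak`, which lets a sandboxed app run commands on the host), and prints the `flatpak override --user` commands that would remove them. The permission text and the app id `org.example.App` are constructed for the example; on a real system, pipe in the output of `flatpak info --show-permissions` for the app you are auditing.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Flatpak app's static
# permissions for broad grants and print the override commands that drop them.

# Constructed sample in the format of `flatpak info --show-permissions APP`.
SAMPLE_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;all;
filesystem=host;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
'

# broad_grants: read permission metadata on stdin, print one broad grant per
# line as key=value (D-Bus policy lines are prefixed "bus:"). Exit status is 0
# when at least one broad grant was found, 1 otherwise.
broad_grants() {
  awk -F'=' '
    /^\[/ { section = $0; next }
    section == "[Context]" {
      key = $1
      n = split($2, vals, ";")
      for (i = 1; i <= n; i++) {
        v = vals[i]
        if (v == "") continue
        sub(/:r[ow]$/, "", v)   # treat host:ro / home:ro like host / home
        if ((key == "filesystem" && (v == "host" || v == "host-os" || v == "host-etc" || v == "home")) ||
            (key == "devices"    && v == "all") ||
            (key == "sockets"    && (v == "x11" || v == "session-bus" || v == "system-bus")) ||
            (key == "shared"     && v == "ipc")) {
          print key "=" v
          found = 1
        }
      }
    }
    # talk access to the Flatpak portal service allows spawning host commands
    section == "[Session Bus Policy]" && $1 == "org.freedesktop.Flatpak" && $2 == "talk" {
      print "bus:" $1 "=" $2
      found = 1
    }
    END { exit found ? 0 : 1 }
  '
}

# override_commands APP: read broad_grants output on stdin and print the
# per-user `flatpak override` command that removes each grant. Nothing is
# executed; review the list, then run the lines you agree with.
override_commands() {
  app="$1"
  while IFS= read -r grant; do
    case "$grant" in
      filesystem=*) printf 'flatpak override --user --nofilesystem=%s %s\n' "${grant#filesystem=}" "$app" ;;
      devices=*)    printf 'flatpak override --user --nodevice=%s %s\n' "${grant#devices=}" "$app" ;;
      sockets=*)    printf 'flatpak override --user --nosocket=%s %s\n' "${grant#sockets=}" "$app" ;;
      shared=*)     printf 'flatpak override --user --unshare=%s %s\n' "${grant#shared=}" "$app" ;;
      bus:*)        name=${grant#bus:}; name=${name%%=*}
                    printf 'flatpak override --user --no-talk-name=%s %s\n' "$name" "$app" ;;
    esac
  done
}

# Demonstration on the constructed sample; replace with
#   flatpak info --show-permissions org.example.App | broad_grants | override_commands org.example.App
printf '%s' "$SAMPLE_PERMS" | broad_grants | override_commands org.example.App
```

Dropping a grant can break an app that genuinely relies on it: an office suite with `filesystem=host` removed can only open files through the file-chooser portal, and an X11-only app will not start without `sockets=x11`. Apply one override at a time, exercise the app, and use `flatpak override --user --show org.example.App` to see what is in effect or `flatpak override --user --reset org.example.App` to return to the app's own defaults.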