Flatpak Primer

I’m still working to get my head wrapped around the flatpak vs. rpm discussion and I’m trying to understand how flatpaks work. Is it correct to suggest that flatpak “brings” its own libs with it, so it’s siloed and “more secure” because of that? If so, does that mean if multiple apps use the same libs but are installed “flatly” then there would be much more space consumed? Or, is there almost like a “shared” flatpak lib dir? If so, wouldn’t that just make it an rpm install?

If all this is adequately covered by an only FAQ or wiki, could someone point me to it because I haven’t been able to find one…

Thanks, everyone!

1 Like

Flatpaks have both bundled libs and can leverage shared runtimes also installed via flatpaks.

Flatpaks use vastly more disk space than rpms.

Flatpaks are partially sandboxed depending on how they are configured. Flatpak permissions are not very granular.

If you don’t want to read the docs, an easy way to see how they work is to install a couple of flatpaks and flatseal. You quickly see how much disk space they consume and flatseal will show you how the permissions work.

Other then the bandwidth consumed, there is very little harm in installing some flatpaks. You can easily remove them all if you want to.

To give you an idea, I have 3 flatpaks installed. flatseal, librewolf and zoom.

Name                                            Version                 Branch          Installed size
Flatseal                                        1.7.4                   stable            2.6 MB
LibreWolf                                       92.0.1-1                stable          225.4 MB
Freedesktop Platform                            20.08.15                20.08           740.5 MB
Freedesktop Platform                            21.08.4                 21.08           557.0 MB
Mesa                                            21.1.7                  20.08           313.2 MB
Mesa                                            21.2.2                  21.08           375.5 MB
ffmpeg-full                                                             21.08            10.8 MB
openh264                                        2.1.0                   2.0             778.2 kB
GNOME Application Platform version 40                                   40              979.8 MB
Zoom                                            5.7.31792.0820          stable          141.3 kB

flatpaks have 2 differing install modes. --system which makes the packages/libraries available to all, and --user which makes the package only available to the user installing them.

In --user mode everything is restricted to the users home directory tree so things are containerized and almost 100% self contained. Yes this means duplicated libraries/etc. for many packages.
In --system mode some is installed system wide and if already available is not duplicated.

A start on documentation is here.

If you have the flatpak app installed and enabled the repo then “man flatpak” will give you a lot of info as well.

A lot more info is available at https://www.flatpak.org


Thanks, @dalto and @computersavvy

So, as for disk space, flatpaks are “bulkier,” but possibly more secure due to the sandboxing nature; what about memory usage? I’ve seen many anecdotal points about flatpaks being slower, but my thoughts were that because all the libs are “in one place,” they should actually be faster. No?

I have a few installed already and have always found Flatseal to be genius!

Do you happen to know, @computersavvy, if flatpak installs default to --user or --system?

It should be similar.

They aren’t actually all in one place but even if they were, that wouldn’t have any material impact on performance.

On Fedora it defaults to system for me. flatpak list will show you if they are system or user.

1 Like

Fair enough… It would seem Fedora’s default is, indeed, --system because that’s mine, too.

Using own libraries consumes more memory in general due to not using shared libraries.
Also own libraries mean a lot of potentially outdated libraries with known vulnerabilities.

Moreover, security benefit is mostly theoretical and depends on the vendor implementation.
Many vendors do not use isolation, and it can be silently disabled upon the package update.



EDIT: …and Flatpak Concepts :: Fedora Docs


Thanks, @augenauf; I checked those sources out before I posted and just didn’t think they provided a comprehensive discussion of how flatpaks use resources and shared libs.

Good points, @vgaetera; I appreciate your thoughts!

That’s where the Wiki page may be incorrectly stating that flatpaks are isolated/sandboxes without access to the host system.

1 Like

I think there may be a distinct difference in security due to the way installed. If installed as user they likely are more secure than when installed as system apps, if for no other reason than the libraries are also user owned as is the app itself and everything is installed under the users home directory.

I don’t think that increases security in any tangible way. Having everything be installed in the users home directory isn’t more secure.

1 Like