Is it good to use both Snap and Flatpak? Or just one of them!

Hey, as someone new to Linux,
while I prefer to install apps from RPM,
some apps are only available in Snap and Flatpak.

So as a Linux newbie I have a few questions:

  1. If I install some apps from Snap and other apps from Flatpak, will it hurt my machine performance-wise?

  2. Or should I only use either Flatpak (or Snap) to install these apps?

Thanks,

It’s fine to use flatpak and snaps. The only penalty is usage of disk space.

3 Likes

I don't mind the disk penalty.

Which way should I prefer to install apps?
Rpm > Flatpak > Snap
Or
Rpm > Snap > Flatpak

It is completely a personal preference.

I prefer flatpaks to snaps because snapd has a lot of telemetry built into it.

4 Likes

Flatpak and Snap are containerized apps … in Ubuntu you have Microsoft apps in snaps like Visual Studio Code, or simply .rpm in Fedora. You can mix them up as you like. The initial idea seems to be to put apps in a closed environment, moving away from weak open-source dependencies, but Fedora is backed by Red Hat so …

I use both and it works fine. :slight_smile:
v/r

Andi

1 Like

What precautions should I take when downloading via flatpak or snap? What is the way to know if there is no malicious code embedded in an app that I download?

The same as everyone else. Do your research.

If it is FOSS you can actually look at the code.
If you trust the developer/source then that is one factor.
If it is packaged and from a trusted source then it usually has been signed and the key provided.

Lots of factors and you have to decide what is acceptable risk for you.

3 Likes

Uninstalling could be something. On occasion you need to know how you installed it.

Flatpak was developed by Red Hat way back in 2009, followed by Canonical in 2014 with Click and Snap in 2016. Canonical is the commercial entity behind Ubuntu; Fedora is really close to Red Hat. The original idea is containerized apps reducing dependencies on outdated, obsolete or unreliable libraries. You can mix them with ease; the same app in both is probably a huge problem. Look up Wikipedia about Red Hat and Debian, the two sole active original Linux distributions, Ubuntu, Fedora, Flatpak, Snap … interesting …

1 Like

Fundamentally, whenever you are using any binary package regardless of format, you are trusting the packager. You are basically giving the packager the ability to install whatever they want to your machine.

With snap and flatpak the packager can be anyone so the first thing you should check is who the packager is. If it is the maker of the software then that is fairly safe if you trust the software itself.

Keep in mind that both snap and flatpak give you the ability to limit the amount of system resources the application can access via sandboxing. However, the defaults are set by the packager so make sure you review them before running the application. Further, even a fully sandboxed application can take malicious actions.

2 Likes

For Flathub, probably the most popular repository of flatpak applications, you can view the manifest files of any* of their applications on their GitHub page. Learn how the manifest document (.yml/.json) is used to construct the flatpak. Usually the source of the application is pulled straight from the project’s git repository. You can also view any additional scripts that are used in the construction of that particular flatpak. As for other flatpak repositories or snaps, I don’t know.

* Any application, with the exception of special apps that they host that are built directly by the source developer (e.g. Firefox).

1 Like

For example, this app is published by collaborators right? That is, it is not directly from the source developer, correct? So this is the type of app that could have malicious code in its source?

You can click on the link under Publishers to see who is maintaining the flatpak. But from there, it’s hard to tell if any of them are actually from Postman. So I would assume it’s all third party.

On the GitHub page, you can look at the application manifest file. From that you can see that the source for the application is from the developer’s download page:

url: https://dl.pstmn.io/download/version/9.16.0/linux64
…

filename: Postman.tar.gz

You can also see the exact commands that are used to build the application in the build-commands: section. To me this app doesn’t look suspicious.

1 Like
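The manifest review described in the last two replies (who publishes it, where the sources come from, what the build commands do, and the sandbox defaults mentioned earlier in the thread) can be partly automated. The script below is an added example, not code from the thread or from Flathub; it reads a JSON-form Flatpak manifest, flags finish-args that grant broad sandbox access, lists sources that are not pinned to a checksum or git commit, and collects the build commands for manual reading. The sample manifest is constructed: the app id, the second source and the sha256 value are placeholders, while the download URL and tarball name are the ones quoted above.

```python
"""Review a Flatpak manifest (JSON form) before installing: broad sandbox
permissions, sources that cannot be verified, and the build commands."""
import json

# finish-args that remove most of the sandbox's protection (real Flatpak
# permission names; the list is a starting point, not exhaustive).
BROAD_PERMISSIONS = {
    "--filesystem=host", "--filesystem=home", "--device=all",
    "--socket=session-bus", "--socket=system-bus",
    "--talk-name=org.freedesktop.Flatpak",
}

# Constructed sample manifest for the demonstration (not the Flathub one).
SAMPLE_MANIFEST = """
{
  "app-id": "com.example.Postman",
  "finish-args": ["--share=network", "--socket=x11", "--filesystem=host",
                  "--talk-name=org.freedesktop.Flatpak"],
  "modules": [{
    "name": "postman",
    "buildsystem": "simple",
    "build-commands": ["tar -xf Postman.tar.gz", "cp -r Postman/app /app/postman"],
    "sources": [
      {"type": "archive", "url": "https://dl.pstmn.io/download/version/9.16.0/linux64",
       "dest-filename": "Postman.tar.gz", "sha256": "PLACEHOLDER_SHA256"},
      {"type": "file", "url": "https://example.invalid/launcher.sh"}
    ]
  }]
}
"""

def unpinned_sources(module):
    """Sources whose content the manifest does not pin to a checksum/commit."""
    findings = []
    for src in module.get("sources", []):
        kind = src.get("type")
        if kind in ("archive", "file", "extra-data") and not (set(src) & {"sha256", "sha512"}):
            findings.append(f"{module['name']}: {kind} {src.get('url')} has no checksum")
        elif kind == "git" and "commit" not in src:
            findings.append(f"{module['name']}: git {src.get('url')} not pinned to a commit")
    return findings

def review_manifest(text):
    """Return a dict summarising what a reader should inspect by hand."""
    manifest = json.loads(text)
    report = {"broad_permissions": sorted(set(manifest.get("finish-args", [])) & BROAD_PERMISSIONS),
              "unpinned_sources": [], "build_commands": {}}
    for module in manifest.get("modules", []):
        if not isinstance(module, dict):   # modules may also be paths to other manifests
            continue
        report["unpinned_sources"] += unpinned_sources(module)
        if module.get("build-commands"):
            report["build_commands"][module["name"]] = module["build-commands"]
    return report
```

Running `review_manifest(SAMPLE_MANIFEST)` on the sample reports the two broad permissions, the unchecked `launcher.sh` download, and the two build commands to read before trusting the package.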

Ubuntu 22.04 LTS default installation uses Snap extensively, including Firefox, Thunderbird, … the only solution is confidence.