this post was submitted on 08 Jul 2023
237 points (94.1% liked)

Linux

48141 readers
522 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

A new ‘app store’ is expected to ship as part of Ubuntu 23.10 when it’s released in October — and it’ll debut with a notable change to DEB support.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 37 points 1 year ago (4 children)

I never found out what's wrong with APT.

[–] [email protected] 5 points 1 year ago
[–] [email protected] 3 points 1 year ago (2 children)

Aren't you sorta trusting whoever wrote any package you install with root? I mean, you should have that attitude anyhow as packages have a huge attack surface so privilege escalation bugs are way more common than remote execution but still, flatpak and snap at least offer a bit of a sandbox which might improve...

[–] [email protected] 7 points 1 year ago

Depends on your distro and what's available in the repo. With default repos you're more trusting the distro developer to vet packages.

I trust debian for that. It's been a while since I used Ubuntu so I don't remember how their repos are set up but the debian team is notoriously conservative with their repos.

[–] [email protected] 4 points 1 year ago

The track record has been very good as far as i know with thousands of packages over the years so I doubt if there is a real problem to be solved here.

[–] [email protected] 3 points 1 year ago

I do wish APT supported installing certain packages locally. Other than that, I'm more likely to use it than Snap/Flatpak/etc

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

APT is not good at managing dependency hell. This is a common problem for all package managers that don't typically bundle dependencies. You can get 30000 open source packages from trusted sources having a maintainer working on each to all share the same dependencies for an OS release. That's what Debian does. However it's a lot of work and that works increases significantly when you try to do it for a piece of software across OS releases.

Read - it's difficult for LibreOffice or Mozilla to ship a new version of their software that works on several Debian or Ubuntu releases. It's also difficult for maintainers to do that.

You could of course include dependencies in debs, but then you're increasing the security attack surface of the OS, because there's no sandbox around those bundled dependencies. Bundling dependencies requires sandboxing to be safe. Otherwise whenever there's a security hole in one library in package X, package X might patch it, but the same library might exist in another 50 packages on the system unpatched.

This is a solved problem. It was done in Android, iOS, BlackBerry 10 and probably others. All OSes that had to deal with more than 30000 packages, open source or proprietary, from trusted or untrusted sources. Bundle non-system dependencies and confine in a sandbox. Snap's been doing this ever since it was called Click. Flatpak didn't have the sandbox part for a while if I'm not mistaken. I'm not sure what its current sandbox state is.

There are other issues with APT/deb but managing dependencies without sandboxing is probably the most fundamental one since dependency management is one their fundamental purposes.