Snaps, Flatpaks or Debs: Package Management hell

Snaps, Flatpaks or Debs? No idea what I'm talking about? These are the three competing package management, hm, 'standards'(?) currently supported in Ubuntu Linux.

Ubuntu draws from the Debian repositories upstream to assemble and add to the distribution, as do a slew of other Linux distributions from Mint to Puppy and many between. The default package format for all of these is the .deb. So why do we need the others?

Flatpak is emerging as a cross-distribution solution touted as a Linux 'standard'. Although you can opt to manage software using Flatpaks in Ubuntu, that's not where the main argument is right now; it's .debs versus Snaps.

The trouble with .debs comes with 'dependency hell'; you try to install something and it claims dependencies on other libraries, or particular versions of other libraries for compatibility. You try to install the dependent library and it clashes with a newer version you already have. Uninstall that for the older one, and a bunch of other software on your machine breaks.

The other problem is security. A .deb is not bound by security restrictions beyond that of the user permissions under which it was installed. Some .deb executables can be negligent, reckless or cavalier in their approach to security.

So Canonical is attempting to push its own alternative format for package management to address these concerns, taking a leaf out of Apple's 'walled garden' approach to building a standards-compliant (even if it's their own) repository of Ubuntu-safe software.

The Snap format has a theoretical advantage over the well-established .deb.

All dependent libraries are bundled within the Snap, ensuring that you're running exactly what the developer tested and supports. While Snaps are larger, updates are done with deltas, not huge downloads. Snaps are also ring-fenced; if you remove one, all of its data and dependencies go with it. And in theory Snaps are confined, so you don't have to blindly trust the snap publisher; it doesn't own your system (although some special Snaps aren't isolated, needing a special install, and some snaps use interfaces which are inherently insecure, such as X11).
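To see which installed snaps fall outside that confinement, here is an added example (not part of the original post) that filters the output of `snap list` and `snap connections`. It assumes the usual column layout of those commands, treats a `classic` or `devmode` entry in the Notes column as "not strictly confined", and runs on constructed sample output; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit helpers that read snap CLI output on stdin.
# Function names are hypothetical; the sample output below is constructed.

# Names of snaps whose Notes column (last field of `snap list`) contains
# "classic" or "devmode", i.e. snaps that are not strictly confined.
unconfined_snaps() {
    awk 'NR > 1 {
        n = split($NF, notes, ",")
        for (i = 1; i <= n; i++)
            if (notes[i] == "classic" || notes[i] == "devmode") { print $1; break }
    }'
}

# Names of snaps with a connected x11 plug, from `snap connections` output.
# A slot of "-" means the plug is declared but not connected, so it is skipped.
x11_snaps() {
    awk 'NR > 1 && $1 == "x11" && $3 != "-" { split($2, p, ":"); print p[1] }' | sort -u
}

# Constructed sample of `snap list` output.
SAMPLE_LIST='Name     Version   Rev   Tracking       Publisher    Notes
core20   20230801  2015  latest/stable  canonical**  base
firefox  118.0     3206  latest/stable  mozilla**    -
code     1.82.0    140   latest/stable  vscode**     classic
mytool   0.1       x1    -              -            devmode,disabled'

# Constructed sample of `snap connections` output.
SAMPLE_CONNECTIONS='Interface  Plug             Slot      Notes
network    firefox:network  :network  -
x11        firefox:x11      :x11      -
x11        mytool:x11       -         -
home       firefox:home     :home     -
x11        vlc:x11          :x11      -'

echo "Not strictly confined:"
printf '%s\n' "$SAMPLE_LIST" | unconfined_snaps
echo "Connected to X11:"
printf '%s\n' "$SAMPLE_CONNECTIONS" | x11_snaps

# On a real system:
#   snap list | unconfined_snaps
#   snap connections | x11_snaps
```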

But all is not clear-cut with Snaps. In an unpleasant reflection of Windows 10, Snaps always update automatically; the best you can do is delay it. Snapped apps may not handle well having an upgrade happen underneath them while they're running. With Snaps criticised as slow, bloated, potentially insecure owing to out-of-date dependencies and a pain to use with unofficial repositories, the die-hard advocates of .debs and the Apt installer framework point to the advantages of the established system.

They will point to smaller package sizes (debs don't need to bundle their dependencies), better theme integration for GUI apps, and the fact that .debs effectively get 'peer-reviewed' by the wider community, not just the publisher. APT is fast, lightweight, allows for easy patching of system libraries and is widely used across distributions and third-party repos.

I've frequently pulled in executables and system libraries from Mint in order to fulfil a specific application need. Okay, I need to know how to troubleshoot compatibility and source the right versions from reliable sources, but if the equivalent Snap doesn't work or doesn't exist, what do you do?

There are lots of spurious arguments about updates and schedules and sourcing third party packages. Third party Snaps are as much of a liability for security and compatibility as .debs and you can side-load them outside of the Canonical repositories the same as third party .debs. They can all get bug fixes and security updates at any time.

As Canonical ploughs on with its Snap architecture for package management to try to reduce the inconsistencies with .debs and the whole apt infrastructure (a laudable aim), it's amusing to see that Snap versions of Calculator, Characters and Logs apps which shipped in the last few releases have been removed from the default install of 20.04 and replaced with the respective apt versions!

Right now Snap is a niche Ubuntu-only solution, which is something the wider Linux community dislikes. There's no guarantee it won't be abandoned in favour of Flatpak - remember what's happened with Unity and Canonical's other in-house inventions. The jury is still out. RC
