this post was submitted on 04 Mar 2024
-1 points (0.0% liked)

Linux

48212 readers
1961 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Appimages totally suck, because many developers think they were a real packaging format and support them exclusively.

Their use case is tiny, and in 99% of cases Flatpak is just better.

I could not find a single post or article about all the problems they have, so I wrote this.

This is not about shaming open source contributors. But Appimages are obviously broken, pretty badly maintained, while organizations/companies like Balena, Nextcloud etc. don't seem to get that.

all 23 comments
sorted by: hot top controversial new old
[–] d3Xt3r@lemmy.nz 2 points 8 months ago* (last edited 8 months ago) (2 children)

I'm a Flatpak user myself, but a lot of those arguments against AppImage are outdated or invalid. Here are my counterpoints:

Usability issues

GearLever solves all the problems mentioned.

Updates

There are AppImages out there that self-update , but GearLever also solves the update issue. And if you don't want to use GearLever, there are other updaters like AppImageUpdate.

The lack of repositories
Appimages don't even have a central place where you can find them, not to mention download them.

This is blatantly wrong - AppImageHub exists for this very reason. There are also GUI frontends like AppImagePool which makes it easy to discover/download/install them.

Lack of Sandboxing

That is a fair point, however, AppImage never claimed to be a sandboxing solution, and for some use-cases this can even be seen as an advantage (any Flatpak user would've at some point run into annoying sandboxing limitations - such as password manager and browser integration, or themeing woes). But there are other sandboxing options out there, such as using containers, and IMO, using a proper container is a better option for sandboxing. Or even better, use a VM if you're actually running an untrusted app.

Random location
[..] A necessary step would be mounting the entire /home non-executable. This is no problem for system apps, or Flatpaks, but where do you put Appimages now?

There would need to be a standard directory to put such files in, which is normally the PATH. But this is also the easiest attack goal for malware, so PATH would be non-executable as well.

I completely disagree with making the entirety of /home as non-executable, when $HOME/.local/bin is recommended by the XDG standard as a place to store executables. As long as $HOME/.local/bin is in the XDG spec, I'll continue storing my executables there. If you disagree, go argue with the XDG guys.

Duplicated libraries

This is a fair point but "they include all the libraries they need" is the entire point of AppImage - so mentioning this is pointless.

If users would really install every Software as Appimages, they would waste insane amounts of storage space.

Then it's a good thing that they don't right? What's the point of making hypothetical arguments? Also, this is 2024, storage is cheap and dedicating space for your applications isn't really a big deal for most folks. And if storage space is really a that much of a concern, then you wouldn't be using Flatpak either - so this argument is moot and only really valid for a hypothetical / rare use-cases where storage is a premium. And again, in such a use case, that user wouldn't be using Flatpaks either.


Finally, some distros like Bazzite already have the above integrations built-in (GearLever/AppImagePool), so you don't even need to do anything special to get AppImages integrated nicely in your system, and there's nothing stopping other distros adding these packages as optional dependencies - but it's kinda moot at this point I guess since Flatpak has already won the war.

Personally, I'm pro-choice. If AppImage doesn't work for you, then don't use it, as simple as that. Stop dictating user choice. If AppImage is really as bad as you claim, then it'll die a natural death and you don't have to worry about it. What you really need to worry about is Snap, which has the backing of Canonical, and some dev houses new to the Linux ecosystem seem to think packing stuff as Snap is an acceptable solution...

[–] aksdb@lemmy.world 1 points 8 months ago* (last edited 8 months ago)

I agree with you on all but one point: I detest the argument that "storage is cheap".

While true, it's of no value to have 10 times the storage when all your apps grow 10 times in size. You can still only do as much as before but had to upgrade in between. This also means, it leaves behind people who simply can't afford an upgrade and who have an otherwise running system.

On top of that, we live in a time where we should not waste resources, since the world already suffers enough.

I am therefore still a fan of optimizing software to be as efficient as possible.

That being said: carefully used AppImages solve one such issue for me. Not every application I use needs constant updates. I want to stay at a specific version. That's easy with AppImages.

[–] Pantherina@feddit.de 0 points 8 months ago (1 children)

GearLever](https://github.com/mijorus/gearlever) solves all the problems mentioned.

Sceptical but I will try it for sure.

It makes appimages less worse than Flatpaks though, so its only "badness reduction" for me.

There are AppImages out there that self-update , but GearLever also solves the update issue. And if you don't want to use GearLever, there are other updaters like AppImageUpdate.

The first is what I mentioned, such updates can be perfectly done by a central package manager. Did you ever try to seal off a Windows install using Portmaster, where every installed app needed network access for their individual update services? Just no...

Ans to the repos, yeah maybe, havent looked if they are as secure as a linux repo. But the concept of "it is acceptable to download software from random websites" allows for malware to fit in there. Only if you will never find a .flatpak file it is possible to be sure its malware.

But there are other sandboxing options out there, such as using containers, and IMO, using a proper container is a better option for sandboxing. Or even better, use a VM if you're actually running an untrusted app.

All worse than bubblewrap. Containers are either manual af (like with bubblejail) or if you refer to Distrobox/Toolbox, unconfined by default. They have no portal integration and no GUI configuration apps. So it may work somehow but probably worse, more resource heavy and there simply already is something better.

Same for VMs. Keep an eye on Kata containers, but this is about least privilege, not some QubesOS system that will not run in a tablet, for example. Android uses containers, is damn secure, and runs on phones.

[non executable stuff]

This is about protecting against malware. Linux Desktops are built on a different logic. Any unconfined software can download a binary to localbin, copy a random desktop entry from usrshareapps to your local folder, edit the exec line and add that binary to it.

Or just manipulate your .bashrc, change the sudo command to read input, save to file, pipe input to sudo. Tadaa, sudo password stolen.

That concept of "users can change their home but not the system" is poorly pretty flawed. So any directory that is writable without any priveges is insecure, if you dont trust every single piece of software you run.

Agree that Snaps are a problem. Its only really problematic when repackaging is illegal though, of course annoying but the Spotify flatpak is a repackaged snap. Same as with appimages.

I should write the same about snaps, but I feel they are covered WAY better.

[–] thiccckk@lemmy.world 1 points 8 months ago (1 children)
[–] Pantherina@feddit.de -1 points 8 months ago

Dont spam please

[–] thingsiplay@beehaw.org 1 points 8 months ago

AppImages are great and easy to use and they can be very easily archived. Today I tried to archive a Flatpak package (yuzu) and it was a pain, complicated and gave up in the end. I end up archiving multiple versions of the AppImages and continue using the Appimage for this emulator. Also sometimes Flatpaks do not work correctly, and I (and any other user) have to figure out what settings and configuration, rights and other stuff is needed to setup with Flatseal. Recently I solved the open links issue with Flatpaks, and found out a certain portal was required to be installed. Also sometimes the theming is not correct too.

All in all, I use Flatpak still and AppImages too, each for their own reasons. The lack of repositories and not needing an installation for being functional is not a problem with AppImages, because that's the entire point of it. They can be automatically generated and ready for download, regardless of any repository, directly on Github from the developers. There is even a program, RPCS3 (a ps3 emulator), which can check and update itself and list all changes since last update.

If you download AppImages from shady places, then off course its shady and insecure. Just like installing any software without knowing what you are doing is insecure. So that's not a point against the format itself. The argument "Duplicated libraries" is hilarious, if we speak about AppImages vs Flatpak, because Flatpak has duplicated drivers (especially with Nvidia, I know how bad it is because I had Nvidia cards before) and desktop environment versions, just because certain versions of the application needs it.

I don't understand these evangelism for packaging formats. Flatpak, AppImage, native system packages and other formats have their own uses and are all useful and not bad.

[–] delirious_owl@discuss.online 1 points 8 months ago

Feather Wallet is a great example of AppImages done right

[–] delirious_owl@discuss.online 1 points 8 months ago

AppImages can be signed. Flat pak is the lesser option for security

[–] thiccckk@lemmy.world 1 points 8 months ago

I use Appimage this is a tool which make it easy to install Appimage and update it

https://github.com/ivan-hc/AM

[–] hperrin@lemmy.world 0 points 8 months ago* (last edited 8 months ago) (1 children)

I agree with this, but as an app developer, can I just say, Flathub’s documentation is an absolute abomination. It is so bad, that I’ve tried 3 times to publish an app and have given up each time. I can build a local Flatpak just fine, but getting it on Flathub is just so convoluted and bad.

AppImages are ridiculously easy to build and distribute, just a pain to actually use. And even then, they’re not that much of a pain.

[–] db2@lemmy.world 0 points 8 months ago (1 children)

Try getting Creality Print to run without manually updating components of the appimage. I'll wait.

[–] hperrin@lemmy.world 0 points 8 months ago (1 children)

This has nothing to do with my comment.

[–] db2@lemmy.world 0 points 8 months ago (1 children)
[–] jjlinux@lemmy.ml 0 points 8 months ago* (last edited 8 months ago) (1 children)

Bro, a developer (which I am not) voiced his opinion. What's the need for the toxicity? Isn't it better for everyone if we all ask questions or provide our opinions respecting others? This is the reason why ANY difference of opinion ends up turning into a heated and useless argument. If you have something to counter what he said, by all means, bring it to the table. @hperin didn't say anything out of place.

[–] db2@lemmy.world 0 points 8 months ago (1 children)

I think you're both on something either really good or really bad. I added to the sentiment about appimages and you're both too busy sniffng your own farts too actually read the very short thing I wrote. You'd rather create a narrative in your own head about what a big meanie I am. So be in it then.

In conclusion, screw both of you, you're blocked. I have only marginally more patience for stupid than Linus does and you're both well past that. Have a nice day.

[–] FuglyDuck@lemmy.world 0 points 8 months ago (1 children)

One specific implementation by a terrible company that can barely manage to check quality control on their actual products isn’t a very good example of appimage’s problems.

Not saying they don’t have problems. But having seen creality’s version of Marlin, I gotta say, I’d be willing to bet they rebranded something, but using vastly out of date versions.

Probably should switch to simplify3d, prusa or cura.

[–] db2@lemmy.world 0 points 8 months ago (1 children)

While you're not wrong, the problem I was referencing is an outdated library embedded in the image. It makes the whole app crash and it could happen to any app.

[–] FuglyDuck@lemmy.world 0 points 8 months ago (1 children)

That’s a creality problem. Not an appimage problem.

They’d have a just as shitty flatpak or whatever else they used; because that’s how the company is.

[–] db2@lemmy.world 0 points 8 months ago (1 children)

Are you trying to tell me creality is the only one who would ever embed a library in an appimage? Isn't that supposed to be half the point, that it comes with what it needs?

[–] FuglyDuck@lemmy.world 1 points 8 months ago* (last edited 8 months ago)

No. I’m telling you that they won’t maintain it properly.

Not when it’s a reskinned cura fork. There marlin (printer firmware- nominally more important) versions are old too… last I checked, by years.