Linux’s RPM/deb split could be replaced by Flatpak vs. snap

Linux developers are going to have more than one choice for building secure, cross-distribution applications.

Ubuntu’s “snap” applications recently went cross-platform, having been ported to other Linux distros including Debian, Arch, Fedora, and Gentoo. The goal is to simplify packaging of applications. Instead of building a deb package for Ubuntu and an RPM for Fedora, a developer could package the application as a snap and have it installed on just about any Linux distribution.

But Linux is always about choice, and snap isn’t the only contender to replace traditional packaging systems. Today, the developers of Flatpak (previously called xdg-app) announced general availability for several major Linux distributions, with a pointer to instructions for installing on Arch, Debian, Fedora, Mageia, and Ubuntu.

Though Flatpak has multiple developers from the GNOME community, “Flatpak is the brainchild of Alexander Larsson, Principal Software Engineer at Red Hat,” the announcement said. The technology “allows application developers to build against a series of stable platforms (known as runtimes), as well as to bundle libraries directly within their applications. Flatpak is also standards compliant, offering support for the Open Container Initiative specification.”

Flatpak creator Alexander Larsson.

Credit: Flatpak.org

Like Ubuntu’s snaps, Flatpak developers are promising that apps packaged in the new format will be isolated from each other and from critical parts of the operating system, improving security.

“Flatpak apps are sandboxed. From within the sandbox, the only things the app can ‘see’ are itself and a limited set of libraries and operating system interfaces. This effectively isolates apps from each other as well as from the host system and makes it much harder for applications to steal user data or exploit one another,” the announcement said.

The widely used X11 window system is still “inherently insecure,” limiting the ability to sandbox applications on most current systems, the announcement noted. But that will change. While Flatpak can be installed on systems using X, the emergence of the new Wayland display server “complements Flatpak’s emergence and paves the way for much more complete security model for Linux distributions.”

There are still benefits regardless of the underlying display server. “Flatpak’s sandboxing framework does isolate apps from the host and from each other, whether apps are running on X or on Wayland,” Flatpak contributor Allan Day told Ars today.

Flatpak apps also can’t see host files, processes outside the sandbox, and hardware devices, and they can be optionally restricted from network access, Larsson told Ars. Still, Larsson said the limitations under X11 are significant.

If you’re running an X11 terminal, an “app can use X11 to send fake keyboard events to it and cause it to do whatever it wants,” Larsson said. “Obviously this is a much harder attack to do than just reading some file, but we can hardly call it secure when you can do that. If the app only has access to Wayland, then such attacks are not possible at all because Wayland clients can’t see or talk to each other.”

More technical details on Flatpak sandboxing are available here. On Ubuntu, the X security problems should be solved by the in-development Mir display server. Snaps can run on both Mir and X but will have better security with Mir.

LibreOffice is on board with Flatpak

While snaps can be used to package both server and desktop applications, Flatpak developers say that “Flatpak is designed to run inside a desktop session and relies on certain session services, such as a dbus session bus and a systemd –user instance. So, is not a good match for a server.”