I tried using Ubuntu 18.04 recently. While snap seem like a good idea, the main issue I have is that there seems to be no way to know who publishes snaps. A list of approved vendors would be useful.
Sure, there are some 'Verified Accounts', and Opera has one. But the main app for Slack, Spotify, Telegram Desktop or BitWarden come from unverified accounts. And some of these are not sandboxed, like the Slack app. Having BitWarden, a password manager, use an unverified account seems totally crazy.
I like snaps but I ve stopped using them because they auto update Windows10 style. In the snap forums a lot of people asked for the ability to disable updates in order to update only when you want. Integration with the software and updates app in Ubuntu would go a long way here. But no snap devs have refused that (unless you are an enterprise customer and use a proprietary extension). So if you have snaps their update process is totally separate from other apps in your Ubuntu desktop and outside of your control barring some time settings for soft auto update exceptions hidden in the CLI interface.
The developers don't want to maintain old clients...backward compatibility proved too expensive. Apple proved autoupdate is the way. Browser vendors did the same.
I don't think people expect old clients to be maintained, but I generally don't like auto-updating. I don't want my computer to use CPU, disk I/O, or network bandwidth for updates except when it's convenient for me. Also, in some cases it can be worth it to stick with an older version if a newer version introduces a bug or something.
My OSX auto uptate is disabled. I'm still using Yosemite. It asks nicely occasionally if/when I want to upgrade. It does not install updates in an annoying way lke Windows does.
But at the very least, Apple lets users disable automatic update (and always have, always will). The default is automatic updates, but it's far from forced.
We only recently added the "verified accounts" feature.
Many of the apps you listed are actually from verified accounts but we're in the process of validating them. We should have all the major ones done soon.
I don't understand using a browser that is developed by a for-profit company which happens to be their only product. Because of current owners, I would never use Opera.
Firefox is pretty good guys. You should check it out. And also donate.
disclaimer: no association with Mozilla/Firefox in any way.
Chrome is the other outlier here. Apple and Microsoft have no real reason to spy on you when you use Safari or Edge and Firefox is operated by a not-for-profit entity. Google and Opera's entire business model depend on surveilling their users.
> I remember when opera used to have an IMAP client built in and you could open up an IRC chat tab, it had so much cool stuff!
Don't really understand those two comments. You're saying it hasn't gone to shit yet but then you're describing the features from Opera 12, before Opera switched to the new Chrome-based browser they ship now without any of those features.
I was a long time Opera user back when it had all those cool features, and dropped it when it dropped them. Many of its long term users did the same and many of their internal devs left too. I'd say Opera very much went to shit in 2013.
> Mozilla is the single most toxic thing in software culture in the past fifteen years, imo.
Curious about this view; I've been a bit lost since the Opera exodus, looking for a decent alternative. Mozilla's got some problems, but they're the best I've found sofar. What's toxic about them?
Snaps and flatpaks are just a vector for malware. They're worse in every way than a traditional package manager. I'm all for packages which containerize their software (we already chroot a lot of software like this), but snaps/flatpaks are just dumb. There's no substitute for your package maintainer personally auditing and preparing the package for you.
> There's no substitute for your package maintainer personally auditing and preparing the package for you.
This is true, but it's not a feasible approach for software like Slack, Spotify, and VSCode that gets updated /weekly/. These aren't packages like 'libgit' that you could validate once and leave the same until you ship the next OS release. Some of these apps completely stop working if you fall behind by too many versions. Having people running older versions is also a huge pain in the ass as a developer, because those users inevitably email support, complain online about how the product is bad, etc. and only after lots of emailing does it turn out they're using a year-old version. (Full disclosure: I maintain Mailspring and switched to Snapcraft /very/ enthusiastically to have an auto-update mechanism that works across linux distros!)
> This is true, but it's not a feasible approach for software like Slack, Spotify, and VSCode that gets updated /weekly/. These aren't packages like 'libgit' that you could validate once and leave the same until you ship the next OS release
Package managers don't prevent this at all. If you host the repository then you can update as often as you'd like. Some whole distros (arch) do just this.
You can update as often as you like, but that does not ensure users will get that update, nor does traditional packaging make it safe to install the update (no rollbacks, maintainer scripts run as root and have full access to the filesystem, library mismatches, etc).
I'm all for debs and rpms, but they seem best suited to providing the base system.
> Snaps and flatpaks are just a vector for malware.
That depends entirely on your perspective. If you're happy using packages entirely from your distribution and from no other sources, then sure, carry on as you are.
Snaps (not sure about flatpaks and confinement) are far better than the "curl ...|bash", PPA and other installer type vectors, even from your perspective.
>Snaps (not sure about flatpaks and confinement) are far better than the "curl ...|bash", PPA and other installer type vectors, even from your perspective
A bad thing compared to other bad things does not make the bad thing good. If you're missing a package on your distro, bug a package maintainer to build it, or step up and volunteer.
Yeah, because that's totally how software distribution should work. What's so wrong with the vendor just compiling and distributing an application? Why must this be needlessly complicated?
Yes, that is totally how software distribution should work. Vendors cannot be trusted, this has been proven over and over and over again. Having a dispassionate third party do the packaging keeps malware out of your computer. This is why we have browser extensions and android apps that spy on you. This is why we have a snap which was mining cryptocurrency on your computer a few weeks ago. This is why Mozilla can add spyware to Firefox. Vendor publishing is fundamentally broken.
And upstream issues such as this one should be fixed in upstream not patched endlessly with every other distro. That's the approach promoted by Arch Linux.
If you don't trust upstream why are you running their code?
I don't think it's reasonable for such a small group of people as Debian developers (or any other maintainers) to review each change looking for potentially malicious code. Especially in codebases as big as Firefox.
Well, you're free to believe that a platform that places you at the mercy of third party comrades who dictate what you can and cannot install or distribute "for your own good" is a good idea.
We're not talking about some shady organization in some ivory tower. Package maintainers are people whose names and email addresses are available to you. Distros are also always looking for volunteers, you can volunteer and steer things the way you want. And if not, then there are dozens of other distros to choose from whose maintainers may agree with you more.
Without the "fragmentation" the problem of third parties censoring applications would be even worse and it still wouldn't be any easier to deploy anything. If you want a proprietary centralized service loaded with malware, there are already plenty of those to choose from on other systems, complete with their own gatekeepers.
Neither MacOS nor Windows prevent you from installing any application you desire[0], direct from the vendor. That has only recently begun to change thanks to app stores, which bear a remarkable similarity to package repos.
[0]Ok, there are some hoops regarding unsigned drivers.
I passionately disagree. Package managers are inflexible conflict causing garbage and repos are appstore-like walled gardens which often contain out of date software, when they have what you're looking for at all.
Snap and Flatpak aren't much better, though. Give me AppImage any day.
The repository system on Debian, Arch, Fedora is clearly not a walled garden like Apple or Microsoft's app stores. Any site can host a repository that you can add to your package manager's sources, and you're free to install .deb/.rpm packages from any source you want, not to mention tarballs or compiling from source code. Also, there's no motive for lock-in like mainstream app stores have.
Only if those sources keep things up to date with the changes in the main repository, and every other repository the user uses, so as to avoid conflicts.
> not to mention tarballs or compiling from source code
Seriously? You may as well say iOS is open because you can root it.
The reason for the conflicts are rarely if ever at the package layer, and more often than not with upstream changing dependencies on a .x update.
This leaves the distro maintainers two choices: either recompile/restructure the whole distro to placate one upstream, or freeze said upsteam on an older version and suffer their social media wrath.
Or because it's a new feature release instead of just bugfixes. At least in e.g. Ubuntu, SRUs aren't accepted unless they're security or bug fixes, which makes it impossible to get newer features back to stable releases. Snaps provide a way out of this by removing the ability to break other applications with an update (since there are no dependencies).
noone is going to prep packages for dozens distros with different distribution mechanism.
too complicated|time consuming - why Linux doesn't have first world apps.
How do I get my favorite app included as a user? As a publisher? The maintainer has his own schedule. What if I have a closed-source app? I presume it's just better than PPA and *.deb-s (which would be acceptable if all desktop Linux was based on Ubuntu).
There is AppImage (https://appimage.org/). I have no affiliation with it whatsoever, but if you're not going to have a verified Snap account, I think you're better off offering an AppImage from your website. And it seems like some companies are thinking about something like this (https://github.com/itchio/itch/issues/683).
If your Snap account is unverified, there seems to be no way to know who created the snap. It looks like I can create an account with the name of any company and distribute stuff in their name, including malware.
With something like AppImage, your users know that the AppImage is actually coming from you if you host the file on your domain. Then again, AppImage has its own drawbacks. But at least, if Slack put an official AppImage on its homepage, I'd be able to download it. Installing a Slack snap from the account of "Felix Rieseberg" doesn't sound to good to me (https://snapcraft.io/slack). If you dig around, you can see that Felix Rieseberg does work at Slack, but for this big a company, that just looks fishy IMO.
yeah. that's wishy-washy dreamworld.
For 20 years Ive been using Linux - noone bothered packaging A-level apps for Linux, definitely not closed source ones. That's been enough of a trial run I would say.
And your games are spying on you. Many of these games employ invasive anti-cheat systems which shake down your computer and send a bunch of data to their servers. This shit doesn't fly with distro packages.
Yeah, they definitely wouldn't be in distro packages, but I want to play them nonetheless. That means I either have to run software which isn't in my distro repo, or switch to Windows.
Ubuntu is an outlier, not a representative of all of Linux. Linux is open source, you can make a distro that does anything you want, including spying on others. This doesn't make the distros that don't any worse.
Actually they don't. I use Linux Mint Cinnamon for 5 years and find it a very convenient operating system, better than Windows (at least 7 — I hear nothing good about Win7 except its Linux support) and OSX (at least Snow Leopard) in almost every respect, except commercial app support. I very reluctantly reboot into Windows for things like Office, Lightroom and CorelDraw. Maybe Visual Studio.
edit: btw, I agree with you on the "attitude" thing. There should be more commercial options on Linux desktop.
It was a subjective assessment to be sure, but one shared by many. You can tell because of how few users it has, though I'm sure someone will pop up and blame the fact that it doesn't come pre-installed on PCs as the reason, without consideration for the concept that if people actually wanted to use it, it might.
eh, i disagree. even if linux distros were objectively better than windows in every possible way (not speaking to the truth of that claim) if computers shipped with windows the vast majority of people would use windows.
But the vast majority of internet users do use Google search and other Google products like Gmail. That's how Chrome became popular — because Google will spam you with ads for Chrome at every available opportunity.
And how did Google get popular despite Microsoft owning the OS? And for that matter, IE? My point is, people tend to use software they like. The reason Linux Desktop, despite decades of evangelism, hasn't taken off is that people don't like it. It's that simple, but the evangelists keep deluding themselves because making it better will require them to do hard things, like work together.
Those are just package managers trying to be less crap than currently existing package managers. Vendors still aren't expected to create and deploy the application directly to the user.
As a technology, I've had far better experience with snap over flatpak. It does bother me though with snaps that it all seems tied to a proprietary store. Does anyone know if it's possible to run the server side components yourself.
Unfortunately true. Although, with the built-in mouse gestures and ad blocking without having to maintain extensions that bog things down, ask for their own updates, etc.; I still find it to be the least bad browser available. Vivaldi is too slow and Otter Browser is not quite there yet.
I wish they would've considered going open source instead. Sure, their rendering engine was far from perfect, but it had its advantages, even to Chrome at the time.
Same for OmniWeb… still though, I imagine they just had too much of an uphill battle keeping up with the other big 4 engines that it was untenable to maintain Opera's renderer
As with all things Chinese, the story is never entirely clear. Propaganda from both sides of the Firewall obscure a lot. However...
---
Qihoo 360 may be the owners of StartCom, and WoSign, who behaved so badly both Chrome and Firefox have decided their certificates can never be trusted again.
Got to figure that it isn't an accident that they bought a (large) interest in Opera.
And there's the confusing story of the Chinese government sanctioning Qihoo 360 themselves over privacy violations to do with webcams.
They tend to be a company mired in controversy.
(They also have the controlling share in Golden Brick Capital).
---
Beijing Kunlun Tech aren't that well known in the West. They started out as online gambling, however they also bought out Grindr, and now a controlling stake in Opera.
They don't seem to have a huge amount of direction, besides blasting adverts and trying to eak out a profit wherever they can. Which they seem extremely successful in.
Successful enough that Zhou Yahui ended up paying $1.1billion to settle a divorce with his wife quite recently.
---
So, basically, ownership is split between a gambling tycoon, and a company with an awful reputation around security and privacy who have a vested interest in a browser, and how they can influence the web from it.
Opera, if you are watchng this thread, could you please update the outdated documentation on the command line option? [1]
This command line format was valid until 5 years ago, when Opera switched to Chromium. Currently Opera only works with Chromium’s command line format and the documentation does not mention about this. I noticed this problem when I was answering a SO question [2] so I contacted Opera but there is no response.
Can anyone who has released commercial Linux software comment on providing giant static binaries to distribute apps? I always found this the easiest way to adopt a 3rd party app on Linux, but I don't know how difficult it is in practice if the app is humongous and complicated.
The problem with package managers/installers/setup scripts/etc. is that they turn file systems in a mess and that filesystems tend to be different between linux installations, even of the same distribution.
So snaps do for user facing software what docker did for server side software. Good idea in general and since most distributions struggle to stay on top of release quality updates from upstream, a great way to stay up to date, quickly try out some sofware package, or download software that your linux distribution hasn't gotten around to absorbing into their repositories.
Sort of the Linux equivalent of dragging an OS X .app file to your /Applications folder (or to trash for uninstall). There's no good technical reason for application install/uninstall to be more complex than that.
Normal user facing software should not require modifications to the OS to run. The linux practice of packages basically taking a royal dump on the filesystem and generally requiring root access to even get installed is no longer something that is remotely sane to do.
IMHO, operating systems should ultimately be immutable and basically be similar to a snap. You update it as a whole and you don't modify parts of it.
Linux has had a hard time with end users despite decades of "surely this year is the year of linux on the desktop". Never happened. A lot of that has to do with software installation, package managers and upgrades being a convoluted mess that always ends up in somebody doing stuff in a command line terminal to fix.
>Linux has had a hard time with end users despite decades of "surely this year is the year of linux on the desktop". Never happened. A lot of that has to do with software installation, package managers and upgrades being a convoluted mess that always ends up in somebody doing stuff in a command line terminal to fix.
Snap still has a little bit to go to be much better though! The "programs shouldn't mess with the system" mentality includes restrictions to the filesystem. That's a problem because many programs do need to mess with local files (e.g., sending a file in an IM program, working on a file, saving a file...). You get a spooky message about installing such programs with "classic" permissions, and, even then, such functionality suffers. Discord can only access some subset of the filesystem, and Skype straight up crashes when it tries. Also, opening links in Discord doesn't work in the Snap version while it does in the non-Snap version. Rabble!
But the idea is great. Convenience and no dynamic library breakage for some MB of disk space in ${current_year}? Yes, plz!
Yet their web based counterparts work just fine. Discord works great, Skype not so great, maybe because they pour resources into the app thay displays ads.
> Linux has had a hard time with end users despite decades of "surely this year is the year of linux on the desktop". Never happened. A lot of that has to do with software installation, package managers and upgrades being a convoluted mess that always ends up in somebody doing stuff in a command line terminal to fix.
I couldn't agree more, and am glad to see that there are others who recognize this issue. Personally, I'm a fan of AppImage because it doesn't require any of the complicated runtime Snap and Flatpak do, meaning it is about as close as you can get to a universal Linux application today (*NixOS notably breaks them, but other than that...).
the problem is invariably with upstream making assumptions and changes on a whim, not with distros.
As for linux on the desktop, until there is a credible brand offering a credible pre-installed computer, via credible outlets, backed by a credible support service, and MS actually allows them to exist beyond the first revision, then you will have your Linux on the desktop independent of all the effort (or anti-effort) the big DEs etc put in.
Linux Desktop evangelists have been saying that for decades. Rather than fix any of the problems people are actually complaining about and that they can actually fix, they prefer to believe the real problem is one they have no power over so they don't have to take any responsibility for the terrible platform they promote.
Most distros have an integrated app store for the usual suspects (Firefox, LibreOffice, GIMP, etc) but proprietary third party apps like Opera aren't included and are more difficult to install. The less technically inclined generally don't install third party software.
I’m a little behind the times on Snaps, as I mostly don’t interact with Ubuntu via its stock UI. But I’m seeing other users complain about the lack of signing / verified publishers in the (proprietary?) Snap store.
Thoughts on the tradeoffs here? How sandboxed are these apps? Clearly I’ve got some reading to do.
They're sandboxed with AppArmor, which allows restriction to rwx. Checking an app's permissions profile can tell you what it's allowed to read and write. It's like SELinux, but instead of capabilities, it's a list of files. (But everything* on linux is a file*, so that's probably good enough?)
From what I read in the past year it's easier to build a snap (kind of building a docker image) than packaging for a distro: at least two formats (apt and yum) and several variants (at least the LTSes of the main distros). So the target audience could be the developers of the applications, not the users.
I'll be using Opera from the apt repository until they build a .deb. Then I'll see what to do. Disk is cheap but even my 1 TB SSD is not unlimited. My docker images for work already suck up much space.
it sounds like an alternative way to handle package management to me. instead of installing packages directly, they're containerized and run through whatever container system is present
Sure, there are some 'Verified Accounts', and Opera has one. But the main app for Slack, Spotify, Telegram Desktop or BitWarden come from unverified accounts. And some of these are not sandboxed, like the Slack app. Having BitWarden, a password manager, use an unverified account seems totally crazy.