I recently moved my work machine from Windows to Linux and chose Debian Trixie + KDE Plasma for the stability. The advice is that if stability is your priority, you should try to avoid breaking Debian. I understand that adding third-party sources can cause dependencies conflicts, and must be avoided at all costs. I also understand that Flatpaks, AppImages, Snaps, and Docker/Podman images are safe because they don’t interfere with the system dependencies. So far, so good. What I don’t understand is what happens with other ways of installing software (eg .deb, tarballs).
I know it’s a contentious subject but if stability is the priority, how would you rank different methods? I may be wrong but my take is:
Debian repository > Flatpak > Appimage > Docker/Podman > Snap > tarball
To be avoided: .deb for Debian > .deb for Ubuntu > PPAs
Eg Viber is available as an official AppImage (with certain bugs), unofficial flatpak (with other bugs), and an official .deb for Ubuntu (which is probably a bad idea for Debian anyway). Viber support told me they don’t support my OS.
My first recommendation was more geared towards nostalgia and control. In my own installs I break Debian all the time with outside packages and esoteric user tracked dependencies.
I don’t like flatpaks or appimages because they broaden the web of trust the system relies on to an absurd degree. Appimages can be better as long as they’re compiled against stuff you have and the code they’re based on has decent ways of failing when you don’t. My trust is in the best practices of the maintainer there. Flatpaks are no better than downloading random docker images though.
You can’t just trust people. The open source world relies on being able to ferret out infiltration and bad actors and exists at a time when millions of intelligence agents and assets are operating in service of the state and simply dumped out into the private sector.
We are hoping the “wisdom of crowds” will counteract millions of highly trained operatives. It hasn’t worked out so far.
I share your concerns about trust. With flatpaks we can still read the source and commits, but not many will or can do this every time they install and update software anyway. In this sense, we have little choice but to trust the verified developer and the community, who may of course be compromised too, regardless of distribution method. I suppose with flatpaks we have to check permissions and make them as restrictive as possible.
I’m pretty sure flatpaks don’t require that the source of any of the weird shit in them be open.
It’s also probably worth it not to hold open source up above closed source in terms of security since neither of us is conducting a meticulous audit of the stuff we run.
Regardless, my point was to figure out what works for you. When I ran Slackware I got comfortable doing manual dependency management so breaking Debian by doing a bunch of manual installs is fine for me.
If you feel most comfortable with using flatpaks or appimages then use those.