Ubuntu 23.10’s New Software App Will Demote DEBs (Apparently)

Ignacio@lemmy.ml to Linux@lemmy.ml – 225 points –
Ubuntu 23.10's New Software App Will Demote DEBs (Apparently) - OMG! Ubuntu
omgubuntu.co.uk

A new ‘app store’ is expected to ship as part of Ubuntu 23.10 when it’s released in October — and it’ll debut with a notable change to DEB support.

169

You are viewing a single comment

I never found out what's wrong with APT.

I do wish APT supported installing certain packages locally. Other than that, I'm more likely to use it than Snap/Flatpak/etc

Aren't you sorta trusting whoever wrote any package you install with root? I mean, you should have that attitude anyhow as packages have a huge attack surface so privilege escalation bugs are way more common than remote execution but still, flatpak and snap at least offer a bit of a sandbox which might improve...

Depends on your distro and what's available in the repo. With default repos you're more trusting the distro developer to vet packages.

I trust debian for that. It's been a while since I used Ubuntu so I don't remember how their repos are set up but the debian team is notoriously conservative with their repos.

The track record has been very good as far as i know with thousands of packages over the years so I doubt if there is a real problem to be solved here.

APT is not good at managing dependency hell. This is a common problem for all package managers that don't typically bundle dependencies. You can get 30000 open source packages from trusted sources having a maintainer working on each to all share the same dependencies for an OS release. That's what Debian does. However it's a lot of work and that works increases significantly when you try to do it for a piece of software across OS releases.

Read - it's difficult for LibreOffice or Mozilla to ship a new version of their software that works on several Debian or Ubuntu releases. It's also difficult for maintainers to do that.

You could of course include dependencies in debs, but then you're increasing the security attack surface of the OS, because there's no sandbox around those bundled dependencies. Bundling dependencies requires sandboxing to be safe. Otherwise whenever there's a security hole in one library in package X, package X might patch it, but the same library might exist in another 50 packages on the system unpatched.

This is a solved problem. It was done in Android, iOS, BlackBerry 10 and probably others. All OSes that had to deal with more than 30000 packages, open source or proprietary, from trusted or untrusted sources. Bundle non-system dependencies and confine in a sandbox. Snap's been doing this ever since it was called Click. Flatpak didn't have the sandbox part for a while if I'm not mistaken. I'm not sure what its current sandbox state is.

There are other issues with APT/deb but managing dependencies without sandboxing is probably the most fundamental one since dependency management is one their fundamental purposes.