Is there some way to slow cadence of flatpak releases?

I am currently using Bluefin (stable channel) and it is a great solution. I’ve been using Linux for 20 years (mostly Ubuntu, but also Suse and Red Hat and derivatives). I can diagnose problems and search the web for solutions to problems (or report bugs). I love Bluefin and I think it is perfect for my needs.

But now I am also thinking of installing Bluefin on my family’s laptops and desktops. I need a way more conservative solution. Currently I use Ubuntu LTS on those computers. As I see it, Bluefin GTS is more appropriate than Bluefin/stable in this case for stability reasons. This is perfectly fine for system level applications.

But now I am thinking about user level applications. On Ubuntu I install native deb packages as user applications. Applications can get a little bit older over time, but stability is perfect, no major issues for years. Bluefin uses flatpaks as user applications. Which is great and bad at the same time. The great part is that applications are multi-distribution and problems are solved relatively quickly. I love the flatpak idea (multi-distribution support, applications’ independence from other apps and the host system, sandboxed…), but I see some important issues:

  1. Flatpak applications from Flathub do not support staged rollouts. When a new version is released it is pushed to all of the users (Bluefin checks for new versions twice a day). I think from a stability point of view a new version of a program should first be pushed to 0.5% of people, then increased to 1% in a couple of hours, then 5% in a few more hours, then 10%… and in a few days get to 100%. From what I see on bug trackers, when an issue appears a lot of users are affected. Then I see suggestions to roll back to the previous flatpak version using the terminal etc. (fine for me, but not for family users).
  2. The flatpak idea is to cut out the middleman (package maintainer). In my experience package maintainers do not only package software, but they also do some testing, to make sure programs are working fine before releasing to a wider audience. Flatpaks are a lot of the time packaged by application developers, and the flatpaks I use are mainly released as open source software. What I see as a problem is QA, like no testing (the flatpak app does not even start) or a lack of serious testing. I see a “just push” mentality and if a problem appears (and it does), then we will fix it. I may be old school, but this is completely unacceptable for average Joe and Jane (my family users).
  3. When an issue appears (like the app does not even start), the ‘we will fix it in the next minor release’ mentality is perfectly acceptable to maintainers. I also see ‘we are waiting for an upstream fix’, and it is perfectly fine that users are waiting for a solution for a few days etc. Because application developers are in charge of releasing the software, we are at the mercy of their free time and will to fix an issue. Actually, I am old school; the process should be: a) immediately revert the changes and minimize the number of users running into the problem, b) immediately fix the issue for current users, c) take some time to investigate the issue and implement a proper solution, d) do proper testing and e) push the solution to users again.
  4. In a couple of months I have had flatpak issues with three applications I am using on a daily basis:
     • Password Safe password manager
     • Calibre e-book program
     • Signal secure messenger
     In all three of these cases it is the same story: the program does not even start or produces severe errors for ALL of the users, and a fix takes a few days to weeks.
  5. I have also witnessed application developers pushing new ‘major’ versions and removing some features users rely on, because migrating from e.g. Gtk 3 to Gtk 4 is more important to them than providing feature parity. In this case the program “over night” does not work like it used to. Or the application developer decides to remove menus from the app and similar, and breaks users’ flow of work.

In order to install Bluefin GTS on my family computers I need to have a STABLE end-user application environment. I can’t set up a system where major issues appear at unpredictable times and take an unpredictable time to get fixed. Has someone come up with a solution to have a stable flatpak application environment? What I am thinking of is pinning all of the flatpaks to prevent application upgrades and then having a controlled way to push updates. I would like to avoid manual maintenance if possible. As I see it, until flatpak has a STABLE and PREDICTABLE environment I see Ubuntu LTS as the better option.

Any ideas how to overcome these issues, comments?

1 Like

Any reason you couldn’t just roll back the problematic flatpaks in your scenario? It’s not that hard to roll back to an arbitrary version in the general sense. Or to flatpak mask against future auto-updates with per-app granularity.

I don’t necessarily love ublue’s stance on updates, but I feel like you’re complaining about a problem that Flatpak is specifically designed to address.

1 Like

Use nix home-manager with either declarative-flatpak or nix-flatpak module?

Sample flake here, from my config. Fair warning, I haven’t dived deep into my Nix config in a while, due to being very busy with work that needed me to use Windows on my device.

2 Likes

The Warehouse GUI app is useful for doing this if you want to “pin” versions, and you can likely script out command line stuff:

Apps like Signal aren’t in Ubuntu, Suse, or Red Hat, so the whole “distro developers test each application better than anyone else” thing is just a myth. You are always at the mercy of an open source developer’s free time, whether they work on the distro, flatpak, or both.

Hopefully it leads organizations like Signal to become more active and take ownership of their software. One of the reasons we’re so opinionated on this is to get focus on the things we need fixed. A large part of that is helping to amplify the message to orgs that users need well supported Flatpaks.

I think what you’re experiencing in the variance in QA is just the usual open source stuff. If someone is around to care about a thing, it’s high quality; if no one is there caring for it, then it’s not. One of the reasons we went all in on this model is being stuck with 2 year old snapshots of software sucks worse.

For this use case I get it, I don’t want my parents calling me either. This is one of the reasons I always set new users to be web-focused instead of app focused, but that’s a discussion for another day lol. A way to solve this would be to just have an LTS-style lifecycle for an image. HeliumOS does this: https://www.heliumos.org/ would get you most of the way there, and then you could set a better default for your parents that is more traditional so you could gate them by just telling them to not update unless you’re around to check everything, etc.

2 Likes

@red11 for family computers, consider one of the following Windows OS:

Windows 10 Enterprise LTSC 2019 / Windows IoT 10 Enterprise LTSC 2019 (version 1809)
Windows 10 IoT Enterprise LTSC 2021 (version 21h2)
Windows 11 IoT Enterprise LTSC 2024 (version 24h2)

Here is WindowsLTSC Reddit sub.

These are the cleanest versions of Windows OS (with 10 years of security updates).
Just let the PROs in Redmond do the OS work for your family, so that your family can spend time to enjoy their lives :blush:

Alternatively, we just accept Fedora is a testing ground for Red Hat and we live with it. I know I know, Fedora is a community project, but Red Hat sponsors it for a reason. And of course, we all know, ublue is Fedora-based.

2 Likes

Not a problem for me, but for my family I don’t want to have broken apps when they most need them and I can’t help them fix the issue. I am searching for a stable end-user application environment so they can work with the computer.

It looks like another layer of complexity… I will look into this in more detail. Thanks for the idea.

In the case of Signal, it has to be installed manually by adding a repository, and according to the help only Ubuntu, Mint etc. (Debian-based) are supported (not even an RPM package, and obviously no flatpak one). What happened in this particular case is that Signal was keeping the encryption key for its database in a local file, and so it worked fine in both the deb and the flatpak application, but now the application developers decided to store the key in gnome-keyring. Using Signal on Ubuntu this works fine (as officially supported), but the flatpak version does not work, because the application is sandboxed. What happened is that Signal encrypted its own database and tried to save the key into gnome-keyring, but obviously failed because of the flatpak sandbox. Then when Signal is started for the second time it can’t decrypt the database anymore, because the key is not stored in gnome-keyring and it couldn’t even access it if it was. The result is a broken database. The issue in this case was strictly that the third-party flatpak maintainer created a new version of the flatpak and didn’t even start the application once. If he had, he would obviously have detected that the application is broken.

In the case of Calibre I see they officially only support tar file installations. You know, the way we used to install software on Linux like 20 years ago. In the case of Calibre/flatpak, when the issue appeared, the flatpak maintainer was waiting for an upstream fix instead of immediately rolling back to the previous version to prevent all new users from getting a broken program.

In the case of Password Safe I see several issues; it looks like the program works best on X.Org and even has issues with Wayland, and the combination with flatpak is double trouble. :slight_smile:

Me too. But it may not happen any time soon. Why? Applications like those are targeting Windows first, macOS second and then Ubuntu third. Ubuntu has the largest Linux distro market share; other distros have an even smaller share and so are ignored. On the Signal forum I found a thread requesting that the application developers take ownership of the flatpak, but there was no response from them.

Thanks. I will look into this too.

EDIT: I checked it, and on the web site: HeliumOS offers… An app store with a wide selection of Flatpak packages, providing up-to-date and sandboxed applications that are easy to install and manage. I see they are also using flatpak. Why is this different than Bluefin, which is also relying on flatpak? Did I misunderstand something?

Yes, having old software is no guarantee of being stable. In some cases it can even be worse. In the case of Calibre, it is strictly written on the web site to NOT use the program from official distro repos, but to use the tar file instead.

I don’t think Windows is a solution. Windows is system level software just like Ubuntu or Bluefin, and Bluefin shines in this area with image based system software. I am complaining about end-user level software, and such software has the same issues on Windows too.

I am currently satisfied with how software is behaving on the system level on Ubuntu for my family, and I am testing the ground for an alternative like Bluefin. I don’t see a way to go to Windows.

I have written a quick script to mask/unmask all of the flatpaks. So I am thinking of masking all of the flatpaks and, when I have time, checking for flatpak updates manually and masking them back until the next time I have time to test that everything is working again.

#!/bin/bash
# Mask (hold back updates for) or unmask every installed flatpak.
read -r -p "(M)ask all, (U)nmask all, (C)ancel? " question
if [[ "$question" == "M" || "$question" == "m" ]]; then
    # One application ID per line; -r keeps backslashes literal.
    flatpak list --columns=application | while read -r app; do
        echo "Masking $app"
        # Quote the ID so it reaches flatpak as a single argument.
        sudo flatpak mask "$app"
    done
elif [[ "$question" == "U" || "$question" == "u" ]]; then
    flatpak list --columns=application | while read -r app; do
        echo "Unmasking $app"
        sudo flatpak mask --remove "$app"
    done
else
    exit
fi

RECAP: I know I am probably complaining on the wrong site, I should be on Flathub’s, but… actually I did a couple of months ago, and after a few “pings” I got an answer that Flathub is run by volunteers and so it takes time for anyone to tackle a problem at all. I asked why, after flatpaks are built on GitHub, applications are not at least run for the first time to see if the app crashes… “We are volunteers.”

Maybe I am too negative at the moment; I see a huge improvement of flatpaks on Flathub and the trend is in the right direction, improving more and more. It is obvious that flatpak is gaining traction and, as Jorge wrote a year ago, even Red Hat will stop packaging LibreOffice as an RPM package, because there is a flatpak version that is now maintained by upstream.

Maybe I don’t need to mask all of the flatpaks, but only the ones that are not used by a huge number of users; those are the ones most likely to get broken without proper QA testing.

1 Like
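A selective variant of the masking idea from the post above, added here as an example (it is not any poster's script): every installed app is masked except an allowlist that keeps auto-updating. `KEEP_UPDATING` and `plan_masks` are hypothetical names and the allowlist contents are a constructed sample.

```shell
#!/bin/sh
# Added example: mask every installed Flatpak app except an allowlist.
# KEEP_UPDATING is a constructed sample; replace it with your own choices.
KEEP_UPDATING='org.mozilla.firefox
org.libreoffice.LibreOffice'

# plan_masks KEEP_LIST
# Reads application IDs on stdin (one per line) and prints the IDs that
# should be masked: everything that is not in KEEP_LIST.
plan_masks() {
    keep_list=$1
    LC_ALL=C sort -u | while IFS= read -r app; do
        # Skip blank lines.
        if [ -z "$app" ]; then continue; fi
        # flatpak mask treats its argument as a pattern, so refuse anything
        # that is not a plain dotted ID (no wildcards, spaces or options).
        case $app in
            -*|*[!A-Za-z0-9._-]*) continue ;;
        esac
        # Exact, whole-line match against the allowlist.
        if printf '%s\n' "$keep_list" | grep -Fxq -- "$app"; then continue; fi
        printf '%s\n' "$app"
    done
}

# Nothing happens without an argument: --plan prints what would be masked,
# --apply masks it. --app limits the listing to applications, not runtimes.
case ${1:-} in
    --plan)
        flatpak list --app --columns=application | plan_masks "$KEEP_UPDATING" ;;
    --apply)
        flatpak list --app --columns=application | plan_masks "$KEEP_UPDATING" |
            while IFS= read -r app; do
                echo "Masking $app"
                sudo flatpak mask "$app" </dev/null
            done ;;
esac
```

Masked apps receive no updates at all, security fixes included, so the unmask, update and test pass has to happen on a schedule rather than whenever there is time.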

I meant this as a start, you’d start with HeliumOS and bundle in the apps you need on the image.

1 Like

May I ask

if your family needs to care about image based system software?
Are you going to pay for Ubuntu Pro?

Bluefin is not an alternative to either Windows Enterprise LTSC or Ubuntu LTS. As I said, Fedora is a testing ground for Red Hat and ublue is Fedora-based.

1 Like

I need a stable system for my family computers. I don’t want to use Windows, because every time I install user level software, the system gets potentially less stable.

On Ubuntu this is less likely to happen, because applications are installed from common repository.

On Bluefin it is potentially even better; flatpaks are separated from each other and from the system. What I see as a trap is the auto-updating of flatpaks and the lack of proper QA testing before release.


I don’t know… I am still in the thinking process. For now I see Ubuntu LTS as the system my family is probably best off on, until flatpaks, or maybe the better word is Flathub (which I and my family use), mature to the level where more strict QA testing is required. As I see it, flatpak/Flathub is getting better and better, but it is not at the level of e.g. the Android store, where I have not fallen into the new-application stability trap.


Thank you all for helping my thinking process to evolve.

1 Like

I think you’re overthinking this. Warehouse is preinstalled to downgrade Flatpak applications (as well as delete cache if needed). The entire point of Bluefin/Aurora is to have a nearly maintenance-free setup which is why we have automatic updates for everything. If your family can use cell phones, then I think they can manage Flatpaks since they behave similarly to mobile apps.

1 Like

I haven’t used it much myself but there’s a flatpak app to take snapshots of flatpaks so you can roll them back if an update borks. Might be useful for keeping things stable for family: jdFlatpakSnapshot

4 Likes

I found installing the GNOME Passwords and Keys (Seahorse) flatpak has helped me with gnome keyring issues. @j0rge I still need to fully test this but I think it might be a flatpak that should be included in the Bluefin image.

3 Likes