Continuing this week’s theme of Linux software repositories, an announcement from Canonical last week caused quite a commotion in various Linux communities. As Ars Technica reported, Canonical is touting “snap packages” as the next big thing in software distribution. The client software has been ported to platforms other than Ubuntu, and that port has been misrepresented as other distros actively supporting it.
The idea behind snaps (and Flatpak, which is under development in Fedora) is that software projects can build a single, self-contained package that runs on any version of Linux. It’s certainly an appealing prospect for some use cases. Not every open source project wants to rely on community packagers or spend their own effort being the maintainer in a dozen different distros. Some applications, particularly large web apps, could definitely benefit from an easier install process. I’ve found several open source project management tools I wanted to try out, but wasn’t interested enough to go through all of the setup.
Increased security is also being touted as a benefit, but I’m less inclined to buy into that. I count 63 packages on my Fedora machine that depend on the openssl-libs package. That means the next Heartbleed would require 63 updates instead of one. If some of the upstreams are slow to release updated snaps, sorry about your luck. I did see some discussion that snaps can depend on each other, but that sort of kills the “self-contained” aspect. Containerizing the applications does offer some improvements, but in most implementations, the containerization is disabled.
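To see how many packages would each need their own fix, here is an added example (not from the original post or from snapd) that inventories OpenSSL libraries bundled under a snap install root. The `/snap` default and the function names are assumptions; pass a different root as the first argument if your distro mounts snaps elsewhere.

```python
import os
import re
import sys
from collections import defaultdict

# File names such as libssl.so, libssl.so.1.0.0 or libcrypto.so.3
OPENSSL_LIB = re.compile(r"lib(ssl|crypto)\.so(\.[\w.]+)?")


def find_bundled_openssl(root):
    """Map each package directory directly under `root` to the set of
    OpenSSL shared-object file names found anywhere inside it."""
    found = defaultdict(set)
    # followlinks=False skips the per-snap `current` symlink, so a
    # revision directory is not walked a second time through it.
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        rel = os.path.relpath(dirpath, root)
        if rel == os.curdir:
            continue  # loose files in the root belong to no package
        package = rel.split(os.sep)[0]
        for name in filenames:
            if OPENSSL_LIB.fullmatch(name):
                found[package].add(name)
    return dict(found)


def packages_per_library(found):
    """Invert the inventory: library file name -> sorted package list."""
    index = defaultdict(list)
    for package, libs in found.items():
        for lib in libs:
            index[lib].append(package)
    return {lib: sorted(pkgs) for lib, pkgs in index.items()}


if __name__ == "__main__":
    # Assumed default root; some distros mount snaps elsewhere.
    root = sys.argv[1] if len(sys.argv) > 1 else "/snap"
    report = packages_per_library(find_bundled_openssl(root))
    for lib, pkgs in sorted(report.items()):
        print(f"{lib}: {len(pkgs)} package(s) carry their own copy: "
              f"{', '.join(pkgs)}")
```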
I think snapd (and Flatpak) are going to be useful tools, but they’re not there yet. And they certainly won’t solve all of the problems that the tech press seems to think they will. For the foreseeable future, maintainers will matter.