I like the concept of AppImage much more than Snap and Flatpak.
I fully embrace the idea of decentralized distribution of applications, as opposed to the way package managers work (central repository maintained by the distro).
I believe the operating system should only be concerned about the base software and present a sane interface so that the user can then install the specific programs they need; the OS should not care about how or where the user gets those programs.
AppImage is the only project I know that respects that idea. Snap and Flatpak are centralized AFAIK (or are unnecessarily hard to use in a decentralized manner).
How does AppImage solve distribution of applications? It seems to do packaging, but the actual distribution part is left to the developer. Maybe they put them in a somewhat trusted location like a GitHub releases page, or maybe they are pinned to a web forum post.
Something like Snap tries to solve distribution and updating, using a store and cryptographic signatures. For decentralized use, the snaps can be downloaded along with a signature, and they can then be installed on computers with no net access. The snapd software can verify that the binary came via the store and can be trusted that far at least. Or you can avoid the store entirely, distributing .snap files unsigned or using your own verification mechanisms exactly as a developer does with AppImage, and force the installation using the relevant CLI arguments.
How is this different from Windows? I think this is good for dependency-heavy apps, such as Krita, but you should still try to keep things as centralized as possible; it makes updates easier and painless.
The practical difference is that the ecosystem of Linux applications is composed almost entirely of open source software. Consequently, installing something you downloaded from the web is much less dangerous than installing a closed source program on Windows, provided that you trust the website.
I agree that the centralized scheme is easier to use in 80% of cases, i.e. when:
(1) The package you want is in the repos, and ...
(2) The version of the package you want is in the repos.
But, when those 2 conditions are not met, installing software is usually harder than on Windows. Additionally, I don't like the very nature of centralized things, even if they are managed by the good guys.
Unless somebody else built the app from source and reproduced exactly the same binaries there is no guarantee that the binaries you download were actually built from the source you're looking at. Open source per se doesn't magically imply any benefits wrt security. Things look differently if the binaries were built on a central & trusted platform or by trusted packers.
> Things look differently if the binaries were built on a central & trusted platform or by trusted packers.
How so? I believe the same principle applies for centralized distribution. How do I know the packer didn't change the code? The same way I trust repo maintainers I can trust application developers, or any other third party.
And reproducible builds are possible both in decentralized and centralized modalities of distribution. Aren't they?
Yeah, I agree that it is a pain when a package is not in the official repos, and maybe I should see this as a centralized solution to that. Currently I think each distro tries to solve it somewhat, for example Arch and its AUR.
I have a similar but different view. I don't mind a centralized distribution platform, but I like how snap separates that from the distro so it's easy to target many distros with one package.