Are Snap and Flatpak apps safe to install? Are they "official", approved or tested for a particular distro version?

Solution 1:

Snaps have the https://snapcraft.io/ repo. This is run by Canonical, the same people that build Ubuntu.

Flatpaks have an official repo at https://flathub.org/ . Flatpaks were developed by Redhat but I don't know if they manage the flathub repo or not.

Stability

The stability of the individual packages, of course, rely on the quality of the build and are at the mercy of the maintainer.

Both flatpaks and snaps are built completely using the dependencies they need inside a sandbox but both handle this a little differently

Snaps build a mount point and the system mounts the program archive and runs it from there.

Flatpaks are built in /var/flatpak/ for system-wide (global) installs and in ~/.var/app on the local side. It mounts those and runs them.

The good news about stability is that if you get a wonky application in either it is contained and will not make the rest of your system unstable by installing libraries that cause conflicts with other installed apps.

Both are self-contained applications with all the needed information to run. This is what makes this distro-agnostic and allows them to be installed on any Linux system that supports them (flatpak or snap)

Security

This is a little more ambiguous.

Snaps only have the official repo. There was one reported case of malware getting into the repo but it was caught quickly and removed. It was cryptocurrency mining software that would send some mined currency back to the app maintainers without the users knowledge. Even with that there was no other ill effect from the app and AFAIK, it was unable to access the home folder of the user.

Flatpaks: If you use the official repo it should have about the same security as Snaps, nothing is perfect but anything that makes it in will be very quickly noticed and removed if it is malware and made it past the initial submission review.

I would personally doubt that anything overtly malware like a virus would make it into either Snap's or Flatpak's repos and anything with sneaky unwanted behavior like the aforementioned cryptocurrency mining app would stay in very long.

Overall I would say that both are safe but neither is as inherently safe as the official Ubuntu sources, but this goes for PPAs as well. Adding any sources outside of Ubuntu's official sources is not quite as safe.

I do have to add a caveat here, there are other Flatpak repos out there. Most of these are for legitimate programs that just want to host their own repo rather than use flathub. Those are completely outside any quality control of flathub and should only be added if you trust the developers of the program. This would also go for adding snap repos but I don't think that at this time there are any but the official Snap repos.

As to the whether or not flatpaks and snaps are safe to install

Overall that are safe as long as you stick to the official repos, look over the description of the packages you want to install and don't install anything that looks even a bit shady.

Both are a great way for users to have a safe (as safe as can be expected outside a distro's official package sources) way to install software that are not available any other way and have them "just work".

For example, I have Spotify installed as a Snap and Teamspeak 3 installed as a flatpak. While Spotify is available via a ppa, using a snap allows me to avoid cluttering apt with PPA that I can avoid using.

Teamspeak would only be available for me with a .run that unpacks the folder and then you put the extracted folder in your home directory and click on the sh file or use the command line to start. While I did this before and then made a desktop launcher to launch it for me then added that launcher to my ~/local/share/applications folder to launch it. It was so much easier to just install the Flatpak in one step and have it work.


Once I installed, from outside repos, a fancy terminal emulator that mimicked retro green/amber phosphor monitors. This app wreaked havoc in my system and I had to reinstall Ubuntu.

To address that part of your lead up to your question:

I would suspect that reason the PPA completely hosed your Ubuntu install is because it brought in newer libraries as dependencies that your native programs were unable to use or overwrote your installed libraries with older ones that were too outdated to be used by your native Ubuntu.

The good thing about both snaps and Flatpaks is that they will bring in any libraries they need to run inside their own folders. Snaps and Flatpaks are self-contained and will not touch any of your system files or libraries.

The disadvantage to this is that the programs might be bigger than a non snap or Flatpak version but the trade off is that you don't have to worry about it affecting anything else, not even other snaps or Flatpak. If the app is broken because it brought in bad libraries or for any other reason you just uninstall it and it is completely gone.

Solution 2:

It's very different for different apps. You can find good and well maintained apps:

  • https://snapcraft.io/pycharm-community
  • https://snapcraft.io/telegram-desktop

But there are much garbage, outdated or insecure apps

  • https://snapcraft.io/ghex-udt
  • https://snapcraft.io/electrum

Before install app you have to check author, current version/last update for snap version and same things for mainstream version, permissions (it may be "Classic" app with all dangerous permissions).

Same things for PPA, they are not any trusted quality control.