I recently moved my work machine from Windows to Linux and chose Debian Trixie + KDE Plasma for the stability. The advice is that if stability is your priority, you should try to avoid breaking Debian. I understand that adding third-party sources can cause dependencies conflicts, and must be avoided at all costs. I also understand that Flatpaks, AppImages, Snaps, and Docker/Podman images are safe because they don’t interfere with the system dependencies. So far, so good. What I don’t understand is what happens with other ways of installing software (eg .deb, tarballs).
I know it’s a contentious subject but if stability is the priority, how would you rank different methods? I may be wrong but my take is:
Debian repository > Flatpak > Appimage > Docker/Podman > Snap > tarball
To be avoided: .deb for Debian > .deb for Ubuntu > PPAs
Eg Viber is available as an official AppImage (with certain bugs), unofficial flatpak (with other bugs), and an official .deb for Ubuntu (which is probably a bad idea for Debian anyway). Viber support told me they don’t support my OS.
I remember the time applications came on floppies, 640kb of RAM was indeed enough for anyone, and people competed in writing games in one line of BASIC (yes, that was 255 characters code max). Containers feel horribly wasteful to me, but I came to accept there aren’t many realistic alternatives for the average users who need reliability with zero effort. Making a note of dependencies in case you need to backtrack is not a realistic proposition for most. But I can understand why some users will want full control and a lean setup.
My first recommendation was more geared towards nostalgia and control. In my own installs I break Debian all the time with outside packages and esoteric user tracked dependencies.
I don’t like flatpaks or appimages because they broaden the web of trust the system relies on to an absurd degree. Appimages can be better as long as they’re compiled against stuff you have and the code they’re based on has decent ways of failing when you don’t. My trust is in the best practices of the maintainer there. Flatpaks are no better than downloading random docker images though.
You can’t just trust people. The open source world relies on being able to ferret out infiltration and bad actors and exists at a time when millions of intelligence agents and assets are operating in service of the state and simply dumped out into the private sector.
We are hoping the “wisdom of crowds” will counteract millions of highly trained operatives. It hasn’t worked out so far.