**** Cyborg Central ****

Old Androids Never Die, They Just Have A Few Screws Loose

Static App Images Are Hard To Update

December 11, 2019

I was looking at anbox - a neat little program for running Android applications on Ubuntu - and was a bit unhappy to see that it was only supported on LTS releases, primarily because of kernel modules that aren't actually part of the snap package in which it's distributed. We're told that static images are supposed to fix dependency problems, and let you run programs built on one distro easily on another, but it's not quite the case, is it?

One of the nice side effects of having your application be part of a distro's package set is that it has to stay current to stay supported - that is, as the distro moves forward, your application must by necessity at least be rebuilt against new versions of dependencies. Static application images (like snaps, flatpack, and appimages) supposedly give the developer the luxury of not having to care about the underlying distro, and this is great - for them - if they can't, or won't, spend the time to keep their application up to date with the distros they support.

For users? Not so great, especially if the application has unspoken dependencies, like specific kernel or GPU driver features, or security problems.

Games are often one of the examples given in favor of statically packaged software, but they are also some of the most fragile software there is. A tiny variance between driver levels can turn into a major problem, either slowing the game to a crawl, or crashing it outright, and the developer - if they want to be responsible, of course - still has to test their game on all these variations, so much of the supposed benefit to static packaging is lost.

Security is another major problem, not only because it demands that the developer constantly update their dependencies themselves, it also means that if the developer doesn't keep up, while your distro itself may be secure, your applications may not be, so that old, reliable end-to-end encryption app you've used for months (and hasn't been updated for that long) has a fat stack of CVEs sitting in it, and you have no way to mitigate them.

Some of the static packaging solutions talk about security sandboxes, but when that sandbox includes your personal data, after a security incident, it will come as little consolation that the OS went untouched.

Lastly, a large number of statically-packaged applications may be violating the LGPL by shipping un-modifiable versions of LGPL libraries. You have the right to rebuild and replace LGPL libraries with your own versions; if the application is contained in an unmodifiable static image, you've lost this right. Maybe you don't care that much, but when that one-shot dev stops maintaining an app you depend on, lack of access and rebuildability will hurt.

Ultimately, I feel that the supposed benefits of static packaging are very underwhelming relative to the serious drawbacks they still have.

Categorized as: Linux | Personal

Leave a Reply

Your email address will not be published. Required fields are marked *