Introduction
Flatpak solves the Linux software distribution problem: applications need to work across Debian, Fedora, Arch, openSUSE, and dozens of other distributions with varying library versions. By bundling dependencies in a sandboxed runtime, Flatpak lets developers ship one build that works everywhere while giving users security through application-level permission controls.
What Flatpak Does
- Packages applications with their dependencies in a distribution-independent format
- Sandboxes apps using Linux namespaces, seccomp, and a permission portal system
- Shares common runtimes (GNOME, KDE, Freedesktop) across applications to reduce disk usage
- Delivers delta updates so only changed files are downloaded
- Runs on virtually all Linux distributions without modification
Architecture Overview
Flatpak uses OSTree (a git-like content-addressed filesystem) to store application and runtime content. Each app is built against a specific runtime (e.g., org.freedesktop.Platform) that provides core libraries. At runtime, Flatpak creates a sandboxed environment using Linux namespaces and mounts the app and runtime layers together. The portal system (via D-Bus and xdg-desktop-portal) mediates access to host resources like files, printing, and screen sharing, allowing fine-grained permission control without breaking functionality.
Self-Hosting & Configuration
- Install Flatpak from your distribution's package repository
- Add Flathub as the primary remote for access to thousands of applications
- Override application permissions with flatpak override or Flatseal (a GUI tool)
- Host a private Flatpak repository using flat-manager or ostree-based static hosting
- Build custom Flatpak apps using flatpak-builder with YAML/JSON manifest files
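The permission overrides mentioned in this list are easier to apply after auditing what an app actually declares. The following is an added example, not code from Flatpak or from this page: it parses the keyfile-style metadata that `flatpak info --show-metadata` prints and suggests `flatpak override` flags for broad grants. The sample metadata, the app ID org.example.Viewer, and the choice of which grants count as broad are assumptions of the example.

```python
import configparser

# Grants this example treats as broad, mapped to the `flatpak override` flag
# that revokes each one. Which grants count as "broad" is an assumption here.
BROAD = {
    ("filesystems", "host"): "--nofilesystem=host",
    ("filesystems", "home"): "--nofilesystem=home",
    ("sockets", "x11"): "--nosocket=x11",
    ("devices", "all"): "--nodevice=all",
}

# Constructed sample in the keyfile format Flatpak uses for app metadata.
SAMPLE = """\
[Application]
name=org.example.Viewer
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=host:ro;xdg-download;!home;
"""

def audit(metadata_text):
    """Return (app_id, [override commands]) for broad grants in [Context]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(metadata_text)
    app_id = cp.get("Application", "name", fallback="<app-id>")
    commands = []
    if cp.has_section("Context"):
        for key, raw in cp.items("Context"):
            for value in filter(None, raw.split(";")):
                if value.startswith("!"):
                    continue  # a leading "!" marks a grant already removed
                name = value.split(":", 1)[0]  # drop :ro / :rw / :create suffix
                flag = BROAD.get((key, name))
                if flag:
                    commands.append(f"flatpak override --user {flag} {app_id}")
    return app_id, commands

if __name__ == "__main__":
    app, cmds = audit(SAMPLE)
    print(f"{app}: {len(cmds)} broad grant(s)")
    for c in cmds:
        print("  " + c)
```

The suggested commands are starting points for review: revoking a grant an app genuinely needs will break that feature until the app uses a portal instead.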
Key Features
- Distribution-independent packaging that works from Ubuntu to Arch to Fedora
- Fine-grained sandboxing with portal-based access to host resources
- Shared runtimes reduce duplication and total disk usage across apps
- Efficient delta updates minimize bandwidth for version upgrades
- Flathub provides a curated app store with thousands of applications
Comparison with Similar Tools
- Snap — Canonical's alternative with automatic updates and broader daemon/server support, but it uses SquashFS and has slower cold starts
- AppImage — single portable executable approach with no sandboxing or centralized updates
- Native packages (deb/rpm) — tightly integrated with the OS but require per-distro packaging and lack sandboxing
- Docker — container technology for server workloads, not designed for desktop GUI applications
- Nix — reproducible package manager that can run GUI apps but uses a different isolation model
FAQ
Q: Does Flatpak use a lot of disk space?
A: The first app install downloads a shared runtime (~500 MB), but subsequent apps reuse it. Deduplication keeps overall usage reasonable.

Q: Can I control what permissions an app has?
A: Yes. Use flatpak override to adjust permissions per app, or install Flatseal for a graphical permission manager.

Q: Is Flathub the only source of Flatpak apps?
A: No. Flathub is the largest community repository, but you can add any Flatpak remote, including private or self-hosted ones.

Q: How do updates work?
A: Run flatpak update to check all remotes for new versions. Delta updates download only the changed portions of the application.