As a user, the best way to handle applications is a central repository where interoperability is guaranteed. Something like what Debian does with the base repos. I just run an install and it’s all taken care of for me. What’s more, I don’t deal with unnecessary bloat from dozens of different versions of the same library according to the needs of each separate dev/team.
So the self-contained packages must be primarily of benefit to the devs, right? Except I was just reading through how flatpak handles dependencies: runtimes, base apps, and bundling. Runtimes and base apps supply dependencies to the whole system, so they only ever get installed once… but the documentation explicitly mentions that there are only few of both meaning that most devs will either have to do what repo devs do—ensure their app works with the standard libraries—or opt for bundling.
Devs being human—and humans being animals—this means the overall average tendency will be to bundle, because that’s easier for them. Which means that I, the end user, now have more bloat, which incentivizes me to retreat to the disk-saving havens of repos, which incentivizes the devs to release on a repo anyway…
So again… who does this benefit? Or am I just completely misunderstanding the costs and benefits?
It benefits the end-user.
People do not want to be in dependency resolution hell; where they have three programs that all use different versions of libssl and require them to install all of them properly and point each application to the correct one. Most users have no ability to resolve problems like that. By not bundling, the application developer is forcing them to either try anyway or just not install their software.
Bundling dependencies with Flatpak or Snap helps the end user at the cost of only a few extra megabytes of space, which most users have in abundance anyway.
Traditional distro repositories also solve these dependencies for the user.
Only if everything you need is in the repository. If you have a application you want to install that doesn’t work with your repo supplied version of library, then you are gonna have fun making it work without messing other stuff up. And end users don’t really want to deal with that. Also disk space today is cheap, compared to the time it takes to learn and fix such issues.
Not really; they will try to automatically download dependencies, but they don’t provide the application with resolution to the correct dependency. So upgrading libssl for one dependency could still break another.
That hasn’t been my experience in Debian, which is the example OP gave.
I’ve run into this in Debian. Not sure what to tell you – the base repo does not have an explicit contract that everything in it uses the same version of all available software.
Distro packagers solve the issue for the user. And it takes a lot of work