> I heard was better than flatpaks

I haven't heard that, nor have I seen research that indicates so. I think the main issue is that a lot of Flatpaks and Snaps aren't sandboxed by default due to lazy devs. My understanding is that Flatpak is better if you have used bubblewrap, as it defines only what is needed.
> nowhere near as good as something like android or ios's sandboxing

User apps on Android are confined by a SELinux policy, and everything on Android/iOS is done through the SDKs. Software on a Linux system is fundamentally not designed in the same way.
> systemD (which I consider a negative)

FYI, there's a lot of FUD around systemd, most of it from whingy neckbeards who think some great tragedy has occurred. My personal experience is that I've found it a LOT less flaky than OpenRC (used on Gentoo and Alpine Linux), both of which I had used for years. There was even some talk about replacing that in Alpine Linux with s6; the original maintainer uses NetBSD now, and is dying of cancer. Every other init is not really maintained. With Alpine Linux most of the usage actually is in containers anyway, where there is no init anyway. Every distribution which uses something else is "niche".

People assume that the project and anything under it are all hard requirements, and that's not so. Lennart Poettering has been doing great work with systemd-cryptenroll and systemd-ukify. Unsigned init ramdisks have always been a huge problem, and so has the lack of being able to use your TPM to rate limit decryption. The idea of having completely separate home directories that don't rely on files in /etc is also a really good idea. It means you could have a home directory on a CIFS share or portable NVMe that doesn't crap on the main system. You can also use your own LUKS key for that too.
> sandbox being weakened makes that one of the few positives for snaps moot. I did know about the AppArmor reliance

I think Flatpak and Snap will never really go away. The main issue with software on Linux is the lack of sandboxing, and users want the latest software "now". Software developers also haven't necessarily got the time or expertise to package the software for every distro, and these mechanisms are a way of distributing to a huge number of platforms. One of the major issues with Debian currently is the huge amount of unmaintained software in their repo, and Frankenstein-patched software, because they refuse to upgrade to the "next version" when there is a security vulnerability. It results in a massively stale distribution or undefined behavior, as you've now made franken-software (not what the original developer intended). Downstream distributions like Ubuntu simply just freeze the testing repo every release. Debian also has a huge number of bits of software that don't contain security fixes, because nobody ever reported it. I think this problem will get bigger as package maintaining is not something people want to do (there's less each year, and more software to package).
As with most things Ubuntu/Canonical based, they rely heavily on AppArmor for confinement, which is not as granular as SELinux. I've noticed that a lot of the AppArmor policies that exist are old and not really maintained, e.g. the Firefox one and others. I also think it's absolutely ridiculous that security should be the user developing policies. Like, lulwut. Got better things to do with my time. I've also noticed that MicroOS switched to SELinux for their immutable OS, when in the past they've used AppArmor for SUSE/SLES etc. Microsoft is working on a high level language to make it easier to write SELinux policies.
> I don't know a lot of custom flatpak repos as most software I know of just sends you to the flathub page

I can think of an example: 1Password has their own repo, and there's probably heaps of others out there too. I think from an ideological point of view, though, it should be possible; otherwise we end up in walled gardens of what is and isn't allowed. It also gives greater power to those who want to force their opinions on others. We've seen a few things like that with Google Play, for example when Element was removed from Google Play. I'm sure there's been plenty of other things like that too. That's the main reason I dislike Snap over Flatpak.
> I believe that everyone shouldn't assume a sandbox means it's safe, and that everyone should use common sense and caution when running software they know nothing about.

That is totally true, but that's not the sandbox's fault, that's the supply chain; both are different issues.
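The "aren't sandboxed by default" point in the reply above is something you can check for any installed app rather than take on trust, because Flatpak stores the granted permissions as plain key=value text. The script below is an added example, not code from this thread or from the Flatpak project: it assumes the `[Context]` / `[Session Bus Policy]` layout that `flatpak info --show-permissions <app-id>` prints, and the list of what counts as "broad" (host filesystem, all devices, raw X11, unfiltered D-Bus, talk access to `org.freedesktop.Flatpak`) is my own reading of the usual Flatpak hardening advice. Both permission samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag Flatpak permissions that
# effectively switch the bubblewrap sandbox off. Input is the text that
# `flatpak info --show-permissions <app-id>` prints; the risk rules are
# an assumption on my part, mirroring common Flatpak hardening guidance.

# Constructed sample: an app that asked for far more than it needs.
SAMPLE_BROAD='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=all;
filesystems=host;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
'

# Constructed sample: an app confined to roughly what a desktop app needs.
SAMPLE_TIGHT='[Context]
shared=network;
sockets=wayland;pulseaudio;
filesystems=xdg-download:ro;
'

# Read permissions text on stdin; print one finding per line (nothing if clean).
flag_broad_perms() {
    awk -F= '
        /^\[/ { section = $0; next }   # track the current INI-style section
        section == "[Context]" {
            key = $1
            n = split($2, vals, ";")   # values are ;-separated; a trailing ; yields an empty last field
            for (i = 1; i <= n; i++) {
                v = vals[i]
                if (v == "") continue
                base = v; sub(/:.*/, "", base)   # drop :ro / :create suffixes on filesystem entries
                if (key == "filesystems" && (base == "host" || base == "host-os" || base == "host-etc" || base == "home")) {
                    print "filesystems=" v ": broad filesystem access, the sandbox no longer protects user data"
                }
                if (key == "devices" && base == "all") {
                    print "devices=all: every device node in /dev is exposed"
                }
                if (key == "sockets" && base == "x11") {
                    print "sockets=x11: X11 has no isolation between clients (input and windows are readable)"
                }
                if (key == "sockets" && (base == "session-bus" || base == "system-bus")) {
                    print "sockets=" v ": unfiltered D-Bus access instead of a per-name policy"
                }
            }
        }
        section == "[Session Bus Policy]" && $1 == "org.freedesktop.Flatpak" && $2 == "talk" {
            print "org.freedesktop.Flatpak=talk: allows flatpak-spawn --host, i.e. running commands outside the sandbox"
        }
    '
}

# Number of findings for the permissions text on stdin (0 means nothing broad was granted).
count_broad_perms() {
    flag_broad_perms | awk 'END { print NR }'
}

# Stand-alone run on the constructed samples.
echo "broad app:"
printf '%s' "$SAMPLE_BROAD" | flag_broad_perms
echo "tight app findings: $(printf '%s' "$SAMPLE_TIGHT" | count_broad_perms)"
```

On a real system, `flatpak info --show-permissions org.example.App | flag_broad_perms` (app id is a placeholder) lists what the app can reach, and `flatpak override --user --nofilesystem=host org.example.App` is the stock way to take a broad grant back without touching the app itself. Anything the script is silent on still needs reading, since the rules only cover the handful of grants that make the sandbox largely cosmetic.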