I recently moved my work machine from Windows to Linux and chose Debian Trixie + KDE Plasma for the stability. The advice is that if stability is your priority, you should try to avoid breaking Debian. I understand that adding third-party sources can cause dependencies conflicts, and must be avoided at all costs. I also understand that Flatpaks, AppImages, Snaps, and Docker/Podman images are safe because they don’t interfere with the system dependencies. So far, so good. What I don’t understand is what happens with other ways of installing software (eg .deb, tarballs).
I know it’s a contentious subject but if stability is the priority, how would you rank different methods? I may be wrong but my take is:
Debian repository > Flatpak > Appimage > Docker/Podman > Snap > tarball
To be avoided: .deb for Debian > .deb for Ubuntu > PPAs
Eg Viber is available as an official AppImage (with certain bugs), unofficial flatpak (with other bugs), and an official .deb for Ubuntu (which is probably a bad idea for Debian anyway). Viber support told me they don’t support my OS.
I daily drive Debian and have a few loose .deb packages and tarballs installed. Also enabled the Librewolf repo. It mostly comes down to an issue of manageability and possible conflicting dependencies. The ones I have installed don’t introduce any dependencies, so they’ve been trouble-free and have survived the Bookworm to Trixie upgrade. They are installed as a last resort option in the absence of a satisfactory equivalent via the official repo, Flatpak, or AppImage.
Loose .deb packages can be installed and uninstalled like any other normal Debian package, but won’t be automatically updated and don’t have any compatibility guarantee. Tarballs are nothing more than a collection of files, which may need to be placed in system directories. You’re on your own for those since there’s no standard and automated way to manage them and it’s possible to overwrite important system files if unpacked and copied in blindly. It’s a good idea to keep a manual record of what was put where in case any issues with them pop up down the road.
My personal ranking:
Official Debian repo > Flatpak > AppImage > Docker/Podman > Snap >> Reputable and known compatible third-party repo > Loose Debian .deb > tarball > Loose Ubuntu .deb >> Unfamiliar third-party repos and PPAs
There are certain occasions where a loose .deb or tarball won’t hurt, but sticking to options further up the list closes off the biggest routes of breaking Debian.
This ranking is very close to how I see this. Anything after Docker/Podman is out unless I absolutely need an application in which case keeping a record of dependencies is a good idea. But I want to know the work system will absolutely start in the morning hours from a deadline. Avoiding single points of failure is another way of course (ie multiple systems, OSes, backups, password managers etc).
Debian is known to be stable as in “staying the same”, you won’t get any big version updates on the programs in the debian repository, just backported security updates. That ensures that you don’t end up with dependency mismatches where different programs want the same library but different versioning.
It also means that as Trixie ages the version you get from the repo will be further and further behind as you will still be running 2025 versions with backported security updates until you upgrade to Debian 14.By installing random .tarballs and .debs outside the default repository the main advantage of Debian Stable is nulled.
I would actually recommend going all in on flatpaks, appimages and dockers if your goal is to keep the main system stable and lean. You might also wanna look at distrobox for running programs that aren’t officially available for your distro.
Another thing too look at is atomic distros, such as Fedora Kinoite https://fedoraproject.org/atomic-desktops/kinoite/Yeah, I only use Debian to host Docker images. My main desktop is Pop OS, but I’ve been pondering switching to Fedora or something similar.
Fedora KDE is my main workstation distro and it’s been treating me fine.
I chose between that and opensuse Tumbleweed and ended up trying Fedora for the simple reason of having a larger user base than opensuse.
I’m still curious to try out opensuse tumbleweed but fedora has just kept going and I’ve felt no need to fix or switch.
I agree with the popular view that Debian Stable + KDE Plasma + Flatpaks (or Appimage, Docker) strikes a balance between system reliability and freshness in selected applications when that counts. I may be missing updates for KDE Plasma but v6 is quite mature so I don’t mind. I know storage is cheap but I am instinctively uneasy with containerisation as it’s done by Flatpaks etc because of the duplication you get with all-in. But if that’s the price of reliability, so be it. It’s just that sometimes there is only a PPA or a .deb, which is why I asked.
Im pretty appimage is stable to use on your system. It contains all of the dependencies inside of it. Just one file for all of its needs. Only issue that ive had is that you need to manually update them (ie download the newest version).
Just do stuff and figure out what works for you.
I’m a big fan of never using flatpaks or appimages and favoring literally anything else over them.
I remember the time applications came on floppies, 640kb of RAM was indeed enough for anyone, and people competed in writing games in one line of BASIC (yes, that was 255 characters code max). Containers feel horribly wasteful to me, but I came to accept there aren’t many realistic alternatives for the average users who need reliability with zero effort. Making a note of dependencies in case you need to backtrack is not a realistic proposition for most. But I can understand why some users will want full control and a lean setup.
My first recommendation was more geared towards nostalgia and control. In my own installs I break Debian all the time with outside packages and esoteric user tracked dependencies.
I don’t like flatpaks or appimages because they broaden the web of trust the system relies on to an absurd degree. Appimages can be better as long as they’re compiled against stuff you have and the code they’re based on has decent ways of failing when you don’t. My trust is in the best practices of the maintainer there. Flatpaks are no better than downloading random docker images though.
You can’t just trust people. The open source world relies on being able to ferret out infiltration and bad actors and exists at a time when millions of intelligence agents and assets are operating in service of the state and simply dumped out into the private sector.
We are hoping the “wisdom of crowds” will counteract millions of highly trained operatives. It hasn’t worked out so far.
I share your concerns about trust. With flatpaks we can still read the source and commits, but not many will or can do this every time they install and update software anyway. In this sense, we have little choice but to trust the verified developer and the community, who may of course be compromised too, regardless of distribution method. I suppose with flatpaks we have to check permissions and make them as restrictive as possible.
I’m pretty sure flatpaks don’t require that the source of any of the weird shit in them be open.
It’s also probably worth it not to hold open source up above closed source in terms of security since neither of us is conducting a meticulous audit of the stuff we run.
Regardless, my point was to figure out what works for you. When I ran Slackware I got comfortable doing manual dependency management so breaking Debian by doing a bunch of manual installs is fine for me.
If you feel most comfortable with using flatpaks or appimages then use those.
flatpak > distrobox > nix > appimage > brew > snap > .deb
I never installed any gui via podman. Not sure when it applies
If alp has bugs via flatpak, then don’t use the flatpak. Maybe it’ll be resolved in a year and then switch.
Other repos and debs are fine, just don’t go overboard and add dozens of them. It’s actually a better idea than some other methods, because of the ease of uninstallation if there’s a problem.
Not really answering your question, but what you describe is exactly why I switched to arch and have been rocking the same install for over a decade.
It’s uNsTaBLe - I keep getting updates and things keep changing and rarely something needs my intervention to keep working. But it keeps working. And I can install viber from AUR without thinking.
Before that I was on Debian and then Ubuntu and then Kubuntu - and dist-upgrades were a much worse, weekend-destroying, rage-inducing pain than doing light weekly maintaining of my arch install.