Harder to accidently render insecure? My experience is the opposite, that docker style containers frequently fail to update vulnerable dependencies.
Also depending on context, I can say often the container is harder to use. Snap is probably the easiest to use of the solutions, flatpak makes cli invocation a pain, and docker style sucks entirely for interaction, but is fine if your primary interaction is via Web service once you set it up (but oh boy, adding a webui package means you get to mess with nginx or apache proxypass by hand, and each app may require subtly different parameters in proxypass).
The person said “containers” so I was responding to both.
However, docker containers could stand to learn a thing or two with how flatpak and snap compose a runtime. Applications can say “allow x, y, and z dependency layers to update independent of the application container”, versus the docker style of the app developer must own maintenance of the entire image.
There may be reasonable differences with respect to how much of a users “real” files and environment are presented to a container in those scenarios, and functional differences like gui and networking suggesting different defaults, but image composition does not need differentiation for their use cases.
Harder to accidently render insecure? My experience is the opposite, that docker style containers frequently fail to update vulnerable dependencies.
Also depending on context, I can say often the container is harder to use. Snap is probably the easiest to use of the solutions, flatpak makes cli invocation a pain, and docker style sucks entirely for interaction, but is fine if your primary interaction is via Web service once you set it up (but oh boy, adding a webui package means you get to mess with nginx or apache proxypass by hand, and each app may require subtly different parameters in proxypass).
Docker is not in a competitor for snap and flatpak. They are tackling very differend kinds of installations.
The person said “containers” so I was responding to both.
However, docker containers could stand to learn a thing or two with how flatpak and snap compose a runtime. Applications can say “allow x, y, and z dependency layers to update independent of the application container”, versus the docker style of the app developer must own maintenance of the entire image.
There may be reasonable differences with respect to how much of a users “real” files and environment are presented to a container in those scenarios, and functional differences like gui and networking suggesting different defaults, but image composition does not need differentiation for their use cases.