As far as I can tell, there is no helper yet for Flatpak packages.
With that in mind, hows the best way to install/use them, and keep them up to date?
A) Make a separate template for Flatpaks. Make a separate VM for Flatpaks. Install in the template.
B) Use a standard template. Install the Flatpaks in their own VM.
C). Install Flatpaks in the VMs they are needed?
If I understand correclty, A) the Flatpaks will be updated? Right?
B
Have you seen this?
ā¦but consider this:
Not sure what to think. Micah Lee is very knowledgeable but the criticisms of Flatpak also seem legit.
This looks like an interesting solution for less technical inclined users and those preferring the standard Fedora templates for various reasons. It does however come with the downsides you pointed to.
If one has the space and bandwidth (for the respective updates) I would recommend going with dedicated templates instead.
If one has some technical skill in installing Linux programs and resolving package dependencies of course as always: debian-minimal, apt-cacher-ng & one template per app/use case for reasons discussed many times in this forum.
Yeah, I decided against using Flatpak. I arrived at my decision, ironically enough, because I donāt consider myself technical enough to know if itās safe or not.
assigned to āUser Supportā
To clarify: install a minimal template. Install flatpak in the an appVm of the template. Install the flatpaks in the appVm?
I imagine that the flatpaks wonāt update with the updater. And would need to be updated inside the appVm. And each appVm with the same flatpak would have to be updated separately?
(Turning on the network for the install, and installing the flatpaks direct in the template didnāt seem to work.)
Sorry for being unclear: I meant NOT using flatpacks at all and instead doing a traditional install in the template.
A few apps are Flatpak only. In this case I imagine the only solution is to install in an appVM and then update manually in the appVm?
I needed an up to date telegram app, allowed a debian clone internet installed the package then the app per the debian instructions, seems to be working, guess I could just use the clone template for the 1 app vm in which I run the telegram app,
Not sure if I looked at what version the Fedora template uses of telegram, nor if there was some kind of backport to get a newer telegram, which is an issue with debian sometimes, having older versions, did give me the idea to use disposable fedora firefoxās now for a newer version ā¦
Iāve never used flatpaks before , did use backports or tried to before , maybe for youtube-dl, but tends to confuse meā¦ or mess up my templates
Big thanks to Micah Lee for making such a useful app.
Qubes team, you might want to add that app to 4.1.2.
@Micahflee, msg me your XMR, ARRR address. Iād like to send you some appreciation. Please continue to make such useful apps and guides.
So for now in 2024 year, is this criticism still legit? I am thinking about trying flatpaks too because of their advertised safety. But if itās just a blown bubble, I think Iāll hold off.
That website has a bit of bad faith. The sandboxing works fine, but some programs are not sandboxed or not tightly, this is listed in the program information on flathub.
Just make sure to avoid flatpak that are not from verified sources, this mean there are anonymous people behind it. That doesnāt mean the program packaging isnāt legit, but itās not verified. For instance, Firefox flatpak on flathub is verified, this mean itās made by the people making Firefox, so you should be able to trust them for not shipping malware 
Usually, flatpak ships vulnerability fixes pretty fast, and programs are automatically updated using compilation pipeline from sources code, itās usually the first place to receive update for a new software version.
Thanks. There are many different manuals for how to install and use flatpaks in Qubes. Many of them look pretty complicated. Iām not sure which oneās right for me. I just want to try sandboxed Telegram flatpak in some separated, dedicated for this purpose qube (most likely standalone). What method would you suggest for this purpose?
You could use an AppVM so itās easier to maintain and add the --user flag to flatpak commands to install it under the user in /home/user/, this way it will be persistent even in the AppVM.
I wrote a detailed guide to use Flatpak for templates, but itās more cumbersome for your use case that just need 1 program in 1 qube.
I wanted to use standalone because thought it will improve security (or privicy) while using such app as Telegram, because app qubes share the same template.
using a standalone may provide a bit less security than a template. In an AppVM, in the case a malware infects your computer in the template inherited files, they are just reset at every reboot, while a standalone isnāt partially reset.
In term of privacy, this would potentially allow an attacker to figure the programs installed in the template, nothing more.
You have all information to decide between a standalone or an AppVM now 
In a standalone, just add flathub repository and install with the provided flatpak command line on flathub (just flatpak install something).
Even better, you could make a disposable from a standalone / AppVM and use telegram in it. This would work if telegram can resend you the history each time you connect.
As I understand, when it comes about app qube and flatpak, you donāt need to install it in template. This all is performed only in app qube, right? So if I want to use only single, sandboxed flatpak app in app qube and using terminal for installation (in order not to bother with gnome) is ok for me then what manual would you suggest to follow?
Since Micahās manual doesnāt work now I decided to try this one, but have few questions:
https_proxy so flatpak can figure how to reach the repository through the proxy". What proxy you mean? I use only sys-whonix as netvm. Should I specify tor proxy 127.0.0.1:9050 or it needs some special proxy? Maybe only this one that you wrote?The āproxyā here is the update proxy defined for the system, so if you configured sys-whonix as a proxy, it will be torrified.
I just re-read your manual more carefully and realized that I can avoid some hassle if I just do it all in standalone. Especially since I donāt want to install Telegram in template. So all I need is just to do:
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
In order to circumvent a GNOME Software bug, if you want to use it to install packages (Flatpak or not), you need to add the following line to /rw/config/rc.local:
ip route add default via 127.0.0.2
And it seems you miswrote 127.0.0.2 instead of 127.0.0.1. Yes? At least you wrote here 127.0.0.1.
Am I correct?