I recently moved my work machine from Windows to Linux and chose Debian Trixie + KDE Plasma for the stability. The advice is that if stability is your priority, you should try to avoid breaking Debian. I understand that adding third-party sources can cause dependency conflicts, and must be avoided at all costs. I also understand that Flatpaks, AppImages, Snaps, and Docker/Podman images are safe because they don’t interfere with the system dependencies. So far, so good. What I don’t understand is what happens with other ways of installing software (e.g. .deb, tarballs).
I know it’s a contentious subject but if stability is the priority, how would you rank different methods? I may be wrong but my take is:
Debian repository > Flatpak > AppImage > Docker/Podman > Snap > tarball
To be avoided: .deb for Debian > .deb for Ubuntu > PPAs
E.g. Viber is available as an official AppImage (with certain bugs), unofficial flatpak (with other bugs), and an official .deb for Ubuntu (which is probably a bad idea for Debian anyway). Viber support told me they don’t support my OS.
- I daily drive Debian and have a few loose .deb packages and tarballs installed. Also enabled the Librewolf repo. It mostly comes down to an issue of manageability and possible conflicting dependencies. The ones I have installed don’t introduce any dependencies, so they’ve been trouble-free and have survived the Bookworm to Trixie upgrade. They are installed as a last resort option in the absence of a satisfactory equivalent via the official repo, Flatpak, or AppImage.
- Loose .deb packages can be installed and uninstalled like any other normal Debian package, but won’t be automatically updated and don’t have any compatibility guarantee. Tarballs are nothing more than a collection of files, which may need to be placed in system directories. You’re on your own for those since there’s no standard and automated way to manage them and it’s possible to overwrite important system files if unpacked and copied in blindly. It’s a good idea to keep a manual record of what was put where in case any issues with them pop up down the road.
- My personal ranking:
- Official Debian repo > Flatpak > AppImage > Docker/Podman > Snap >> Reputable and known compatible third-party repo > Loose Debian .deb > tarball > Loose Ubuntu .deb >> Unfamiliar third-party repos and PPAs
- There are certain occasions where a loose .deb or tarball won’t hurt, but sticking to options further up the list closes off the biggest routes of breaking Debian.
- This ranking is very close to how I see this. Anything after Docker/Podman is out unless I absolutely need an application in which case keeping a record of dependencies is a good idea. But I want to know the work system will absolutely start in the morning hours from a deadline. Avoiding single points of failure is another way of course (i.e. multiple systems, OSes, backups, password managers etc).
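Added example, not part of the thread: one way to keep the "record of what was put where" for a tarball and to catch overwrites before copying anything in. The function and file names are hypothetical, and the sample prefix and tarball are constructed in a scratch directory.

```shell
# Added example (not from the thread). Nothing is extracted.
# tar_preflight ARCHIVE DESTROOT MANIFEST
#   writes every path the archive would create under DESTROOT to MANIFEST,
#   prints CONFLICT for files that already exist there and UNSAFE for
#   absolute or ".." member names; returns 1 if anything was flagged.
tar_preflight() {
    archive=$1 destroot=$2 manifest=$3 flagged=0
    tar -tf "$archive" > "$manifest.list" || return 2
    : > "$manifest"
    while IFS= read -r entry; do
        case $entry in
            /*|..|../*|*/../*|*/..)
                echo "UNSAFE   $entry"; flagged=1; continue ;;
        esac
        target=$destroot/${entry#./}
        echo "$target" >> "$manifest"
        # Existing directories are normal; existing files would be replaced.
        if [ -f "$target" ] || [ -L "$target" ]; then
            echo "CONFLICT $target"; flagged=1
        fi
    done < "$manifest.list"
    rm -f "$manifest.list"
    return "$flagged"
}

# Constructed sample: a scratch prefix that already holds bin/tool, and a
# tarball that ships bin/tool plus a README.
tar_preflight_demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/src/bin" "$work/src/share/tool" "$work/prefix/bin"
    echo new > "$work/src/bin/tool"
    echo doc > "$work/src/share/tool/README"
    echo old > "$work/prefix/bin/tool"
    tar -cf "$work/tool.tar" -C "$work/src" bin share
    tar_preflight "$work/tool.tar" "$work/prefix" "$work/manifest.txt"
    rc=$?
    rm -rf "$work"
    return "$rc"
}
tar_preflight_demo || echo "flagged paths found: review before unpacking"
```

On Debian, `dpkg -S <path>` shows which package owns a file reported as a conflict; keep the manifest so the files can be removed by hand later.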
 
- Just do stuff and figure out what works for you.
- I’m a big fan of never using flatpaks or appimages and favoring literally anything else over them.
- I remember the time applications came on floppies, 640kb of RAM was indeed enough for anyone, and people competed in writing games in one line of BASIC (yes, that was 255 characters code max). Containers feel horribly wasteful to me, but I came to accept there aren’t many realistic alternatives for the average users who need reliability with zero effort. Making a note of dependencies in case you need to backtrack is not a realistic proposition for most. But I can understand why some users will want full control and a lean setup.
- My first recommendation was more geared towards nostalgia and control. In my own installs I break Debian all the time with outside packages and esoteric user tracked dependencies.
- I don’t like flatpaks or appimages because they broaden the web of trust the system relies on to an absurd degree. Appimages can be better as long as they’re compiled against stuff you have and the code they’re based on has decent ways of failing when you don’t. My trust is in the best practices of the maintainer there. Flatpaks are no better than downloading random docker images though.
- You can’t just trust people. The open source world relies on being able to ferret out infiltration and bad actors and exists at a time when millions of intelligence agents and assets are operating in service of the state and simply dumped out into the private sector.
- We are hoping the “wisdom of crowds” will counteract millions of highly trained operatives. It hasn’t worked out so far.
- I share your concerns about trust. With flatpaks we can still read the source and commits, but not many will or can do this every time they install and update software anyway. In this sense, we have little choice but to trust the verified developer and the community, who may of course be compromised too, regardless of distribution method. I suppose with flatpaks we have to check permissions and make them as restrictive as possible.
- I’m pretty sure flatpaks don’t require that the source of any of the weird shit in them be open.
- It’s also probably worth it not to hold open source up above closed source in terms of security since neither of us is conducting a meticulous audit of the stuff we run.
- Regardless, my point was to figure out what works for you. When I ran Slackware I got comfortable doing manual dependency management so breaking Debian by doing a bunch of manual installs is fine for me.
- If you feel most comfortable with using flatpaks or appimages then use those.
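Added example, not part of the thread: a small audit of the permission text that `flatpak info --show-permissions APP` prints, for the "check permissions and make them as restrictive as possible" point above. The function name and the choice of which grants count as broad are assumptions of this example, and the sample output is constructed for a made-up app.

```shell
# Added example (not from the thread). Reads the keyfile text printed by
# `flatpak info --show-permissions APP` on stdin, prints one BROAD line per
# wide grant, and returns 1 if it printed any.
audit_flatpak_perms() {
    awk -F= '
        /^\[/ { section = $0; next }
        section == "[Context]" && NF >= 2 {
            n = split($2, vals, ";")
            for (i = 1; i <= n; i++) {
                v = vals[i]; base = v
                sub(/:.*/, "", base)      # drop a :ro / :rw / :create suffix
                broad = 0
                if ($1 == "filesystems" && (base == "host" || base == "home")) broad = 1
                if ($1 == "sockets" && (v == "x11" || v == "session-bus" || v == "system-bus")) broad = 1
                if ($1 == "devices" && v == "all") broad = 1
                if (broad) { print "BROAD " $1 "=" v; found = 1 }
            }
        }
        # Access to org.freedesktop.Flatpak lets the app run commands on the host.
        section == "[Session Bus Policy]" && $1 == "org.freedesktop.Flatpak" {
            print "BROAD session bus: " $0; found = 1
        }
        END { exit found + 0 }
    '
}

# Constructed sample output for a made-up app.
flatpak_audit_demo() {
    audit_flatpak_perms <<'EOF'
[Context]
shared=network;ipc;
sockets=wayland;fallback-x11;pulseaudio;
devices=dri;
filesystems=home:ro;xdg-download;

[Session Bus Policy]
org.freedesktop.Notifications=talk
EOF
}
flatpak_audit_demo || echo "tighten these with flatpak override, then re-check"
```

A flagged grant can be removed for your user with, for example, `flatpak override --user --nofilesystem=home APP`.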
 
 
 
 
- Debian is known to be stable as in “staying the same”, you won’t get any big version updates on the programs in the debian repository, just backported security updates. That ensures that you don’t end up with dependency mismatches where different programs want the same library but different versioning.
 It also means that as Trixie ages the version you get from the repo will be further and further behind as you will still be running 2025 versions with backported security updates until you upgrade to Debian 14.
- By installing random .tarballs and .debs outside the default repository the main advantage of Debian Stable is nulled.
 I would actually recommend going all in on flatpaks, appimages and dockers if your goal is to keep the main system stable and lean. You might also wanna look at distrobox for running programs that aren’t officially available for your distro.
 Another thing to look at is atomic distros, such as Fedora Kinoite https://fedoraproject.org/atomic-desktops/kinoite/
- Yeah, I only use Debian to host Docker images. My main desktop is Pop OS, but I’ve been pondering switching to Fedora or something similar.
- Fedora KDE is my main workstation distro and it’s been treating me fine.
 I chose between that and opensuse Tumbleweed and ended up trying Fedora for the simple reason of having a larger user base than opensuse.
 I’m still curious to try out opensuse tumbleweed but fedora has just kept going and I’ve felt no need to fix or switch.
 
- I agree with the popular view that Debian Stable + KDE Plasma + Flatpaks (or AppImage, Docker) strikes a balance between system reliability and freshness in selected applications when that counts. I may be missing updates for KDE Plasma but v6 is quite mature so I don’t mind. I know storage is cheap but I am instinctively uneasy with containerisation as it’s done by Flatpaks etc because of the duplication you get with all-in. But if that’s the price of reliability, so be it. It’s just that sometimes there is only a PPA or a .deb, which is why I asked.
- EDIT: I just tried distrobox for the first time. It is amazing how efficient it is. I ran Firefox on Arch and I couldn’t tell the difference in resources. Amazing really.
- Glad you found something of value from my comment. :)
 
 
- I’m pretty sure AppImage is stable to use on your system. It contains all of the dependencies inside of it. Just one file for all of its needs. Only issue that I’ve had is that you need to manually update them (i.e. download the newest version).
- Other repos and debs are fine, just don’t go overboard and add dozens of them. It’s actually a better idea than some other methods, because of the ease of uninstallation if there’s a problem. 
- Not really answering your question, but what you describe is exactly why I switched to arch and have been rocking the same install for over a decade.
- It’s uNsTaBLe
- I keep getting updates and things keep changing and rarely something needs my intervention to keep working. But it keeps working. And I can install viber from AUR without thinking.
- Before that I was on Debian and then Ubuntu and then Kubuntu
- and dist-upgrades were a much worse, weekend-destroying, rage-inducing pain than doing light weekly maintaining of my arch install.
- How were dist upgrades going bad?
- I don’t have a good memory, because it was about 15-10 years ago.
- I remember one time where the dist upgrade finished, but after a reboot most apps would crash with core dumps and I wasn’t able to use apt for anything.
- One time I did the dist upgrade too late and the repos were gone. It would have probably worked by manually pointing at the archive, but I was a newbie back then.
- One time I had some ppa for work, that blocked the upgrade and I would have to completely remove it, but there was no version for the new release yet, even though I needed (also for work) a feature from some tool that was updated in the new release. So I was stuck between having one or the other but not both.
- But like I said, it’s all cloudy.
- Something like this happened to me too circa 2005 and it made me switch to debian; which stayed rock solid until 2016 when the motherboard died.
- Oh, yeah, I remember that time. Upgrading between major versions isn’t perfect, but it has improved dramatically since about 2017 on both Ubuntu and Debian.
- Debian has also just implemented apt v3, which adds many basic http/s quality-of-life improvements to package downloading and installing (like multithread, better config definitions, easier key mgmt, etc)
- I don’t know about Ubuntu because I moved from Ubuntu to debian 4 years ago for other reasons, but I’m sure they have apt v3 as well.
 
 
 
- If the goal is stability, I would have likely started with an immutable OS. This creates certain assurances for the base OS to be in a known good state. 
 With that base, I’d tend towards:
 Flatpak > Container > AppImage
- My reasoning for this being:
- Installing software should not affect the base OS (nor can it with an immutable OS). Changes to the base OS and system libraries are a major source of instability and dependency hell. So, everything should be self contained.
- Installing one software package should not affect another software package. This is basically pushing software towards being immutable as well. The install of Software Package 1, should have no way to bork Software Package 2. Hence the need for isolating those packages as flatpaks, AppImages or containers.
- Software should be updated (even on Linux, install your fucking updates). This is why I have Flatpak at the top of the list, it has a built-in mechanism for updating. Container images can be made to update reasonably automatically, but have risks. By using something like docker-compose and having services tied to the “:latest” tag, images would auto-update. However, it’s possible to have stacks where a breaking change is made in one service before another service is able to deal with it. So, I tend to tag things to specific versions and update those manually. Finally, while I really like AppImages, updating them is 100% manual.
 - This leaves the question of apt packages or doing installs via make. And the answer is: don’t do that. If there is not a flatpak, appimage, or pre-made container, make your own container. Docker files are really simple. Sure, they can get super complex and do some amazing stuff. You don’t need that for a single software package. Make simple, reasonable choices and keep all the craziness of that software package walled off from everything else. 
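Added example, not part of the thread: a check for the tagging advice in the comment above, listing which images in a compose file are pinned to a version and which would float on the next pull. The function name is hypothetical and the compose file, image names and tags are constructed.

```shell
# Added example (not from the thread). Prints PINNED or FLOATING for every
# "image:" line in a compose file and returns 1 if any image is FLOATING
# (no tag, or ":latest"), i.e. it can change underneath you on the next pull.
check_image_pins() {
    awk -v q="'" '
        /^[ \t]*image:[ \t]*/ {
            ref = $0
            sub(/^[ \t]*image:[ \t]*/, "", ref)
            sub(/[ \t]+#.*$/, "", ref)          # trailing comment
            sub(/[ \t\r]+$/, "", ref)
            gsub("[\"" q "]", "", ref)          # surrounding quotes
            name = ref
            sub(/.*\//, "", name)   # last path part, so registry:port is ignored
            if (ref ~ /@sha256:/)        state = "PINNED"
            else if (name !~ /:/)        state = "FLOATING"
            else if (name ~ /:latest$/)  state = "FLOATING"
            else                         state = "PINNED"
            if (state == "FLOATING") bad = 1
            printf "%-8s %s\n", state, ref
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample file (image names, tags and digest are made up).
pins_demo() {
    f=$(mktemp) || return 2
    cat > "$f" <<'EOF'
services:
  web:
    image: example/web:latest
  db:
    image: "example/db:16.4"   # pinned by tag
  worker:
    image: localhost:5000/worker
  cache:
    image: example/cache@sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
    check_image_pins "$f"; rc=$?
    rm -f "$f"
    return "$rc"
}
pins_demo || echo "floating images found: pin them before the next pull"
```

Note the `localhost:5000/worker` case: the colon belongs to the registry port, so the image is still untagged and is reported as FLOATING.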
- flatpak > distrobox > nix > appimage > brew > .deb
- I never installed any gui via podman. Not sure when it applies.
- If an app has bugs via flatpak, then don’t use the flatpak. Maybe it’ll be resolved in a year and then switch.
- Edit: removed snap from list

