
Flatpak Doesn't Work in Ubuntu 25.10, But a Fix is Coming (phoronix.com) 74
"It's not just you: Flatpak flat-out doesn't work in the new Ubuntu 25.10 release," writes the blog OMG Ubuntu:
While Flatpak itself can be installed using apt, trying to install Flatpaks with Flatpak from the command-line throws a "could not unmount revokefs-fuse filesystem" error, followed by "Child process exited with code 1". For those who've installed the Ubuntu 'Questing Quokka' and wanted to kit it out with their favourite software from Flathub, it's a frustrating road bump.
AppArmor, the tool that enforces Ubuntu's security policies for apps, is causing the issue. According to the bug report on Launchpad, the AppArmor profile for fusermount3 lacks the privileges it needs to work properly in Ubuntu 25.10. Fusermount3 is a tool Flatpak relies on to mount and unmount filesystems... This is a bug and it is being worked on. Although there's no timeframe for a fix, it is marked as critical, so will be prioritised.
The bug was reported in early September, but not fixed in time for this week's Ubuntu 25.10 release, reports Phoronix: Only [Friday] an updated AppArmor was pushed to the "questing-proposed" archive for testing. Since then... a number of users have reported that the updated AppArmor from the proposed archive will fix the Flatpak issues being observed. From all the reports so far it looks like that proposed update is in good shape for restoring Flatpak support on Ubuntu 25.10. The Ubuntu team is considering pushing out this update sooner than the typical seven day testing period given the severity of the issue.
More details from WebProNews: Industry insiders point out that AppArmor, Ubuntu's mandatory access control system, was tightened in this release to enhance security... This isn't the first time AppArmor has caused friction; similar issues plagued Telegram Flatpak apps in Ubuntu 24.04 LTS earlier this year, as noted in coverage from OMG Ubuntu.
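For readers trying to confirm that AppArmor is what blocks fusermount3 on their own machine, the denials show up in the kernel audit log. The following is an added example, not part of the story or the comments: it parses AppArmor audit lines, keeps only denials for one profile, and decodes the hex form the audit subsystem uses for names containing spaces. The log lines are constructed, and the denied operations and paths in them are assumptions, since the summary does not say which permission the profile lacks.

```python
import re
from collections import Counter

# Constructed sample of kernel audit lines (as seen via `journalctl -k`).
# Operations, paths and PIDs are illustrative assumptions, not from the bug report.
SAMPLE_LOG = '''\
Oct 11 10:02:11 host kernel: audit: type=1400 audit(1760176931.101:201): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="fusermount3" pid=812 comm="apparmor_parser"
Oct 11 10:05:40 host kernel: audit: type=1400 audit(1760177140.310:230): apparmor="DENIED" operation="umount" class="mount" profile="fusermount3" name="/var/tmp/flatpak-cache-EXAMPLE/" pid=4211 comm="fusermount3"
Oct 11 10:05:41 host kernel: audit: type=1400 audit(1760177141.002:231): apparmor="DENIED" operation="umount" class="mount" profile="fusermount3" name="/var/tmp/flatpak-cache-EXAMPLE/" pid=4215 comm="fusermount3"
Oct 11 10:06:02 host kernel: audit: type=1400 audit(1760177162.554:232): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/example" name="/etc/example.conf" pid=4300 comm="example" requested_mask="r" denied_mask="r"
Oct 11 10:07:15 host kernel: audit: type=1400 audit(1760177235.870:233): apparmor="DENIED" operation="mount" class="mount" profile="fusermount3" name=2F6D6E742F6D79206469736B pid=4402 comm="fusermount3" fstype="fuse"
'''

# key="quoted value" or key=bare_value
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Fields the audit subsystem may emit as unquoted hex when they contain
# spaces or other special characters.
_HEX_FIELDS = {"name", "comm", "srcname"}
_HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_record(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in _PAIR.findall(line):
        value = bare if bare else quoted
        if bare and key in _HEX_FIELDS and _HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields


def denials_for(log_text, profile):
    """All DENIED records attributed to the given AppArmor profile."""
    records = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("profile") == profile:
            records.append(rec)
    return records


def summarize(denials):
    """Count denials per (operation, target name) so repeats collapse."""
    return Counter((d.get("operation"), d.get("name")) for d in denials)


if __name__ == "__main__":
    for (op, name), count in summarize(denials_for(SAMPLE_LOG, "fusermount3")).items():
        print(f"{count}x {op} denied on {name}")
```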
Re: (Score:1)
Re: (Score:3)
That seems like a cop-out argument.
I could just as well ask why this thing is designed so stupidly as to have a learning curve at all.
Re: (Score:3)
How would you suggest making it so it had no learning curve? With a pretty GUI? Then you'd complain that it's Microsoft-like and unsuitable for headless servers.
Re: (Score:2)
For decades AIX has used a utility called "smit" for system configuration and maintenance. What makes this program so great is how it will show you the exact command line argument it issued.
Re: (Score:2)
Re: (Score:2)
Re: At least it's not SELinux. (Score:5, Insightful)
Re: At least it's not SELinux. (Score:3)
Re: (Score:3)
That's either a badly behaved application or a misconfigured policy. If it's a badly behaved application, maybe the best solution is to just ignore the errors. I use SELinux to prevent some badly behaved applications from doing things I don't want them doing when they have no configuration option to turn the behaviour off.
Re: At least it's not SELinux. (Score:2)
Re: (Score:2)
To do the same thing in systemd you need a service file and a timer file and I don't think I'll ever remember the format of those without using a reference.
You won't remember the format of something you don't use and go out of your way not to use? I'm shocked I tell you. SHOCKED! By the way I have the same problem with cron.
But really the fundamental problem is you, that person who thinks that just because systemd is part of your system that you can't install crond. Do you even Linux bro? I mean we're not even talking about systemd and you're having a meltdown.
Re: (Score:2)
Re: (Score:3)
Re: At least it's not SELinux. (Score:1)
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
I still don't understand the point of KDE wallet. I'm logged into my machine with a password and now it wants another password when I run a web browser? I just delete the dumb fucking binary. Trying to uninstall will result in complaints and broken packages.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It's an incredibly poorly designed and unintuitive system, has poor tooling and an archaic templating system at best.
It feels like it was designed by a single engineer in some backroom who has absolutely no concept of how you should design something that is used by a large base of users.
And the fact that "Well, if you don't know how to make templates for SELinux, then you are lazy and incompetent and you shouldn't be able to use that external USB device as it requires additional configuration to use!" is ex
SELinux causes me no issues (Score:1)
I run all my Internet-facing Linux servers with SELinux in enforcing mode, and it works fine. Even after major distro upgrades, it's usually just a matter of just installing the already-compiled policy modules for the machine and it's ready to go.
Re: (Score:2)
The problem with SELinux is that it interferes with Userspace first-party applications in a way that is completely enigmatic to the end-user...even someone who wants to try out the new advertised feature that Gnome/KDE released. Case in point : GNOME Remote Desktop [fedoraproject.org]
Re: At least it's not SELinux. (Score:1)
What is this RevokeFS filesystem ? (Score:1)
What is this RevokeFS filesystem? Does anyone have any idea, because I can't find anything on the net (except this exact error)
SquashFS, OverlayFS, ResilientFS I can understand, but RevokeFS? Maybe some new/re-branded journalling thing?
Re:What is this RevokeFS filesystem ? (Score:5, Informative)
It's a user-space filesystem driver that Flatpak uses to manage temporary storage, particularly during package installation and updates. As for what it does or how it works, who knows. All these application package systems are convoluted Rube Goldberg machines held together with duct tape.
Re: (Score:3)
It's part of flatpak: https://github.com/flatpak/fla... [github.com]
It seems the main functionality is to allow reading a particular directory tree, and that for all write activity it asks a daemon if this is OK. Then presumably the daemon checks some rules or even might ask the user if it is acceptable to proceed.
Wtf? (Score:5, Interesting)
"the Rust replacements for standard gnu utilities were busted."
I had to google this - I didn't realise people were wasting time and effort in a pointless re-write of utilities that have probably been debugged better than any other code out there!
Do these Rust zealots not understand that memory leaks are only one of many potential bugs and in a fire and forget utility that may only run for literally microseconds they're borderline irrelevant compared to logic errors? And if you rewrite complicated code in another language you're going to make those sorts of mistakes.
Re: (Score:2)
Re:Wtf? (Score:5, Insightful)
"It's not about memory leaks but memory safety"
Are there many safety issues in these utilities? I presume they've done code analysis and found loads then?
"and much better maintainability than legacy GNU C code"
BS. There's nothing special about Rust wrt maintainability plus there's a FAR greater pool of C devs than Rust devs who can check any new code.
Oh, and just because code is old, debugged and works doesn't make it "legacy". No serious devs are interested in the Shiny New Thing unless it does something incredibly special and useful. I'm not seeing that here.
Re: (Score:3)
Oh, and just because code is old, debugged and works doesn't make it "legacy"
Having personally looked at the old GNU C code, it did not appear particularly difficult to maintain.
Re:Wtf? (Score:4, Informative)
Are there many safety issues in these utilities? I presume they've done code analysis and found loads then?
Not many, but there are some discovered: https://www.cve.org/CVERecord/... [cve.org] and who knows how many undiscovered. And it's not only about the existing code but also adding a new code.
BS. There's nothing special about Rust wrt maintainability plus there's a FAR greater pool of C devs than Rust devs who can check any new code.
Well, even without its built-in compile-time safety, Rust is a modern language with a lot of features missing in C (just naming a few like traits, generics, utf-8 strings, FP-style constructs, immutability, standard library, thread safety, async, etc.), and it is much more attractive for the new developers.
Re:Wtf? (Score:5, Insightful)
"And it's not only about the existing code but also adding a new code."
I doubt many command line utils will be updated anytime soon. Most of them have been a done deal for years.
"Rust is a modern language with a lot of features missing in C"
So is C++ and there are far more C++ devs than rust devs and they could have been rewritten in C++ years ago but sensible people realised that if it ain't broke don't fix it.
"just naming a few like traits, generics, utf-8 strings, FP-style constructs, immutability, standard library, thread safety, async"
Wow, cutting edge! See C++.
"is much more attractive for the new developers."
So is Python, perhaps they should be rewritten in that if popularity is a reason.
Re:Wtf? (Score:4)
I doubt many command line utils will be updated anytime soon. Most of them have been a done deal for years.
Yes and not because "they are done", but also because few people are really interested in maintaining and expanding GNU code written 30 years ago in the language which isn't appropriate anymore to write anything beyond the very low-level OS kernels.
So is C++ and there are far more C++ devs than rust devs and they could have been rewritten in C++ years ago but sensible people realised that if it ain't broke don't fix it.
Or maybe because C++ isn't fun to work with at all and it introduces no real advantages because it has the same fundamental issues as C.
Wow, cutting edge! See C++.
C++ has no traits, no thread safety, no built-in utf-8 strings, no proper macros, no immutability by default, it is still inherently unsafe even without using the raw pointers.
So is Python, perhaps they should be rewritten in that if popularity is a reason.
Why not, it will be an interesting project and I can only welcome it. I don't understand your point in complaining that some people are busy doing something that you don't like.
Re: Wtf? (Score:2)
So much of your post is just plain wrong that I really can't be bothered. Go learn modern C++ then get back to me. In the meantime I'll mentally file you in the ignorant idiot section.
Re: (Score:2)
"Yes and not because "they are done","
They are done. "ls" for example doesn't need to do anything new.
"Or maybe because C++ isn't fun to work with"
Oh I'm sorry, I didn't realise the appropriate language choice was one that was "fun". I thought we were talking about adults here, not preschoolers.
"C++ has no traits"
Wrong.
"no thread safety"
Wrong.
" no built-in utf-8 strings"
Plenty of libraries do it.
"no proper macros"
Define proper macro. C had them, C++ has them + constexpr which you've probably never heard o
Re: (Score:2)
Are there many safety issues in these utilities? I presume they've done code analysis and found loads then?
The entire world thought that about OpenSSL held up as a shining example of oh so secure open source.
Question: Were you involved in that code analysis you're talking about? To what depth was it done? How well was it resourced? Were experts involved or was this some developer grading their own homework?
The problem with open source is that everyone *THINKS* someone is doing some detailed review, and ultimately very few people are.
Re:Wtf? (Score:5, Insightful)
It's not about memory leaks but memory safety and much better maintainability than legacy GNU C code.
Most people who complain about this have never actually looked at the legacy GNU code.
Re: (Score:3)
Re: (Score:2)
AppArmor or SELinux (Score:1)
Re: (Score:3)
I'm all for pointing out the foibles of windows, but I'm afraid security and firewall rules are standard in the corporate world and have been for decades. If you think any of the corporate *nixes like Solaris or HP-UX didn't have any of this then you really need to get yourself up to speed as to how IT works in a business.
Re: AppArmor or SELinux (Score:2)
Re: (Score:2)
Oh dear. When you leave your mum's basement and go get a job in the messy real world with companies having to mitigate against idiots, lazies trying to cut corners and people with bad intentions get back to us.
Re: (Score:2)
maybe some day you'll meet an end-user... until then, have fun in your fantasy-land.
Re: (Score:3)
The trouble is, the POSIX model is broken. You need root to do all sorts of things, but once you get root, it doesn't just allow you to do the thing you need to do, it allows you to do anything. This gives bugs a lot more exploitation potential. SELinux lets you check that programs are only doing the things they're supposed to be doing, and not accessing something they shouldn't.
Re: AppArmor or SELinux (Score:2)
Re: (Score:2)
"The trouble is, the POSIX model is broken"
It's not broken, people just don't use it properly. You're supposed to use groups to give permissions for certain activities but it's too much effort so, what the hell, just use root, right?
Re: (Score:2)
You need root to change your UID. This means that any service that needs to impersonate users needs a component running as root. SELinux mitigates the impact of vulnerabilities in that component that are exposed during the time between when it starts and when it changes to the target UID.
Re: AppArmor or SELinux (Score:2)
Re: AppArmor or SELinux (Score:2)
Re: (Score:2)
That minimal part is still a major target for exploitation, and checking commands is one of the areas most prone to vulnerabilities as we've seen numerous times. Having something to mitigate vulnerabilities in that minimal part is an advantage out here in the real world.
You recommend sudo, but that's a critical component where we keep finding vulnerabilities. It's also a nightmare to configure properly without inadvertently opening holes. It's mainly used for "allow these users to get root" but even that
Re: (Score:2)
You don't need to change your UID if you can do what you need using a specific GID. Looks like you're another one who doesn't understand the purpose of groups.
Flatpak: a solution in search of a problem. (Score:2)
$ ./configure
$ make
$ make install
Re:Flatpak: a solution in search of a problem. (Score:5, Informative)
If an app isn't available locally just download the source tree and compile it yourself.
I've been compiling software for Linux since I first started running it in 1994 and it has never been more complicated than it is today. Dependency changes five levels deep or more and you get compilation errors at multiple levels. Your dismissiveness is unwarranted and makes you look ignorant.
Re: (Score:2)
Plus, you apply one update and EVERYTHING breaks, so re-building any codebase, even without any changes, is a nightmare.
Welcome to the world of "living standards".
Re:Flatpak: a solution in search of a problem. (Score:5, Insightful)
Here is where things rapidly snowball. The developer used 50 different esoteric libraries that you don't have. Those libraries have their own dependencies. Software is such a shit show that they decided it was easier to recreate the one off developer environment instead of make something truly portable.
Re: (Score:2)
Re: Flatpak: a solution in search of a problem. (Score:2)
Re: (Score:2)
$ ./configure
$ make
$ make install
This is DLL - Hell Linux style. Virtually all completely broken Linux systems I've fixed (or attempted to fix) have been the result of straying from the curated path that distribution maintainers provide.
If this shit were so easy we wouldn't need distributions. You can very rapidly break things when you need to deal with dependencies of custom compiled and self-installed packages. If this isn't you, congrats, either you're lucky, a guru, or haven't tried hard enough.
Re: (Score:2)
Flatpak is about containerizing third party applications to add a level of security that wouldn't exist otherwise. It's not just another packaging system. The thing you're quoting works for insecure applications, but in theory someone can put stuff in the code that could have access to things it shouldn't.
That said, Flatpak (and its rival Snap) are both particularly bad solutions because it appears the starting point was "How can we containerize Firefox" rather than "How can we create a framework where appl
Re: Flatpak: a solution in search of a problem. (Score:2)
And this is why Microsoft got away with Windows 11 (Score:3, Funny)
Re: (Score:2)
Because Microsoft actually uses all the telemetry to fix problems
[citation needed]
Windows 11 is causing me grief daily, and the UI is provably worse than it was in 10.
Re: And this is why Microsoft got away with Window (Score:2)
Re: (Score:2)
If I could just transform my Windoze to run as a virtual machine under Linux, my boss probably wouldn't really mind...
I don't know how hard it would be to do with your existing install, but I have Windows 11 in a QEMU/KVM VM with a virtual TPM and it works fine...
Yup. Ubuntu problems with Every. Single. Release. (Score:4, Insightful)
Meanwhile Ubuntu 22.04 and 24.04 were just dogshit. After install I spent weeks tracking down various bugs and making basic stuff on my systems work. It felt like using Linux on the desktop circa 2001 again. To say nothing about the noticeable step down in virtualization performance from version 18 to 22.
This is why I left Ubuntu. Say what one wants about Redhat and RHEL. I don't agree with all their tactics in the past or their decisions on CentOS. But from a system usability standpoint they generally don't have these issues on initial release. That's probably because they dedicate the time and resources to actually test their software!
Re: (Score:2)
Next time I "upgrade" i will also get rid of Ubuntu on all my machines (6 of them).
Have not decided which one yet, but I think I have had it with Ubuntu.
Atomic packaging systems suck (Score:4, Insightful)
With atomic packaging systems, I feel like computing is in a weird place where it has taken on all of the bad characteristics that are both a step backwards towards the days of DLL hell and a step forwards to today where there is almost no tweaking and debloat attempted by devs because powerful hardware and memory make it unnecessary in their eyes.
I don't WANT 53 copies of the same library on my system. I don't want slow startup because applications have to be unpacked before they can be used. I don't want applications that make it difficult or impossible to share data between applications. I don't want applications that don't theme properly. I don't want applications that weaponize themselves against the owner of the machine and try to dictate how the app is used like Windows apps do.
I simply do not want atomic packaging systems. I want traditionally installed apps that only put one copy of the library on my system and I want to be able to share data between apps easily and efficiently without having to install additional apps from the same package manager to be able to use them... for example for gaming, If you want to use Lutris and choose the version that comes from an atomic package manager, you also have to install a SECOND version of all your 3d libraries for your video card that are available to the atomic Lutris. Fuck that, fuck the entire idea of that type of system.
Re: (Score:2)
On one hand, I agree with you, I want everything done the old way and all my packages updated, and for all that software to still work.
On the other hand, that's not actually realistic, and a lot of people have to do a lot of hackery and patchwork in order to make it be like that.
I chose the version of Lutris that you get from their apt repo. If it installed extra 3d libraries, I didn't notice because disk space is cheap. I noticed it installed extra copies of runners available to Steam. I'm not thrilled abo
Re: (Score:2)
Things are updated every 5 minutes and we have "living standards" everywhere. It is simply not possible to have one version of a library shared by everything. Those days do not exist anymore.
Well snap does not really work either ... (Score:2)
that terrible package manager is still broken, struggles with home directories not on the root file system and sucks in many other ways.
Same with wayland: "modern" tech that is unable to do lots of things that are possible with X (related to remote desktops, running windows remotely etc).
The next update of my Ubuntu machines will actually be a replacement with some other distro that does not shove all that enshittified limited or broken stuff down their users.