The Shifting Landscape of Software Delivery and Vulnerability Tracking

// Sorry, I used Gemini to write this text because of my poor English skills.

I wanted to share some thoughts on the rapidly changing world of software delivery and its impact on vulnerability tracking in Linux.

We’re clearly seeing a move beyond just traditional OS packages. For instance, recent Red Hat Enterprise Linux 10 documentation suggests they’ll be promoting Flatpak. Similarly, Ubuntu has long championed Snap packages, with Canonical even offering long-term support for some Snap-delivered software like Canonical Kubernetes.

While these new formats offer advantages, they also bring complexities. My main concern right now is the clarity of vendor support for software delivered this way. It’s not always clear how much Red Hat will maintain Flatpak apps, or where to find detailed support info and track vulnerability discrepancies for Snaps.

This is a tough spot for vulnerability scanners too. Even as tools like Syft are trying to adapt, many scanners struggle to even detect these new package types. And when they do, figuring out if specific vulnerability backports exist within them is a real challenge.

It feels like relying solely on OS-level package tracking (RPM, DEB) for vulnerability management is quickly becoming outdated. Our traditional methods just aren’t cutting it anymore with this fragmented software delivery.

I’m interested to hear what you foresee for future software installation trends and how end-users might adjust their vulnerability tracking strategies to stay secure in this increasingly diverse environment.