----- Original Message ----- <snip> > > - make it possible to create Flatpaks quicker for some more complicated > > apps > > That just requires shipping the tools for third parties to use, not using > them to deliver software packaged by Fedora. The tooling is koji and bohdi. Shipping them isn't enough, hosting them is necessary as well. > > - developers not having to learn GPG to sign their releases > > That is a very weak argument. It is very straightforward to set up an RPM > signing key, not any harder than writing a specfile. And then you just run > rpmsign --addsign to sign the RPMs. > > And in the end, you are just saying that Flatpak does away with a critical > security feature. Relying exclusively on the sandboxing for security is a > very bad idea. Sandbox evasion exploits exist. "developers not having to learn GPG to sign their *Flatpak* releases" I really don't understand how you misinterpreted that sentence so badly, individual Fedora developers never had to GPG sign their Fedora packages... > > - more efficient update tracking than RPM (eg. no need to download 20 megs > > of metadata to know there's nothing to update) > > But less efficient updating, because you will need to download much more > than 20 megs of bundled libraries. You download deltas, so the downloading is unlikely to be any worse than downloading packaged updates. It also means I can update individual apps without guesswork. > The only reason the metadata is smaller > is because there is almost no dependency information encoded (only a single > dependency on a runtime). But those dependencies are what makes installing > and updating packages so efficient! Flatpak throws away the main competitive > advantage of GNU/Linux! It's not efficient if I need to download 20 megs of data to see that I have nothing to update. I really don't see why dependencies make installing and updating packages "so efficient". > And it is actually possible to solve the metadata size issue, see the work > on metadata deltas. (There was at least one talk at DevConf on this.) Right. It's just not done yet. I started replying from the bottom of the mail, but I stopped midway. The number of unsubstantiated claims got the better of me. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
