Re: F27 System Wide Change: Graphical Applications as Flatpaks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2017-07-20 at 11:13 -0700, Japheth Cleaver wrote:
> On 7/19/2017 8:05 AM, Owen Taylor wrote:
> > On Wed, 2017-07-19 at 12:56 +0200, Dominik 'Rathann' Mierzejewski
> > wrote:
> > > [...]
> > Bundling enables some of the key features of Flatpak - the ability to
> > try out new versions of an application even if they require library
> > versions newer than what you have on your system, the ability to have a
> > single binary package that can be installed on different Linux
> > distributions, the assurance that installing an application will never
> > prevent you from upgrading your operating system due to missing
> > dependencies, and so forth.
> > 
> > And yes, there are downsides from bundling. But we're trying to address
> > those downsides as much as possible. Some of that is in the Flatpak
> > system:
> > [...]
> > And some of that is going to be in how we generate Flatpaks from Fedora
> > content:
> > [...]
> > 
> Isn't one of the selling points for this, however, the use of Flatpacks 
> written/produced by generic third party app vendors to publish without 
> specially constructed packages by Fedora participants? If that's the 
> case, what's to say that any upstream Flatpack/container/image will have 
> the same care of using runtime definitions or expectations as the ones 
> curated by the Workstation WG (or Freedesktop group, or whomever)? Why 
> couldn't a third-party app creator bundle libz on a regular basis 
> "because it's easier"?

The main point I'll make here is that the thread is discussing my change
proposal to generate flatpaks out of Fedora content, and so the main
question is whether those flatpaks are going to handle bundled dependencies
in a sane way. Not about all possible flatpaks.

(Note that the ability to install third party flatpaks is not listed as
a benefit of my change proposal... and we already have that in F25/F26
in any case.)

> Of course, one could do that in an RPM too, but then it would be berated 
> as a "badly constructed RPM". It seems like one of the point of 
> Flatpacks is to reach out to app developers who can't be bothered to 
> write a decent .spec file but whose apps we still want to have easily 
> installable by Fedora users.

While there are strong barriers in place to make sure that the RPMs that
are *part* of Fedora are high quality, we don't have any barriers in place
to make sure that an RPM a user installs from a third party is high quality -
if a users install the Google Chrome, or Adobe Flash, or Skype, or whatever RPM
it probably doesn't meet your requirements for a high-quality RPM.

It's not really any different with Flatpaks, other than that we have some
extra protections that aren't there with RPMs:
 
 - A flatpak can't make arbitrary modifications to your system at
   install time.
 - libraries installed in a flatpak cannot affect any other application
 - flatpaks are potentially sandboxed at runtime
 - The source repository when you install a flatpak only is used to
   update that flatpak and does not participate in general package
   resolution.

So the potential damage from a bad flatpak is more limited.

Owen
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux