On 29/06/2021 22:25, Ben Cotton wrote:
> Enabling third-party repositories will now create a Flathub remote that is a filtered view of Flathub.
I don't trust Flathub at all, because they don't want to register a non-profit organization. They can easily sell their business like FreeNode did recently.
Flathub relies on upstreams, not professional maintainers. Most upstream developers don't know how to package software properly. They bundle lots of libraries, don't use C/C++ build hardening flags, etc.
A lot of applications from Flathub use --filesystem=host or --filesystem=home, which means they don't use Flatpak isolation at all.
Due to the bundling of a large number of libraries, some applications have critical vulnerabilities with assigned CVE numbers: CVE-2020-12284, CVE-2019-17498, CVE-2018-11235, CVE-2018-17456, CVE-2017-9780.
> Roughly speaking, the criteria for including software is a) will not cause legal or other problems for Fedora to point to b) does not overlap Fedora Flatpaks or software in Fedora that could easily be made into a Flatpak c) works reasonably well.
Should also be added: d) doesn't exist in Fedora RPM repositories.
> Fedora users who opt-in to third-party software repositories will have immediate access to more software out-of-the-box.
Fedora Silverblue must have its own Flatpaks and not rely on third-party repositories.
-- 
Sincerely,
Vitaly Zaitsev (vitaly@xxxxxxxxxxxxxx)
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
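The --filesystem=host / --filesystem=home point above is something a user can check for themselves: every installed Flatpak ships an INI-style metadata file whose [Context] section lists the filesystem grants (filesystems=host;xdg-download;...). The script below is an added example, not code from this thread, from Fedora, or from Flathub. It parses that metadata with awk, flags apps that get host-wide or whole-home access (with or without a :ro/:rw/:create suffix, and ignoring "!"-negated entries), and the two sample metadata files and app IDs are constructed for the example. The audit_installed helper assumes a system where `flatpak list --columns=application` and `flatpak info --show-metadata` are available.

```shell
#!/bin/sh
# Added example (not from the post, Fedora or Flathub): flag Flatpaks whose
# [Context] filesystems= grant negates the sandbox for files.

# Read one Flatpak metadata file on stdin; print "<app-id> broad|scoped".
# "broad" = host, host-os or home access (any :ro/:rw/:create suffix);
# a leading "!" is a negation (a removed grant), so it never counts.
audit_metadata() {
    awk '
        /^\[/ { section = $0; next }
        section == "[Application]" && /^name=/ { app = substr($0, 6) }
        section == "[Context]" && /^filesystems=/ {
            n = split(substr($0, 13), fs, ";")
            for (i = 1; i <= n; i++) {
                f = fs[i]
                if (f == "" || f ~ /^!/) continue      # empty or negated entry
                sub(/:(ro|rw|create)$/, "", f)           # strip access-mode suffix
                if (f == "host" || f == "host-os" || f == "home") broad = 1
            }
        }
        END { printf "%s %s\n", app, (broad ? "broad" : "scoped") }
    '
}

# Real-system wrapper (assumes the flatpak CLI is installed): audit every
# installed application by feeding its metadata file to audit_metadata.
audit_installed() {
    flatpak list --app --columns=application | while read -r app; do
        flatpak info --show-metadata "$app" | audit_metadata
    done
}

# Constructed sample: an app that asks for the whole host filesystem but
# carves out one file with a negated entry. Still "broad".
sample_broad() {
cat <<'EOF'
[Application]
name=org.example.HostApp
runtime=org.freedesktop.Platform/x86_64/22.08
command=hostapp

[Context]
shared=ipc;network;
sockets=x11;wayland;pulseaudio;
filesystems=host;!xdg-config/kwalletrc;
EOF
}

# Constructed sample: only portal-sized grants (a download dir, one config dir).
sample_scoped() {
cat <<'EOF'
[Application]
name=org.example.ScopedApp
runtime=org.freedesktop.Platform/x86_64/22.08
command=scopedapp

[Context]
shared=network;
sockets=wayland;
filesystems=xdg-download;xdg-config/fontconfig:ro;
EOF
}

sample_broad | audit_metadata    # prints: org.example.HostApp broad
sample_scoped | audit_metadata   # prints: org.example.ScopedApp scoped
```

Running audit_installed on a real desktop and grepping for "broad" gives the list of apps for which Flatpak's filesystem sandboxing is effectively off; `flatpak override --user --nofilesystem=host <app>` tightens an individual app, at the cost of whatever the app did with that access.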