Re: F35 Change: Filtered Flathub Applications (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Jun 30, 2021 at 6:42 AM Vitaly Zaitsev via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 29/06/2021 22:25, Ben Cotton wrote:
> > Enabling third-party repositories will now create a Flathub remote
> > that is a filtered view of Flathub.
>
> I don't trust Flathub at all, because they don't want to register a
> non-profit organization. They can easily sell their business like
> FreeNode did recently.

Setting up an independent non-profit, and maintaining it's non-profit
status is a quite involved activity. (details depend on the country,
of course!)

Flathub's non-donated hardware resources are owned by the GNOME
Foundation (a registered non-profit) and the GNOME Foundation also
owns the Flathub trademark (See:
https://foundation.gnome.org/logo-and-trademarks/). Hopefully this
provides some assurance that Flathub won't suddenly start doing
something entirely different.

If we lost trust in Flathub, Fedora would also have the ability to
update the filter to have *no* applications in it.

> Flathub relies on upstreams, not professional maintainers. Most of
> upstream developers don't know how to package software properly. They
> bundle lots of libraries, don't use C/C++ build hardening flags, etc.

Flathub is a packaging community, like Fedora. Being a professional is
definitely not a criteria for contributing to Fedora. :-)

> A lot of applications from Flathub uses --filesystem=host or
> --filesystem=home, which means they don't use Flatpak isolation at all.

This is something that definitely can be and will be examined when
reviewing applications for inclusion in the Fedora filter.
Unfortunately, a lot of interesting software can't be completely
sandboxed - because it, say, uses X11 rather than Wayland. But where
thing *can* be sandboxed they should be sandboxed.

> Due to the bundling of a large number of libraries, some applications
> have critical vulnerabilities with assigned CVE numbers: CVE-2020-12284,
> CVE-2019-17498, CVE-2018-11235, CVE-2018-17456, CVE-2017-9780.

There are definitely improvements that could be made to CVE response
policies in Flathub, and I know automated scanning was being worked
on. If we were activitely looking to delegate software that is
packaged in Fedora to Flathub, I think we'd need to have a very high
bar here. But as a source of *additional* software, I think the
standard should be comparison to wherever the Fedora user would get
the software from otherwise. When this is scheduled for FESCO
discussion, I'll try to see if we can get some Flathub maintainers to
attend in case people have questions in this area (or other areas).

> > Roughly speaking, the criteria for including software is a) will not
> > cause legal or other problems for Fedora to point to b) does not
> > overlap Fedora Flatpaks or software in Fedora that could easily be
> > made into a Flatpak c) works reasonably well.
>
> Should be added also:
>
> d) doesn't exists in Fedora RPM repositories.

The text you qouoted said "or software in Fedora that could easily be
made into a Flatpak" - I left some wiggle room there, but certainly if
we were including anything that overlapped Fedora RPMs, one of two
things would need to be true:

 * Installation from Flathub would need to be prioritized after
installation from Fedora RPMs
 * Fedora Silverblue would need it's own filter list with additional
applications

In the immediate future, our plan is to avoid any such overlap.

> > Fedora users who opt-in to third-party software repositories will have
> > immediate access to more software out-of-the-box.
>
> Fedora Silverblue must have its own Flatpaks and do not rely on third-party repositories.

This is not about replacing software that is included in Fedora. It's
about providing access to software *not* included in Fedora.

Thanks for the feedback!
Owen


- Owen
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux