On Wed, Jun 30, 2021 at 6:42 AM Vitaly Zaitsev via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > > On 29/06/2021 22:25, Ben Cotton wrote: > > Enabling third-party repositories will now create a Flathub remote > > that is a filtered view of Flathub. > > I don't trust Flathub at all, because they don't want to register a > non-profit organization. They can easily sell their business like > FreeNode did recently. Setting up an independent non-profit, and maintaining it's non-profit status is a quite involved activity. (details depend on the country, of course!) Flathub's non-donated hardware resources are owned by the GNOME Foundation (a registered non-profit) and the GNOME Foundation also owns the Flathub trademark (See: https://foundation.gnome.org/logo-and-trademarks/). Hopefully this provides some assurance that Flathub won't suddenly start doing something entirely different. If we lost trust in Flathub, Fedora would also have the ability to update the filter to have *no* applications in it. > Flathub relies on upstreams, not professional maintainers. Most of > upstream developers don't know how to package software properly. They > bundle lots of libraries, don't use C/C++ build hardening flags, etc. Flathub is a packaging community, like Fedora. Being a professional is definitely not a criteria for contributing to Fedora. :-) > A lot of applications from Flathub uses --filesystem=host or > --filesystem=home, which means they don't use Flatpak isolation at all. This is something that definitely can be and will be examined when reviewing applications for inclusion in the Fedora filter. Unfortunately, a lot of interesting software can't be completely sandboxed - because it, say, uses X11 rather than Wayland. But where thing *can* be sandboxed they should be sandboxed. > Due to the bundling of a large number of libraries, some applications > have critical vulnerabilities with assigned CVE numbers: CVE-2020-12284, > CVE-2019-17498, CVE-2018-11235, CVE-2018-17456, CVE-2017-9780. There are definitely improvements that could be made to CVE response policies in Flathub, and I know automated scanning was being worked on. If we were activitely looking to delegate software that is packaged in Fedora to Flathub, I think we'd need to have a very high bar here. But as a source of *additional* software, I think the standard should be comparison to wherever the Fedora user would get the software from otherwise. When this is scheduled for FESCO discussion, I'll try to see if we can get some Flathub maintainers to attend in case people have questions in this area (or other areas). > > Roughly speaking, the criteria for including software is a) will not > > cause legal or other problems for Fedora to point to b) does not > > overlap Fedora Flatpaks or software in Fedora that could easily be > > made into a Flatpak c) works reasonably well. > > Should be added also: > > d) doesn't exists in Fedora RPM repositories. The text you qouoted said "or software in Fedora that could easily be made into a Flatpak" - I left some wiggle room there, but certainly if we were including anything that overlapped Fedora RPMs, one of two things would need to be true: * Installation from Flathub would need to be prioritized after installation from Fedora RPMs * Fedora Silverblue would need it's own filter list with additional applications In the immediate future, our plan is to avoid any such overlap. > > Fedora users who opt-in to third-party software repositories will have > > immediate access to more software out-of-the-box. > > Fedora Silverblue must have its own Flatpaks and do not rely on third-party repositories. This is not about replacing software that is included in Fedora. It's about providing access to software *not* included in Fedora. Thanks for the feedback! Owen - Owen _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure