Please remember that Flathub remains disabled by default even if this
change proposal is fully implemented. It's gated behind the "enable
third-party software?" switch. So if you only want free software from
Fedora, you'll just leave that switch off and never see anything from
Flathub. (In fact, enabling it by default would actually be prohibited
by previous FESCo and Fedora Council decisions.) But users who do
choose enable third-party software really want to see Flathub
unfiltered, not our confusing and annoying limited view of Flathub.
On Thu, Jun 30 2022 at 11:18:04 AM +0200, Kevin Kofler via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Users of RPM-based variants will expect the default package manager to
install RPMs, not Flatpaks, or they would have chosen a Flatpak-based
variant.
Any such expectations are misplaced. The people working on Silverblue
do not feel that it is ready to become Fedora Workstation yet, but
Flatpaks are certainly ready and there's no need to wait. Various
discussions about using more flatpaks:
https://pagure.io/fedora-workstation/issue/151 (resolved long ago)
https://pagure.io/fedora-workstation/issue/269 (next up)
https://pagure.io/fedora-workstation/issue/300 (this change proposal)
I take a pretty dim view towards arguments about "Flathub is untrusted"
and "Flathub packaging is poor" since proponents of these arguments
conveniently ignore the fact that traditional RPMs are totally
unsandboxed. One memory safety bug and your PDF reader, video player,
or other native app has full control of your user account and can do
whatever it wants with all your files. And Linux apps have *lots* of
memory safety bugs. With the exception of web browsers (all of which
have strong sandboxes), few other apps are even trying to sandbox
themselves. I'm not too interested in rehashing the same old arguments
about this because it has all been well-known and said many, many, many
times before. (Yes, system libraries are generally safer than bundled
libraries. No, this is not anywhere near as important as having a
strong sandbox. Yes, many apps on Flathub sabotage the sandboxing to
the point where it is meaningless, and yes that should be discouraged
harder somehow.)
Opponents of Flatpak have had seven years since Flatpak launched to
figure out an alternative model to make apps safe using firejail or
bwrap or whatever, but nobody ever seriously did, and at this point the
endgame has arrived with a *commanding* lead in favor of Flatpak. So
it's time to move on.
Having third-party Flatpaks take precedence over Fedora RPMs that
nobody has bothered to Flatpak is a very intentional choice to improve
user safety (again, only if users opt-in to third-party software). But
you can ensure the Fedora version of an app takes precedence by
creating a Fedora Flatpak for it. And users ultimately have full
control over which source they use to install.
Regardless, Fedora will still be RPM-based no matter what. ;) Even if
our future is OS images composed of RPMs plus Flatpaks composed by
RPMs, it's still based on RPMs. (Of course stuff from Flathub is not
based on RPMs, but we wouldn't expect third-party stuff to be.)
Michael
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
