On 6/30/22 10:23, Michael Catanzaro wrote:
> I take a pretty dim view towards arguments about "Flathub is untrusted" and "Flathub packaging is poor" since proponents of these arguments conveniently ignore the fact that traditional RPMs are totally unsandboxed. [...]
> Opponents of Flatpak have had seven years since Flatpak launched to figure out an alternative model to make apps safe using firejail or bwrap or whatever, but nobody ever seriously did, and at this point the endgame has arrived with a *commanding* lead in favor of Flatpak. So it's time to move on.
There are two separate issues: sandboxing and library duplication/lifecycle management. I agree that sandboxing is desirable, but I don't think we should give up on the shared libraries, because of their savings of memory and storage, and because of their better security profile.
I see how RPM-driven flatpaks can actually mitigate the security issue--presumably any vulnerability fixes/updates to system libraries also end up in the rebuilt flatpaks, so they would not rot in place. Still, the library/runtime duplication bothers me and I hope that there will be some technical solution to it.