Dne 26. 01. 23 v 14:55 Jiri Eischmann napsal(a):
Robert Marcano via devel píše v Čt 26. 01. 2023 v 09:00 -0400:On 1/26/23 8:42 AM, Jiri Eischmann wrote:Vít Ondruch píše v St 25. 01. 2023 v 18:01 +0100:Dne 25. 01. 23 v 15:59 Josh Boyer napsal(a):On Wed, Jan 25, 2023 at 5:56 AM Vít Ondruch <vondruch@xxxxxxxxxx> wrote:I am not user of Bottles so I won't complain about this particular case, but the push towards (upstream) Flatpaks is unfortunate :/Can you elaborate on why you feel that way?I don't trust upstream Flatpacks. I don't trust they follow any standard except standard of their authors.I maintain both packages in Fedora and flatpaks on Flathub, so I can compare. The review to get an app to Flathub was as thorough as Fedora package review. In some ways even stricter. It's not like "it builds, it runs, you're good to go". They care about some standards, about builds being verifiable etc.That doesn't seems to be enforced because many builds scripts just download binaries built by other projects, for example; https://github.com/flathub/org.gnome.gitlab.somas.Apostrophe/blob/master/org.gnome.gitlab.somas.Apostrophe.json#L89 Note: building the entire pandoc and TeX toolchain is very hard and I understand this example packager decision, but It doesn't make more trustful that version that one on Fedora.
Yes, this is good example. I cannot imagine anybody would do the reviews for the 3rd party libraries. That is the main difference to Fedora, because there are no 3rd party libraries there.
Flathub is definitely more flexible at that. I was involved in the deal with Mozilla which was not willing to do special builds in Flathub infra since from their point of view it was more secure to use builds done in their infra and just upload them to Flathub. We still found having official builds from Mozilla and Mozilla officially endorsing Flathub more beneficial than having Firefox rebuilt by a 3rd party in Flathub infra. But Flathub is still a curated repo. If you want to deviate from standards you have to justify it, if you're doing something fishy your flatpak may be taken out. But ultimetaly you have to trust the author, but that applies to Fedora, too, just to lesser extend.
I trust authors of the SW, but I don't trust in their trust to the libraries they bundle in the Flatpak.
Vít
Jiri _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue