Re: Retiring Bottles in favor of Flatpak provided by upstream

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Dne 26. 01. 23 v 14:55 Jiri Eischmann napsal(a):
Robert Marcano via devel píše v Čt 26. 01. 2023 v 09:00 -0400:
On 1/26/23 8:42 AM, Jiri Eischmann wrote:
Vít Ondruch píše v St 25. 01. 2023 v 18:01 +0100:
Dne 25. 01. 23 v 15:59 Josh Boyer napsal(a):
On Wed, Jan 25, 2023 at 5:56 AM Vít Ondruch
<vondruch@xxxxxxxxxx>
wrote:
I am not user of Bottles so I won't complain about this
particular case,
but the push towards (upstream) Flatpaks is unfortunate :/
Can you elaborate on why you feel that way?

I don't trust upstream Flatpacks. I don't trust they follow any
standard
except standard of their authors.
I maintain both packages in Fedora and flatpaks on Flathub, so I
can
compare. The review to get an app to Flathub was as thorough as
Fedora
package review. In some ways even stricter. It's not like "it
builds,
it runs, you're good to go". They care about some standards, about
builds being verifiable etc.
That doesn't seems to be enforced because many builds scripts just
download binaries built by other projects, for example;

https://github.com/flathub/org.gnome.gitlab.somas.Apostrophe/blob/master/org.gnome.gitlab.somas.Apostrophe.json#L89

Note: building the entire pandoc and TeX toolchain is very hard and I
understand this example packager decision, but It doesn't make more
trustful that version that one on Fedora.


Yes, this is good example. I cannot imagine anybody would do the reviews for the 3rd party libraries. That is the main difference to Fedora, because there are no 3rd party libraries there.


Flathub is definitely more flexible at that. I was involved in the deal
with Mozilla which was not willing to do special builds in Flathub
infra since from their point of view it was more secure to use builds
done in their infra and just upload them to Flathub. We still found
having official builds from Mozilla and Mozilla officially endorsing
Flathub more beneficial than having Firefox rebuilt by a 3rd party in
Flathub infra.

But Flathub is still a curated repo. If you want to deviate from
standards you have to justify it, if you're doing something fishy your
flatpak may be taken out. But ultimetaly you have to trust the author,
but that applies to Fedora, too, just to lesser extend.


I trust authors of the SW, but I don't trust in their trust to the libraries they bundle in the Flatpak.


Vít



Jiri
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux