Vít Ondruch píše v Čt 26. 01. 2023 v 15:37 +0100: > > Dne 26. 01. 23 v 14:55 Jiri Eischmann napsal(a): > > Robert Marcano via devel píše v Čt 26. 01. 2023 v 09:00 -0400: > > > On 1/26/23 8:42 AM, Jiri Eischmann wrote: > > > > Vít Ondruch píše v St 25. 01. 2023 v 18:01 +0100: > > > > > Dne 25. 01. 23 v 15:59 Josh Boyer napsal(a): > > > > > > On Wed, Jan 25, 2023 at 5:56 AM Vít Ondruch > > > > > > <vondruch@xxxxxxxxxx> > > > > > > wrote: > > > > > > > I am not user of Bottles so I won't complain about this > > > > > > > particular case, > > > > > > > but the push towards (upstream) Flatpaks is unfortunate > > > > > > > :/ > > > > > > Can you elaborate on why you feel that way? > > > > > > > > > > I don't trust upstream Flatpacks. I don't trust they follow > > > > > any > > > > > standard > > > > > except standard of their authors. > > > > I maintain both packages in Fedora and flatpaks on Flathub, so > > > > I > > > > can > > > > compare. The review to get an app to Flathub was as thorough as > > > > Fedora > > > > package review. In some ways even stricter. It's not like "it > > > > builds, > > > > it runs, you're good to go". They care about some standards, > > > > about > > > > builds being verifiable etc. > > > That doesn't seems to be enforced because many builds scripts > > > just > > > download binaries built by other projects, for example; > > > > > > https://github.com/flathub/org.gnome.gitlab.somas.Apostrophe/blob/master/org.gnome.gitlab.somas.Apostrophe.json#L89 > > > > > > Note: building the entire pandoc and TeX toolchain is very hard > > > and I > > > understand this example packager decision, but It doesn't make > > > more > > > trustful that version that one on Fedora. > > > Yes, this is good example. I cannot imagine anybody would do the > reviews > for the 3rd party libraries. That is the main difference to Fedora, > because there are no 3rd party libraries there. But let's not pretend it doesn't happen in Fedora at all. Yes, unlike on Flathub guidelines rule it out, but in the reality I've seen quite a few packages with (unacknowledged) bundled libraries in Fedora repos. The package goes through the initial review, a new version introduces a new dependency which is not available in the Fedora repo, you don't want to go through the hassle of introducing and maintaining a new package, you quietly bundle it. No source is pristine. It's always a compromise. Flathub is more flexible in what you can include in the flatpak, but Flatpak mitigates it by isolation (although it may not be set strict enough for some apps). Jiri > _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
