On 26 Jan 2023 at 16:07, Jiri Eischmann wrote:
> Vít Ondruch wrote on Thu, 26 Jan 2023 at 15:37 +0100:
>> On 26 Jan 2023 at 14:55, Jiri Eischmann wrote:
>>> Robert Marcano via devel wrote on Thu, 26 Jan 2023 at 09:00 -0400:
>>>> On 1/26/23 8:42 AM, Jiri Eischmann wrote:
>>>>> Vít Ondruch wrote on Wed, 25 Jan 2023 at 18:01 +0100:
>>>>>> On 25 Jan 2023 at 15:59, Josh Boyer wrote:
>>>>>>> On Wed, Jan 25, 2023 at 5:56 AM Vít Ondruch <vondruch@xxxxxxxxxx> wrote:
>>>>>>>> I am not a user of Bottles so I won't complain about this particular case, but the push towards (upstream) Flatpaks is unfortunate :/
>>>>>>>
>>>>>>> Can you elaborate on why you feel that way?
>>>>>>
>>>>>> BTW, does the Flathub version support all the platforms Fedora does? Cannot tell from the Flathub pages :/
>>>>>>
>>>>>> I don't trust upstream Flatpaks. I don't trust that they follow any standard except the standard of their authors.
>>>>>
>>>>> I maintain both packages in Fedora and flatpaks on Flathub, so I can compare. The review to get an app onto Flathub was as thorough as a Fedora package review. In some ways even stricter. It's not like "it builds, it runs, you're good to go". They care about some standards, about builds being verifiable etc.
>>>>
>>>> That doesn't seem to be enforced, because many build scripts just download binaries built by other projects, for example: https://github.com/flathub/org.gnome.gitlab.somas.Apostrophe/blob/master/org.gnome.gitlab.somas.Apostrophe.json#L89
>>>>
>>>> Note: building the entire pandoc and TeX toolchain is very hard and I understand this example packager's decision, but it doesn't make that version more trustworthy than the one on Fedora.
>>
>> Yes, this is a good example. I cannot imagine anybody would do the reviews for the 3rd party libraries. That is the main difference to Fedora, because there are no 3rd party libraries there.
>
> But let's not pretend it doesn't happen in Fedora at all.

Yes, of course you are right. But the mindset is what matters to me. We try to do our best to avoid vendoring and 3rd party libraries. We do our best to use a single copy of a library which is properly maintained.

>> Flatpaks on Flathub are the antithesis of what Fedora does in this regard.
>
> Yes, unlike on Flathub, guidelines rule it out, but in reality I've seen quite a few packages with (unacknowledged) bundled libraries in Fedora repos. The package goes through the initial review, a new version introduces a new dependency which is not available in the Fedora repo, you don't want to go through the hassle of introducing and maintaining a new package, you quietly bundle it. No source is pristine. It's always a compromise. Flathub is more flexible in what you can include in the flatpak

This is mostly just flexibility for upstream.

> , but Flatpak mitigates it by isolation (although it may not be set strict enough for some apps).

Isolation is not a silver bullet. E.g. if a Flatpak included a vulnerable OpenSSL, or an OpenSSL which does not obey the system crypto policies, this would be asking for trouble. What does Flathub do for identifying such SW? I don't think it can do much, but I might be wrong.

Vít

> Jiri

_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
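The kind of check the thread is asking about, as an added example and not code from Fedora, Flathub or anyone in this thread: a small scanner over a Flatpak manifest that flags sources downloaded without a checksum, git sources not pinned to a commit, archives whose file name looks like a pre-built binary (the pandoc case above), and modules that bundle a crypto/TLS library (the OpenSSL case above). The sample manifest, its URLs and its checksum values are constructed for the example; the file-name heuristic for pre-built binaries and the list of crypto library names are assumptions of this example, not Flathub rules.

```python
"""Scan a Flatpak manifest for bundled dependencies that undercut verifiability."""
import json
import re
from urllib.parse import urlparse

# Constructed sample manifest in the shape of a Flatpak JSON manifest
# (top-level "modules", each with "sources"). Names, URLs and the checksum
# values are made up for this example; nothing here is a real manifest.
SAMPLE_MANIFEST = json.dumps({
    "app-id": "org.example.Editor",
    "runtime": "org.gnome.Platform",
    "runtime-version": "43",
    "modules": [
        {"name": "openssl", "buildsystem": "simple",
         "sources": [{"type": "archive",
                      "url": "https://example.invalid/openssl-1.1.1q.tar.gz",
                      "sha256": "a" * 64}]},
        {"name": "pandoc", "buildsystem": "simple",
         "sources": [{"type": "archive",
                      "url": "https://example.invalid/pandoc-2.19.2-linux-amd64.tar.gz",
                      "sha256": "b" * 64}]},
        {"name": "helper-lib",
         "sources": [{"type": "git",
                      "url": "https://example.invalid/helper-lib.git",
                      "branch": "main"}]},
        {"name": "editor",
         "sources": [{"type": "archive",
                      "url": "https://example.invalid/editor-1.0.tar.xz"}]},
        "shared-modules/libfoo/libfoo.json",
    ],
})

# Assumed list: libraries whose bundled copies sit outside the distro's
# update stream and crypto-policy handling, so they deserve explicit tracking.
CRYPTO_LIBS = re.compile(
    r"\b(openssl|libressl|boringssl|gnutls|mbedtls|wolfssl|nss|libgcrypt|nettle)\b", re.I)
# Assumed heuristic: a platform/arch tag in the file name, or a packaged-binary
# extension, usually means a pre-built download rather than source.
PREBUILT = re.compile(
    r"(?:linux|x86_64|amd64|aarch64|arm64|i686)[-_.]|\.(?:AppImage|deb|rpm|jar)$", re.I)
VERSION = re.compile(r"\d+(?:\.\d+)+[a-z]?")


def _filename(url):
    return urlparse(url).path.rsplit("/", 1)[-1]


def scan_manifest(text):
    """Return a list of findings, each a dict with "module", "check", "detail"."""
    manifest = json.loads(text)
    findings = []
    for module in manifest.get("modules", []):
        if isinstance(module, str):
            # A module entry may be a path to another manifest file.
            findings.append({"module": module, "check": "external-module",
                             "detail": "defined in a separate file; scan it as well"})
            continue
        name = module.get("name", "?")
        seen_crypto = False
        for src in module.get("sources", []):
            kind = src.get("type")
            fname = _filename(src.get("url", ""))
            if kind in ("archive", "file"):
                if "sha256" not in src and "sha512" not in src:
                    findings.append({"module": name, "check": "no-checksum",
                                     "detail": f"{fname}: download is not pinned to a hash"})
                if PREBUILT.search(fname):
                    findings.append({"module": name, "check": "prebuilt-binary",
                                     "detail": f"{fname}: looks pre-built, not built from source"})
            elif kind == "git" and "commit" not in src:
                findings.append({"module": name, "check": "unpinned-git",
                                 "detail": "git source without a commit; a branch or tag can move"})
            if not seen_crypto and (CRYPTO_LIBS.search(name) or CRYPTO_LIBS.search(fname)):
                seen_crypto = True
                ver = VERSION.search(fname)
                findings.append({"module": name, "check": "vendored-crypto",
                                 "detail": "bundles a crypto/TLS library"
                                           f" (version {ver.group() if ver else 'unknown'});"
                                           " track its CVEs and crypto-policy behaviour separately"})
    return findings


if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_MANIFEST):
        print(f"[{f['check']}] {f['module']}: {f['detail']}")
```

The scanner is deliberately shallow: it only reads the manifest, so it answers "what did the packager pull in" rather than "is that copy vulnerable". Matching the reported version of a vendored library against its advisories, and checking whether the bundled copy honours the host crypto policy at all, is the part that still has to be done by hand or by a separate tool.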