On Wed, Jun 7, 2023 at 8:51 AM Stephan Bergmann <sbergman@xxxxxxxxxx> wrote: > > If you are talking about the LibreOffice upstream flatpak on Flathub > (i.e., > <https://github.com/flathub/org.libreoffice.LibreOffice/blob/06020bac005ef56305bcf5bc62ada8db2f259436/org.libreoffice.LibreOffice.json>): Yes, that is what I was referring to. > * It bundles OpenJDK 17 provided by the > org.freedesktop.Sdk.Extension.openjdk17 sdk-extension. Whenever a new > version of the LibreOffice flatpak is provided, it automatically > includes whatever latest version of that openjdk17 extension is > provided. (And the assumption is that the providers of that extension > take timely action in case of any relevant (security) issues.) Still, > if there are urgent (security) issues in the extension, we would need to > notice that and rebuild the LibreOffice flatpak accordingly. (It would > be nicer if Java was provided as an org.freedesktop.Platform extension > rather than only as an org.freedesktop.Sdk extension.) > > * It bundles gvfs (see > <https://github.com/flathub/org.libreoffice.LibreOffice/commit/800d0d553fec6bd093f813cb4aa2f10dcbe10aee> > "Re-enable GIO support") and krb5 (see > <https://github.com/flathub/org.libreoffice.LibreOffice/commit/5b49a9e3ca243910a094f9865e2cdda9e2cda098> > "Add krb5" and > <https://git.libreoffice.org/core/+/227350eb5a9881f795e9ae499c732f0148e4ac38%5E!> > "Introduce optional krb5&gssapi support for internal PostgreSQL") "on > its own": If there are any (security) issues with their upstream > sources, we need to notice that and adapt the LibreOffice flatpak > accordingly. > > * It bundles another 83 packages (from pdfium-5408.tar.bz2 to > f543e6e2d7275557a839a164941c0a86e5f2c3f2a0042bfc434c88c6dde9e140-opens___.ttf) > that are "managed" by upstream LibreOffice: These are also used for > other upstream LibreOffice builds (e.g., on macOS and Windows), and if > there are any relevant (security) issues, upstream LibreOffice takes > care of that and provides a new upstream LibreOffice version (and thus a > new LibreOffice flatpak version). > > * It includes ant as a build-time--only dependency. Thank you for the explanation, but still, I would argue that it is not the LibreOffice project's job to do those things, and I don't necessarily trust them to do this right (other people might have a different opinion here). Basically, I'm wondering how this is different from the "don't (re)package everything as RPMs if upstream already provides flatpaks! don't reinvent the wheel!" argument that's sometimes brought in favor of flatpaks. Don't flatpaks do just the same thing, just not with the applications themselves, but basically "reinventing the wheel" by bundling / shipping / maintaining all their dependencies, which are already provided by the underlying Linux distro in most cases? Fabio _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
