On Wednesday, 07 June 2023 at 08:51, Stephan Bergmann wrote:
> On 6/6/23 18:07, Fabio Valentini wrote:
> > In general, I do like having software available as flatpaks,
> > especially if it's not available from Fedora repositories.
> > However, there's also the question of *trust* - do I trust the
> > software source and / or the people / projects providing them?
> >
> > Let's take LibreOffice as an example, since it started this whole discussion.
> > The Fedora package appears to bundle only one "major" dependency,
> > hsqldb, and it's documented and justified why this is the case in the
> > spec file.
> >
> > On the other hand, the libreoffice flatpak bundles ~80 projects:
> > - OpenJDK 17 (huh? is there no shared JDK flatpak runtime / SDK extension?)
> > - krb5 (huh?)
> > - xmlsec
> > - boost 1.80
> > - gpgme (huh?)
> > - mariadb-connector-c
> > - openldap (huh?)
> > - poppler
> > - PostgreSQL 13.10 (huh?)
> > - and about 70 more (but with less memorable names)
> >
> > While I *do* trust the LibreOffice project (somewhat) to ship their
> > own software correctly, do I trust them regarding these ~80 bundled -
> > and partially security sensitive - libraries, as well? I'm not sure.
> > Do I trust the Fedora packages for these libraries? Probably. Many of
> > these libraries are installed by default on Fedora, and are not only
> > used by LibreOffice, so I basically placed implicit trust in these
> > when I first installed Fedora on my machine.
>
> If you are talking about the LibreOffice upstream flatpak on Flathub (i.e.,
> <https://github.com/flathub/org.libreoffice.LibreOffice/blob/06020bac005ef56305bcf5bc62ada8db2f259436/org.libreoffice.LibreOffice.json>):
>
> * It bundles OpenJDK 17 provided by the
> org.freedesktop.Sdk.Extension.openjdk17 sdk-extension. Whenever a new
> version of the LibreOffice flatpak is provided, it automatically includes
> whatever latest version of that openjdk17 extension is provided.
> (And the
> assumption is that the providers of that extension take timely action in
> case of any relevant (security) issues.) Still, if there are urgent
> (security) issues in the extension, we would need to notice that and rebuild
> the LibreOffice flatpak accordingly. (It would be nicer if Java was
> provided as an org.freedesktop.Platform extension rather than only as an
> org.freedesktop.Sdk extension.)
>
> * It bundles gvfs (see
> <https://github.com/flathub/org.libreoffice.LibreOffice/commit/800d0d553fec6bd093f813cb4aa2f10dcbe10aee>
> "Re-enable GIO support") and krb5 (see
> <https://github.com/flathub/org.libreoffice.LibreOffice/commit/5b49a9e3ca243910a094f9865e2cdda9e2cda098>
> "Add krb5" and
> <https://git.libreoffice.org/core/+/227350eb5a9881f795e9ae499c732f0148e4ac38%5E!>
> "Introduce optional krb5&gssapi support for internal PostgreSQL") "on its
> own": If there are any (security) issues with their upstream sources, we
> need to notice that and adapt the LibreOffice flatpak accordingly.
>
> * It bundles another 83 packages (from pdfium-5408.tar.bz2 to
> f543e6e2d7275557a839a164941c0a86e5f2c3f2a0042bfc434c88c6dde9e140-opens___.ttf)
> that are "managed" by upstream LibreOffice: These are also used for other
> upstream LibreOffice builds (e.g., on macOS and Windows), and if there are
> any relevant (security) issues, upstream LibreOffice takes care of that and
> provides a new upstream LibreOffice version (and thus a new LibreOffice
> flatpak version).

And this is exactly where the value of a Linux distribution lies. Upstream
does not have to "manage" their dependencies and can rely on distributions
instead. There are package management solutions for Windows and macOS, so
upstreams could make a one-time effort to support those and delegate, instead
of the constant time investment of managing dependency bundling for all
platforms on their own.
I realize this would not happen overnight, but I wish this were the direction
in which upstreams are moving instead of bundling everything.

Regards,
Dominik

--
Fedora https://fedoraproject.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
        -- from "Collected Sayings of Muad'Dib" by the Princess Irulan
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
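The thread above turns on what a flatpak manifest actually bundles: an SDK extension (openjdk17), a few modules the flatpak maintainers manage themselves (gvfs, krb5), and a long tail of sources managed by upstream. The script below is an added example, not code from this thread, from LibreOffice or from Flathub. It walks the "sdk-extensions" and "modules" arrays of a flatpak-builder manifest (JSON), lists every network-fetched source with the hash or commit that pins it, and flags sources that carry no pin at all, which is the first thing a reviewer wants before deciding whether to trust 80-odd bundled trees. The embedded MANIFEST is a constructed, heavily shortened stand-in for a manifest such as org.libreoffice.LibreOffice.json; its module names, URLs and hashes are illustrative only.

```python
"""Inventory what a flatpak-builder manifest bundles.

Added example; not code from this thread, from LibreOffice or from Flathub.
Usage on a real manifest:  python3 flatpak_inventory.py some-app.json
Without an argument it runs on the constructed MANIFEST below.
"""
import json
import sys
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed sample manifest (NOT the real LibreOffice one); names, URLs
# and hashes are illustrative. It exercises the cases the parser handles:
# an archive with sha256, a git checkout pinned by commit, a file with
# sha256, a nested module pinned only by a (mutable) tag, and non-URL
# sources (shell, local patch) that are skipped.
MANIFEST = json.dumps({
    "app-id": "org.example.App",
    "runtime": "org.freedesktop.Platform",
    "runtime-version": "22.08",
    "sdk": "org.freedesktop.Sdk",
    "sdk-extensions": ["org.freedesktop.Sdk.Extension.openjdk17"],
    "modules": [
        {"name": "krb5",
         "sources": [{"type": "archive",
                      "url": "https://example.invalid/krb5.tar.gz",
                      "sha256": "00" * 32}]},
        {"name": "app",
         "sources": [
             {"type": "git", "url": "https://example.invalid/app.git",
              "commit": "0123456789abcdef0123456789abcdef01234567"},
             {"type": "file", "url": "https://example.invalid/dep.tar.bz2",
              "sha256": "11" * 32, "dest-filename": "dep.tar.bz2"},
             {"type": "shell", "commands": ["true"]},
             {"type": "patch", "path": "local-fix.patch"}],
         "modules": [
             {"name": "libexample",
              "sources": [{"type": "git",
                           "url": "https://example.invalid/libexample.git",
                           "tag": "v1.2"}]}]},
    ],
})


@dataclass
class BundledSource:
    module: str
    kind: str           # flatpak-builder source type: archive, git, file, ...
    url: str
    pin: Optional[str]  # sha256/sha512 or git commit; None when unpinned


def iter_modules(modules: list) -> Iterator[dict]:
    """Yield every module dict, descending into nested "modules" lists.
    String entries are paths to included manifest files; they cannot be
    resolved offline here and are skipped."""
    for m in modules:
        if isinstance(m, dict):
            yield m
            yield from iter_modules(m.get("modules", []))


def bundled_sources(manifest_text: str) -> List[BundledSource]:
    """One BundledSource per source entry that fetches from a URL."""
    manifest = json.loads(manifest_text)
    found: List[BundledSource] = []
    for module in iter_modules(manifest.get("modules", [])):
        for src in module.get("sources", []):
            if not isinstance(src, dict) or "url" not in src:
                continue  # shell snippets, local patches, local files
            # A git "tag" alone can be moved by the upstream repository, so
            # only a content hash or a commit id counts as a pin here.
            pin = src.get("sha256") or src.get("sha512") or src.get("commit")
            found.append(BundledSource(module.get("name", "?"),
                                       src.get("type", "?"), src["url"], pin))
    return found


def unpinned(sources: List[BundledSource]) -> List[BundledSource]:
    return [s for s in sources if s.pin is None]


def sdk_extensions(manifest_text: str) -> List[str]:
    return list(json.loads(manifest_text).get("sdk-extensions", []))


def main(argv: List[str]) -> None:
    text = open(argv[1]).read() if len(argv) > 1 else MANIFEST
    srcs = bundled_sources(text)
    print("sdk-extensions:", ", ".join(sdk_extensions(text)) or "none")
    print(f"{len(srcs)} fetched sources across {len({s.module for s in srcs})} modules")
    for s in srcs:
        print(f"  {s.module:12} {s.kind:8} {s.url}  pin={s.pin or 'NONE'}")
    if unpinned(srcs):
        print(f"WARNING: {len(unpinned(srcs))} source(s) without a hash or commit pin")


if __name__ == "__main__":
    main(sys.argv)
```

SDK extensions are reported separately because, as the thread notes, they are not pinned in the manifest at all: the flatpak picks up whatever version of the extension is current at build time, so their update cadence is a trust decision about the extension's maintainers rather than something the manifest can show.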