On Sun, Jul 2 2023 at 04:59:39 PM -0400, Demi Marie Obenour
<demiobenour@xxxxxxxxx> wrote:
> Fedora Flatpaks are also a security disaster: they are shipped in OCI
> format instead of OSTree format, but they aren’t signed by anyone.
> I’ve disabled the Fedora remote and recommend that others do the
> same.
I didn't know about this problem. I agree that sounds pretty bad. I'm
going to ask some colleagues to comment on this.
There are, frankly, many other serious problems with Fedora Flatpaks,
most notably lack of regular updates when the app or bundled
dependencies are updated in Fedora. I think of them as a tech preview
that we shipped too early. But these problems are not insurmountable,
and if we can get it right, building Flatpaks from RPMs will allow
Fedora to deliver applications packaged at Fedora's high level of
quality in a modern and safer format.
>> My $0.02: maintaining complex desktop applications as part of the
>> operating system requires significant effort and produces low value for
>> users when you can easily install that app from Flathub instead. (It
>> *especially* doesn't make sense to do in RHEL, but let's focus on
>> Fedora here.)
>
> What is your reasoning here? I’m not saying I disagree with you, but
> I want to know *why* you believe this, especially since flatpaks consume
> additional memory and disk space compared to RPMs.
I do not believe that Flatpaks consume significant additional memory.
OK, host shared libraries and flatpaked libraries will be loaded at the
same time, but I really doubt that's going to be at all significant.
They do consume significant disk space if your disk is really small.
ostree deduplication is pretty good, though (and OCI images are
deduplicated too):
https://blogs.gnome.org/wjjt/2021/11/24/on-flatpak-disk-usage-and-deduplication/
So I don't think many users will seriously care about additional memory
use or disk space.
As a matter of strategy, packaging applications is fine, but nowadays
it is *optional*. 15 years ago, if Fedora did not ship an application,
you had to compile it yourself or, more likely, switch to Ubuntu or
Debian because they have more applications available. That is not the
case today. Our most popular applications are nowadays available from
Flathub or other third-party sources, and users are going to install
them regardless of whether we package them. Having Fedora packages
provides users with another way to use applications they would use on
Fedora anyway. So for the most complex applications, where packaging is
difficult or time-consuming, Fedora packagers will have to decide for
themselves whether it still makes sense to do that work as opposed to
other possible Fedora work.
(Flatpaks without sandbox holes are also dramatically more secure than
Fedora RPMs, which is why I'm *really* interested in Flatpaks. But
currently applications declare too many holes:
https://theevilskeleton.gitlab.io/2023/05/11/overview-of-flatpaks-permission-models.html
)
Anyway, I don't mean to suggest we should stop packaging applications
or that the work to keep the LibreOffice packages maintained is not
valuable (thank you to everyone working on that). Being able to
continue shipping LibreOffice by default is especially important for
users who do not already know about LibreOffice and would otherwise not
realize that Linux has an office suite available. What I really meant
there was that packaging applications is not the most valuable way for
Red Hat to contribute to Fedora. Contrast the LibreOffice announcement
to Bastien's announcement that Red Hat is orphaning a large number of
core desktop packages that are not applications and cannot be replaced
by Flatpaks. This one will be much more challenging for Fedora to deal
with. :/
Michael
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue