Re: LibreOffice packages

On 7/2/23 19:28, Michael Catanzaro wrote:
> On Sun, Jul 2 2023 at 04:59:39 PM -0400, Demi Marie Obenour 
> <demiobenour@xxxxxxxxx> wrote:
>>>
>> Fedora Flatpaks are also a security disaster: they are shipped in OCI
>> format instead of OSTree format, but they aren’t signed by anyone.
>> I’ve disabled the Fedora remote and recommend that others do the 
>> same.
> 
> I didn't know about this problem. I agree that sounds pretty bad. I'm 
> going to ask some colleagues to comment on this.

Thank you.  As an aside, Fedora container images are also unsigned, and
inasmuch as they are both shipped in OCI format, it might be possible
to fix both at once.

> There are, frankly, many other serious problems with Fedora Flatpaks, 
> most notably lack of regular updates when the app or bundled 
> dependencies are updated in Fedora. I think of them as a tech preview 
> that we shipped too early.

That sounds accurate.  I recommend turning them off by default _for now_,
but hopefully they can be turned back on again in the future.

> But these problems are not insurmountable, 
> and if we can get it right, building Flatpaks from RPMs will allow 
> Fedora to deliver applications packaged at Fedora's high level of 
> quality in a modern and safer format.

I 100% support this.

>>>  My $0.02: maintaining complex desktop applications as part of the
>>>  operating system requires significant effort and produces low value
>>>  for users when you can easily install that app from Flathub instead.
>>>  (It *especially* doesn't make sense to do in RHEL, but let's focus on
>>>  Fedora here.)
>>
>> What is your reasoning here?  I’m not saying I disagree with you, but
>> I want to know *why* you believe this, especially since flatpaks
>> consume additional memory and disk space compared to RPMs.
> 
> I do not believe that Flatpaks consume significant additional memory. 
> OK, host shared libraries and flatpaked libraries will be loaded at the 
> same time, but I really doubt that's going to be at all significant. 
> They do consume significant disk space if your disk is really small. 
> ostree deduplication is pretty good, though (and OCI images are 
> deduplicated too):
> 
> https://blogs.gnome.org/wjjt/2021/11/24/on-flatpak-disk-usage-and-deduplication/
> 
> So I don't think many users will seriously care about additional memory 
> use or disk space.
> 
> As a matter of strategy, packaging applications is fine, but nowadays 
> it is *optional*. 15 years ago, if Fedora did not ship an application, 
> you had to compile it yourself or, more likely, switch to Ubuntu or 
> Debian because they have more applications available. That is not the 
> case today. Our most popular applications are nowadays available from 
> Flathub or other third-party sources, and users are going to install 
> them regardless of whether we package them. Having Fedora packages 
> provides users with another way to use applications they would use on 
> Fedora anyway. So for the most complex applications, where packaging is 
> difficult or time-consuming, Fedora packagers will have to decide for 
> themselves whether it still makes sense to do that work as opposed to 
> other possible Fedora work.

That makes total sense.  If there are N distributions and M applications,
traditional packaging takes O(N * M) time, whereas Flatpaks take O(N + M)
time.  Needless to say, the latter is a lot more sustainable as N and M
get bigger.

> (Flatpaks without sandbox holes are also dramatically more secure than 
> Fedora RPMs, which is why I'm *really* interested in Flatpaks. But 
> currently applications declare too many holes: 
> https://theevilskeleton.gitlab.io/2023/05/11/overview-of-flatpaks-permission-models.html 
> )

Sandboxing is also my main interest in Flatpaks.  The current state of
non-macOS desktop security is honestly rather embarrassing and sandboxing
applications is a necessary first step in fixing that.  Furthermore,
sandboxed applications have well-defined interfaces with the rest of the
system, which makes isolation techniques like SELinux, Landlock, or even
virtualization much easier to apply.

> Anyway, I don't mean to suggest we should stop packaging applications 
> or that the work to keep the LibreOffice packages maintained is not 
> valuable (thank you to everyone working on that). Being able to 
> continue shipping LibreOffice by default is especially important for 
> users who do not already know about LibreOffice and would otherwise not 
> realize that Linux has an office suite available. What I really meant 
> there was that packaging applications is not the most valuable way for 
> Red Hat to contribute to Fedora.

That makes total sense, thanks!

> Contrast the LibreOffice announcement 
> to Bastien's announcement that Red Hat is orphaning a large number of 
> core desktop packages that are not applications and cannot be replaced 
> by Flatpaks. This one will be much more challenging for Fedora to deal 
> with. :/
> 
> Michael-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
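Added example, not code from this thread or from the Flatpak project: a small Python audit that reads a Flatpak/ostree repository config and reports which remotes do not have GPG verification enabled, i.e. the check behind the advice above to disable an unsigned remote. It assumes the ostree keyfile layout (one `[remote "NAME"]` section per remote with an optional boolean `gpg-verify` key); the config file paths in the comments and the sample config text are constructed for this example, not captured from a real system.

```python
"""Audit an ostree/Flatpak repo config for remotes without GPG verification.

Assumptions (not from the thread): the repo config is a GLib keyfile such as
~/.local/share/flatpak/repo/config or /var/lib/flatpak/repo/config, with one
[remote "NAME"] section per remote and an optional `gpg-verify` boolean.
"""
import configparser
import re
import sys
from pathlib import Path
from typing import Dict, List

# Constructed sample config for this example; not captured from a real host.
SAMPLE_CONFIG = """\
[core]
repo_version=1
mode=bare-user-only

[remote "flathub"]
url=https://dl.flathub.org/repo/
gpg-verify=true

[remote "fedora"]
url=oci+https://registry.example.invalid
gpg-verify=false

[remote "mirror-example"]
url=https://mirror.example.invalid/repo/
"""

_REMOTE_RE = re.compile(r'^remote\s+"(?P<name>[^"]+)"$')


def parse_remotes(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {remote_name: {key: value}} for every [remote "NAME"] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep keys such as gpg-verify exactly as written
    parser.read_string(config_text)
    remotes: Dict[str, Dict[str, str]] = {}
    for section in parser.sections():
        match = _REMOTE_RE.match(section)
        if match:
            remotes[match.group("name")] = dict(parser[section])
    return remotes


def gpg_verify_state(options: Dict[str, str]) -> str:
    """Classify a remote as enabled / disabled / unspecified.

    An absent key is reported as 'unspecified' rather than assuming ostree's
    default, so the reviewer sees it and decides explicitly.
    """
    value = options.get("gpg-verify")
    if value is None:
        return "unspecified"
    return "enabled" if value.strip().lower() in ("true", "1", "yes") else "disabled"


def unverified_remotes(config_text: str) -> List[str]:
    """Names of remotes whose gpg-verify is not explicitly enabled."""
    return sorted(
        name
        for name, options in parse_remotes(config_text).items()
        if gpg_verify_state(options) != "enabled"
    )


def audit_report(config_text: str) -> str:
    """One line per remote: name, verification state, URL."""
    rows = []
    for name, options in sorted(parse_remotes(config_text).items()):
        rows.append(f"{name:20} {gpg_verify_state(options):12} {options.get('url', '?')}")
    return "\n".join(rows)


if __name__ == "__main__":
    # Pass a real repo config path to audit it; otherwise the sample is used.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(audit_report(text))
    flagged = unverified_remotes(text)
    print("\nremotes to review:", ", ".join(flagged) if flagged else "none")
```

Run it against the user or system repo config path on a machine to get a per-remote listing; the flagged names are the remotes whose content is accepted without a signature check, which is exactly the situation the first paragraph objects to.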
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue