On 03/07/2023 01:28, Michael Catanzaro wrote:
OK, host shared libraries and flatpaked libraries will be loaded at the
same time, but I really doubt that's going to be at all significant.
Include dozens of bundled libraries here too. Only runtimes can use
shared memory.
They do consume significant disk space if your disk is really small. ostree deduplication is pretty good, though (and OCI images are deduplicated too)
Many Flatpaks from Flathub still use the old runtimes. Each runtime
consumes approximately 1 GB of disk space.
They need to start doing mass rebuilds with every new major release of
the runtime.
As a matter of strategy, packaging applications is fine, but nowadays it is *optional*.
I don't think so.
Our most popular applications are nowadays available from Flathub or other third-party sources, and users are going to install them regardless of whether we package them.
Sorry, but I can't trust them since they allow uploading pre-built blobs
and DEB repacks for popular and even for security-focused applications:
- Firefox (uploaded as ostree blob without sources, has disabled ASLR
and hardening);
- OBS Studio (uploaded as ostree blob);
- Element (DEB repack:
https://github.com/flathub/im.riot.Riot/blob/master/im.riot.Riot.yaml#L69-L70);
- Signal (DEB repack:
https://github.com/flathub/org.signal.Signal/blob/master/org.signal.Signal.yaml#L65-L66);
- Blender (static binary repack:
https://github.com/flathub/org.blender.Blender/blob/master/org.blender.Blender.json#L150-L151);
- VS Codium (DEB repack:
https://github.com/flathub/com.vscodium.codium/blob/master/com.vscodium.codium.yaml#L98-L99);
- many others: https://github.com/search?q=org%3Aflathub+.deb&type=code
They need to forbid uploading pre-built blobs and repacks. All packages
(except proprietary ones) should be built on their infrastructure.
Flatpaks without sandbox holes are also dramatically more secure than Fedora RPMs, which is why I'm *really* interested in Flatpaks.
Also, many Flathub's apps don't use Flatpak isolation at all:
- https://github.com/search?q=org%3Aflathub+--filesystem%3Dhost&type=code
- https://github.com/search?q=org%3Aflathub+--filesystem%3Dhome&type=code
They need to restrict such holes. Snap already did this a few years ago
(classic snaps are only allowed in exceptional cases).
--
Sincerely,
Vitaly Zaitsev (vitaly@xxxxxxxxxxxxxx)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
