The developer of Bottles has asked Fedora to stop packaging their software and to direct users to use their binaries from Flathub instead. I will refrain from hot takes and just say that this is part of a trend and a very misguided one. https://lwn.net/Articles/922387/
"The importance of automated scanning for malware and outdated/vulnerable components therefore increases - there are tools in the cloud space which can do such automated scanning of OCI containers"
Vulnerability scanning is necessary because these packages are just binary blobs, so the only option is to apply algorithms that sift through all the files looking for signatures of known vulnerable libraries. Contrast this with Guix, which can do vulnerability scanning by inspecting the package graph, a proper data structure.
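To make the contrast concrete, here is a small added illustration (my own code for this post, not Guix's `guix lint` or any real container scanner). It models both approaches over constructed data: a declared package graph that can be walked exactly, and an opaque bundle of file bytes that can only be grepped for version-string signatures. The package names, versions, advisory ids and byte strings are all made up, and the advisory ids are placeholders, not CVE numbers.

```python
"""Graph-based versus blob-based detection of a known-vulnerable library.

Added example for this post; not code from Guix, Flathub or any scanner.
All packages, versions, advisories and file bytes below are constructed.
"""
import re
from dataclasses import dataclass


# ---- Approach 1: the package graph is a real data structure; walk it. ----

@dataclass(frozen=True)
class Package:
    name: str
    version: str
    inputs: tuple = ()  # names of the packages this one is built against


# Constructed dependency graph (hypothetical packages and versions).
GRAPH = {
    "myapp":  Package("myapp", "2.1", ("gtk", "libpng")),
    "gtk":    Package("gtk", "4.10", ("glib", "libpng")),
    "glib":   Package("glib", "2.76"),
    "libpng": Package("libpng", "1.6.36", ("zlib",)),
    "zlib":   Package("zlib", "1.2.11"),
    "other":  Package("other", "0.1", ("zlib",)),
}

# Constructed advisory feed: (package, affected version, placeholder id).
ADVISORIES = [
    ("zlib", "1.2.11", "ADVISORY-PLACEHOLDER-1"),
    ("libpng", "1.6.36", "ADVISORY-PLACEHOLDER-2"),
]


def closure(graph, root):
    """Every package reachable from root through declared inputs (root included)."""
    seen, stack = set(), [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(graph[name].inputs)
    return seen


def graph_scan(graph, root, advisories):
    """Exact answer: advisories whose (package, version) sits in root's closure."""
    affected = closure(graph, root)
    return sorted(
        (adv_id, name, version)
        for name, version, adv_id in advisories
        if name in affected and graph[name].version == version
    )


def dependents(graph, name):
    """Reverse query the graph makes cheap: everything that transitively uses `name`."""
    return sorted(p for p in graph if p != name and name in closure(graph, p))


# ---- Approach 2: an opaque bundle; all we can do is grep the bytes. ----

# Constructed "extracted bundle": path -> file bytes. The shared zlib still
# carries its version banner; the app statically links libpng with the
# banner stripped, which is exactly the case a signature scan cannot see.
BUNDLE = {
    "usr/lib/libz.so.1":   b"\x7fELF\x02\x01\x01...deflate 1.2.11 Copyright...",
    "usr/bin/myapp":       b"\x7fELF\x02\x01\x01...png_read_info...png_set_sig_bytes...",
    "usr/lib/libglib.so":  b"\x7fELF\x02\x01\x01...GLib-2.76 ...",
}

# Constructed signatures: regexes for the version banners scanners look for.
SIGNATURES = {
    "zlib":   re.compile(rb"deflate (\d+\.\d+\.\d+)"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
}


def blob_scan(bundle, signatures, advisories):
    """Best-effort answer: advisories whose version banner was found somewhere in the bytes."""
    found = {}
    for data in bundle.values():
        for lib, pattern in signatures.items():
            match = pattern.search(data)
            if match:
                found[lib] = match.group(1).decode()
    return sorted(
        (adv_id, name, version)
        for name, version, adv_id in advisories
        if found.get(name) == version
    )


if __name__ == "__main__":
    print("graph:", graph_scan(GRAPH, "myapp", ADVISORIES))
    print("blob: ", blob_scan(BUNDLE, SIGNATURES, ADVISORIES))
    print("uses zlib:", dependents(GRAPH, "zlib"))
```

Run stand-alone, the graph walk reports both advisories for `myapp` and can also answer the reverse question (which packages need a rebuild once zlib is fixed), while the byte scan reports only zlib because the statically linked libpng has no banner to match. That missed hit is the point: the blob scanner is a heuristic over whatever strings survived the build, the graph query is a lookup over declared facts.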
"As we also open the ability for applications to be uploaded in binary form, which is essential for low-friction compatibility with popular language-specific build systems such as Electron/Node, Rust, Go, etc - we also reduce the ability for users to scrutinise the source in the Flathub build system"
This is not a project to benefit open source. It also supports my spicy take that Rust is a net negative for FOSS because of its toolchain.
And of course, until we have an object-capability secure OS, we need distro maintainers to act as a check on application developers and their often sloppy practices.
I am very skeptical of any attempt to monetize and homogenize package management by circumventing distros. No matter what they say it's just a vector for installing proprietary software or software that's such a mess that only the devs know how to build it and might as well be proprietary.
"Intentionally or not, many stakeholders such as traditional Linux OS vendors act as gatekeepers, slowing the ability of potential application developers to publish to their users, as well as disincentivizing any application developer who is unable to learn, produce and support their application without any remuneration."