On Thu, 2023-01-26 at 14:55 +0100, Jiri Eischmann wrote:
Robert Marcano via devel wrote on Thu, 26. 01. 2023 at 09:00 -0400:
> On 1/26/23 8:42 AM, Jiri Eischmann wrote:
> > Vít Ondruch wrote on Wed, 25. 01. 2023 at 18:01 +0100:
> > >
> > > On 25. 01. 23 at 15:59, Josh Boyer wrote:
> > > > On Wed, Jan 25, 2023 at 5:56 AM Vít Ondruch
> > > > <vondruch(a)redhat.com>
> > > > wrote:
> > > > > I am not a user of Bottles so I won't complain about this
> > > > > particular case,
> > > > > but the push towards (upstream) Flatpaks is unfortunate :/
> > > > Can you elaborate on why you feel that way?
> > >
> > >
> > > I don't trust upstream Flatpaks. I don't trust they follow any
> > > standard
> > > except the standard of their authors.
> >
> > I maintain both packages in Fedora and flatpaks on Flathub, so I
> > can
> > compare. The review to get an app to Flathub was as thorough as
> > Fedora
> > package review. In some ways even stricter. It's not like "it
> > builds,
> > it runs, you're good to go". They care about some standards, about
> > builds being verifiable etc.
>
> That doesn't seem to be enforced because many build scripts just
> download binaries built by other projects, for example:
>
>
> https://github.com/flathub/org.gnome.gitlab.somas.Apostrophe/blob/master/...
>
> Note: building the entire pandoc and TeX toolchain is very hard and I
> understand this example packager's decision, but it doesn't make that
> version more trustworthy than the one on Fedora.
> >
Flathub is definitely more flexible at that. I was involved in the deal
with Mozilla which was not willing to do special builds in Flathub
infra since from their point of view it was more secure to use builds
done in their infra and just upload them to Flathub. We still found
having official builds from Mozilla and Mozilla officially endorsing
Flathub more beneficial than having Firefox rebuilt by a 3rd party in
Flathub infra.
But Flathub is still a curated repo. If you want to deviate from
standards you have to justify it, if you're doing something fishy your
flatpak may be taken out. But ultimately you have to trust the author,
but that applies to Fedora, too, just to a lesser extent.

Firefox is an interesting example, though, because it's *exactly* a
case where I trust the Fedora builds more than I trust upstream's.
Mozilla makes some, to me, sub-optimal choices in search of revenue;
this isn't a dilemma Fedora has. (This is also why I run Fennec, not
Mozilla's Firefox, on Android). This was one of the main nits I had
running Silverblue on my main system for a while, actually - the baked-
in Fedora firefox package couldn't play h264 video, to which a common
'fix' is to just install the Mozilla flatpak instead, but I didn't want
to do that because I'd much rather have a Fedora packaged build.
--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net