undefined | Better HN

0 pointsgoodpoint4y ago0 comments

>> - Security: you are trusting random developers on the Internet to handle security of all the dependencies in a flatpack, forever. Most do not provide security updates at all.

> As opposed to what?

Opposed to distributions providing targeted updates to each package.

> Dynamic linking does not solve this problem, contrary to popular belief.

On the contrary it provably works very well for distributions.

>>- Long term maintenability: your desktop becomes a random mashup of applications with increasing complexity that you have to maintain yourself.

>Again, as opposed to what?

Opposed to distributions that do the huge work of packaging, testing, backporting etc.

>>- Licensing issues: distros review licenses (and find plenty of copyright violations while doing so). A flatpak puts you or your company at risk.

>Sounds like a good way for a proprietary software to be distributed...

This is unrelated to the lack of licensing review.

>>- Impact on the ecosystem: the more users switch to opaque blobs the less testing and review is done for proper packages. The whole ecosystem become more vulnerable to supply chain attacks.

>I don't see how one follows the other.

Supply chain attacks are strongly mitigated by maintainers doing vetting and packaging, and by distribution doing release freezing.

0 comments

jcelerier4y ago

> On the contrary it provably works very well for distributions.

if it worked very well there wouldn't be a need for flatpak / snap / appimage / etc. How do I install an older or newer inkscape / ardour / krita in the latest debian stable / ubuntu / fedora / whatever without recompiling stuff ?

joconde4y ago

The sentence you're answering was about security. I don't think "fixing vulnerabilities faster" is something Flatpaks were created to solve. It was more of a solution to dependency hell, that makes vulnerabilities harder to fix and audit.

I see the same issue with Docker services I deploy: how am I supposed to check that the latest Nginx security update is included in all my docker-compose deployments? With shared libraries, it's as simple as "apt-get upgrade" then restarting the services. In Docker, I'd have to check that the latest versions of all images include the correct versions of all dependencies.

CRConrad4y ago

> if it worked very well there wouldn't be a need for flatpak / snap / appimage / etc.

Exactly: There isn't.

> How do I install an older or newer inkscape / ardour / krita in the latest debian stable / ubuntu / fedora / whatever without recompiling stuff ?

You don't. Or if you have to, do it on Gobo (or perhaps Guix or NixOS?).

jcelerier4y ago

That's a ridiculous answer. "You don't" means people go back to windows or Mac OS where they can do that easily because it's an actual need people have. That's the worst outcome by far as it leads to less support on Linux.

goodpointOP4y ago

No, "you don't" is a valid answer. You use what is in the distribution. You chose the combination of archives (stable, stable+backports, and so on...) as you need.

Then you use what the distro provides.

(The same way as you use the default, tested and guaranteed engine computer on your car rather than installing one bought in a dark alley.)

Like the car, distribution work when you use the whole set of components bundled and tested together.

If upstreams make it difficult to package new version you can help by asking them to step up their game or switch to a better software.

If you want to build a Frankenstein bundle of software you are free to do so but you'll be on your own when things start to break.

1 more reply

Mikeb854y ago

> Opposed to distributions providing targeted updates to each package.

Except distributions can manage their own flatpak repo. Using flatpaks as a format != using Flathub.

This is what Fedora does, for example.

j / k navigate · click thread line to collapse

0 comments

jcelerier4y ago

> On the contrary it provably works very well for distributions.

joconde4y ago

CRConrad4y ago

> if it worked very well there wouldn't be a need for flatpak / snap / appimage / etc.

Exactly: There isn't.

> How do I install an older or newer inkscape / ardour / krita in the latest debian stable / ubuntu / fedora / whatever without recompiling stuff ?

You don't. Or if you have to, do it on Gobo (or perhaps Guix or NixOS?).

jcelerier4y ago

goodpointOP4y ago

No, "you don't" is a valid answer. You use what is in the distribution. You chose the combination of archives (stable, stable+backports, and so on...) as you need.

Then you use what the distro provides.

(The same way as you use the default, tested and guaranteed engine computer on your car rather than installing one bought in a dark alley.)

Like the car, distribution work when you use the whole set of components bundled and tested together.

If upstreams make it difficult to package new version you can help by asking them to step up their game or switch to a better software.

If you want to build a Frankenstein bundle of software you are free to do so but you'll be on your own when things start to break.

1 more reply

Mikeb854y ago

> Opposed to distributions providing targeted updates to each package.

Except distributions can manage their own flatpak repo. Using flatpaks as a format != using Flathub.

This is what Fedora does, for example.

j / k navigate · click thread line to collapse