Distributors entering Flatpakland
Distributors entering Flatpakland
Posted Jul 9, 2022 19:40 UTC (Sat) by atnot (subscriber, #124910)In reply to: Distributors entering Flatpakland by jafd
Parent article: Distributors entering Flatpakland
Chosing not to pester the user with permission prompts at installation time is just a pragmatic policy choice that accounts for the realistic user risks, the degree to which most applications can actually be sandboxed on linux in the first place (anything with access to X or pulseaudio is right out) as well as the risk of developers refusing to support flatpak or people deciding it's a bigger hassle than just downloading random binaries off of websites instead. If flatpak is succesful enough, it is easy to just enforce stricter policies during installation, the metadata is already there.
Posted Jul 9, 2022 19:51 UTC (Sat)
by jafd (subscriber, #129642)
[Link] (5 responses)
For example, software business gets bought and sold. What if the alignment of the current owner is not the same as that of the previous one?
X.0 software is ok, X.1 carries adware in addition to its useful functionality.
A software which is demanded by an employer is, in addition to providing stated functionality, invades privacy in numerous ways. (Zoom is an example of software which is walking a very fine line between being useful and falling into total shoddiness, and is required by many.)
A program starts carrying, say, Facebook SDK.
In the world of mobile (and maybe Windows), where there is proliferation of apps, you hit these bad apples all the time. Flatpak is after the same kind of apps proliferation, so you can expect all antipatterns known in App Store/Play Store to also appear there once they succeed.
But I get it, learning from past mistakes and current mistakes of the competition is *hard*. Let’s grow, let’s hype what we don’t have, let’s fix it later or maybe never.
Posted Jul 9, 2022 20:39 UTC (Sat)
by atnot (subscriber, #124910)
[Link] (4 responses)
Please do tell me what your alternatives are. Offering a grand selection of five GNOME apps? Giving users alert fatigue by showing a big red banner for every large application? Hosting broken applications and ensuring the users' next course of action is purging Flatpak? (Snap has been very good at that.) The Flatpak developers coming in and personally porting every codebase to Wayland and Portals (including proprietary ones like Zoom)? I disagree, Flatpak definitely learned from competitors like UWP in what happens if you try to force people to do things your way overnight.
I get that you want Flatpak to be more than it is. I agree that what you're describing would be wonderful. But what I also see is that it is already a significant increase in security for the average user over what we have right now and lays the technological foundations for it being even more secure in the future. I'm willing to cut it some slack on the things it needs to compromise on to get us there.
Posted Jul 10, 2022 5:05 UTC (Sun)
by jonesmz (subscriber, #130234)
[Link] (2 responses)
Every single one of the security benefits claimed by flatpack could be provided by traditional packaging systems like dpkg and rpm as an incremental improvement to those packages.
So why flatpack in the first place, if it comes with all this enormous baggage?
Posted Jul 10, 2022 7:41 UTC (Sun)
by pabs (subscriber, #43278)
[Link]
Posted Jul 10, 2022 8:31 UTC (Sun)
by atnot (subscriber, #124910)
[Link]
Sure, but are they doing it? Almost universally no, because this kind of sandboxing for linux GUI applications requires a lot of additional work, metada, code changes and considerations and distros don't see a need. As far as I can tell, Flatpak have been the only ones driving these features. It does happen a bit for system services though thanks to systemd's sandboxing features. But getting every maintainer to turn them on has been hard.
If you want to change that go ahead, it would be great!
> So why flatpack in the first place, if it comes with all this enormous baggage?
The primary goal is to make it easier to target applications at Linux. The biggest demographic of Flatpak developers, afaict, is KDE and GNOME developers who were annoyed by the amount of work required to get your application onto every distro and inability to deliver speedy updates. Isolation and sandboxing are just implementation details to make that less haphazard.
Posted Jul 10, 2022 12:18 UTC (Sun)
by jafd (subscriber, #129642)
[Link]
Learning from the mistakes of the competition is hard. But it’s also vital.
I wouldn’t have anything against distributions just being honest: we adopt and push flatpak on everyone because maintenance of packages is hard and we don’t want to be doing it. Flatpak is also slightly better at removing stuff you don’t need without leftover files. Okay. I can understand that.
This brings us more or less to the level of Windows 7 security where you download all sorts of crap from the internet, and the publisher has the final word.
But offering a sandbox that doesn’t quite protect you, and claiming “hey it’s better than nothing” is vile. It doesn’t provide anything more than a false sense of security. Like a counterfeit bulletproof vest.
Distributors entering Flatpakland
Distributors entering Flatpakland
Distributors entering Flatpakland
Distributors entering Flatpakland
Distributors entering Flatpakland
Distributors entering Flatpakland