First impressions of Fedora Silverblue 30 coming from Workstation

I decided to upgrade Fedora Workstation 30 to Fedora Silverblue 30.

First of all: It worked way better than I thought!
One can clearly notice it’s “still” the same Workstation as before, because everything “high-level”/user-facing is quite the same. What probably surprised me the most is that (technically obviously, I have to say, but anyway…) GNOME extensions work flawlessly in the same way as before. Literally (nearly :wink:*) zero changes…


* obviously, when you use the Firefox Fedora flatpak you cannot use extensions.gnome.org to manage your extensions, because it’s sandboxed, but well… there are enough ways to do this. :slight_smile:

Problems

The only bigger problems I had were mostly that many apps are not yet on flatpaks at registry.fedoraproject.org. I’ve opened bugs for the ones I’d really like to see, but possibly the most embarrassing astonishing (:wink:) thing to notice is that even very simple GNOME apps like GNOME Photos, GNOME Contacts or the non-expendable GNOME Sudoku (:wink:) had no Fedora flatpaks.

In most cases I can fall back to Flathub ones – or in the worst case to package layering via rpm-ostree.

Where is my secure source for software?

However, I want to avoid both, because a) layering is obviously considered bad in Silverblue context :wink: and b) Flathub is a third-party source and does not belong to the Fedora project. When you use the official Fedora packages (respectively flatpaks) you have the advantage that they are from one source, are QA tested etc. – Basically all advantages you also have for any distro’s rpm/deb/… packages, only that they are distributed via flatpak and thus you additionally have features like isolation (though it depends on the flatpak how strong that is. Tip: Check the permissions in GNOME Software!)

You can always fall back!

Generally said, however, what is possibly the best argument for Silverblue is that you can in 99.99% of all cases fall back to other mechanisms for using/installing your software when it’s not available as a (Fedora) flatpak:

  1. First of all, as mentioned, you can always use Flathub.
    In my experience Flathub is (still?) the larger collection and you find many GNOME apps there before they are in the Fedora flatpak registry. However, I occasionally also had flatpaks in Fedora first, which were not on Flathub.
  2. If flatpak fails and usually it does so e.g. for CLI tools (zsh, etc.), as they are not shipped via flatpaks, you anyway always have the ability to install the “usual” RPM packages from Fedora via rpm-ostree. This tool is really awesome! I mean, it lacks any search functionality or so, but that was not that bad for me, as I anyway mostly just use the Fedora website for that.
  3. In the end, you can get a whole container Fedora Workstation with toolbox, which is another great idea as you can install and run software there as you want. Even GUI apps are possible.

More problems

When mentioning all the things I liked, I also have to say one notices that it’s still not finished. Most notably of course the missing flatpaks on registry.fedoraproject.org, as explained before, but also because you’ll always have these little things that do not really work yet:

  • H264 is still an issue for browsers
  • one should not dare to use a non-USB keyboard (layout) when installing, as you won’t be able to unlock your LUKS-encrypted volume anymore afterwards. :wink:
  • Sometimes flatpak’s isolation will definitely annoy you. That’s good, because it shows it’s working… :stuck_out_tongue_winking_eye:
    However, it also leads to bugs such as that gedit cannot use my custom font.
    Thankfully, though, as a dev you maybe need tools that may need to break the flatpak’s sandbox. And it is possible with the correct flatpak permissions. Good that I’ve already created my solution for Atom before already, so I could just re-apply it here, but it’s obviously not an “out-of-the-box” experience. However, people are discussing better solutions in the linked thread.

And I won’t count them as problems, but obviously also some other minor things are different and cause me to ask (stupid :wink:) questions like where is chsh for shell changing? and uhm, where is gnome-open, actually?.

More surprises

One surprise was that Silverblue ships with really, really few GNOME apps. I know, this is by design and possibly not bad, but as a GNOME Workstation user it’s still surprising. :stuck_out_tongue_winking_eye:

It was fun to find out all these GNOME apps I regularly use and install them. By doing that, you also notice what you don’t actually use… :wink:


I have no idea how that works, but what I really did not expect was that the flatpaks for GNOME Contacts and GNOME Calendar e.g. do have access to the GNOME online accounts! (the ones you add in the settings)
As such, just as with a regular Workstation, you add your account once, and applications can use it.

What I’d wish would be a little more insight/permissions for the user, so they can actually check/notice/control when an application is going to access your online accounts. Otherwise a malicious flatpak could do bad things.

Same BTW for seahorse (the password/keyring management tool of GNOME). It just works™, even though I actually had to install this from Flathub, because – again – it was not available in the Fedora Registry.

Conclusion

So all in all, great job Fedora Silverblue Team! :fedora: :large_blue_diamond:
I can only see this getting better, and hopefully applications will also be adjusted, so the flatpak isolation gets stronger, so that there are no trivial sandbox escapes anymore. That said, the main security (and reliability) of that distro still comes from the fact that you can get vetted packages (aka flatpaks) from the Fedora Registry. Though that is the case for any (Fedora) distro, I’d not take this as given for a distro that ships flatpaks and installing software as flatpaks as a “first citizen” experience, because you could also just have put everything on Flathub.
What you’d lose then is the way packages are checked and IMHO this is a big part of a Linux distro and a big part of the criticism some people have against flatpak.

You, however, just combine the best parts of both traditional distros and distribution via “containers” (flatpaks) in one distro, which is awesome! :smiley:

All in all, it surprised me how similar the distro actually is, once you get accustomed to these “little” new underlying technologies. And the experience to just reboot your system and be in a new updated system is just a pretty cool one! :sunglasses:



1 Like

(reserved)

in case I need to add a second part of the story here

  • The fonts issue is odd, Flatpak should definitely pick up on user fonts. Does fc-list run from inside a Flatpak show the fonts?
  • Flathub isn’t official as per Fedora, but it’s officially maintained by the Flatpak developers, and many of the packages (including GNOME ones) are maintained by the upstream developers, meaning they are updated quickly and usually tested by the devs themselves. It’s quite reliable overall, and the Flatpaks are maintained by quite a few people (including me!). The main issue it’s had is just that packages occasionally can go out of date, but you can usually just open an issue then. In addition, Flathub will most likely remain the primary source for proprietary apps afaik.
  • Fedora intentionally doesn’t include chsh because it’s setuid root which is a bit of a security rabbit hole, use sudo lchsh $USER.
  • Use xdg-open instead of gnome-open. The former is generally available and a modern alternative.
  • For GOA access, look for the permission talk-name=org.gnome.OnlineAccounts.
2 Likes
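
An added example, not part of any post in this thread: a shell script that audits installed Flatpak apps for the `talk-name=org.gnome.OnlineAccounts` permission mentioned above, and also flags apps with unfiltered session-bus access. The function names and the sample metadata are constructed for illustration; it assumes `flatpak info --show-permissions` prints the keyfile form shown in the sample.

```shell
#!/bin/sh
# Added example: which Flatpak apps may talk to GNOME Online Accounts (GOA)?
# `flatpak info --show-permissions APP` prints the app metadata in keyfile
# form; session D-Bus grants are listed under "[Session Bus Policy]".

GOA_NAME="org.gnome.OnlineAccounts"

# Reads permission metadata on stdin and prints the GOA access level:
#   unfiltered  sockets=session-bus (whole session bus, GOA included)
#   talk / own / see   value granted for the name or a matching wildcard
#   none        no grant found
goa_access() {
    awk -F= -v name="$GOA_NAME" '
        /^\[/ { section = $0; next }
        section == "[Context]" && $1 == "sockets" &&
            index(";" $2 ";", ";session-bus;") { full = 1 }
        section == "[Session Bus Policy]" && NF == 2 {
            pat = $1
            if (pat == name) exact = $2
            # "org.gnome.*" also covers every name below org.gnome
            else if (sub(/\.\*$/, "", pat) && index(name, pat ".") == 1) wild = $2
        }
        END {
            if (full) print "unfiltered"
            else if (exact != "") print exact
            else if (wild != "") print wild
            else print "none"
        }'
}

# Lists every installed app whose sandbox can reach GOA (needs flatpak).
audit_installed() {
    flatpak list --app --columns=application | while read -r app; do
        level=$(flatpak info --show-permissions "$app" | goa_access)
        [ "$level" = "none" ] || printf '%s\t%s\n' "$app" "$level"
    done
}

# Constructed sample metadata, shaped like the output for a contacts app.
SAMPLE_CONTACTS='[Context]
shared=network;ipc;
sockets=x11;wayland;

[Session Bus Policy]
org.gnome.OnlineAccounts=talk
org.gnome.evolution.dataserver.AddressBook9=talk'
```

Call `audit_installed` on a Silverblue host to get a tab-separated list of app IDs and their access level; apps reported as `unfiltered` are not confined on the session bus at all.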

User fonts from the host work in apps from Flathub, but not apps from the Fedora registry.

I’m not sure, but I suspect it’s because the Fedora runtime lacks the configuration that makes fontconfig look in /run/host/user-fonts. The Freedesktop runtime has this: https://gitlab.com/freedesktop-sdk/freedesktop-sdk/blob/master/files/fontconfig-flatpak.conf#L14. The Fedora platform contains a similar file, https://src.fedoraproject.org/rpms/flatpak-runtime-config/blob/master/f/50-flatpak.conf#_11, that contains <dir>/run/host/fonts</dir> but not <dir>/run/host/user-fonts</dir>.

1 Like

First of all, thank you for trying Silverblue and for sharing the feedback with us!

I don’t think that you are choosing the right words - why have you chosen “embarrassing”? Fedora is about community and also its involvement. Wouldn’t it be better to self-study https://docs.fedoraproject.org/en-US/flatpak/tutorial/ and help the project by flatpaking the “very simple GNOME apps”?

Uhm, yeah… indeed I did not, sorry. I already placed a :wink:, but I should have known this could be exaggerated.

So ~delete embarrassing~, replace it with “astonishing”.

Well… I don’t want to discuss the single issues now. Best comment in the bug/issue/thread I’ve linked instead. This here was rather for sharing the overall experience.

Same for the other things, you’ve commented. These are good answers, but I am now posting them to the right locations. :slight_smile:

Yeah thanks. While we speak, it is already going to be fixed, however: https://src.fedoraproject.org/rpms/flatpak-runtime-config/pull-request/1

So great, this was really fast! :tada: