I decided to upgrade Fedora Workstation 30 to Fedora Silverblue 30.
First of all: It worked way better than I thought!
One can clearly notice it’s “still” the same Workstation as before, because everything “high-level”/user-facing is quite the same. What probably surprised me the most is that (technically obviously, I have to say, but anyway…) GNOME extensions work flawlessly in the same way as before. Literally (nearly *) zero changes…
The only bigger problems I had were mostly that many apps are not yet on flatpaks at registry.fedoraproject.org. I’ve opened bugs for the ones I really like to see, but possibly the most
embarrassing astonishing () thing to notice is that even very simple GNOME apps like GNOME photos, GNOME Contacts or the non-expendable GNOME Sudoku (:wink) had no Fedora flatpaks.
In most cases I can fallback to Flathub ones – or in the worst case to package layering via
Where is my secure source for software?
However, I want to avoid both, because a) layering is obviously considered bad in Silverblue context and b) Flathub is a third-party source and does not belong to the Fedora project. When you use the official Fedora packages (respectively flatpaks) you have the advantage that they are from one source, are QA tested etc. – Basically all advantages you also have for any distro’s rpm/deb/… packages, only that they are distributed via flatpak and thus you additionally have features like is isolation (though it depends on the flatpak how strong that is. Tip: Check the permissions in GNOME Software!)
You can always fall back!
Generally said, however, what is possibly the best argument for Silverblue is that you can in 99.99% of all cases fall back to other mechanisms for using/installing your software when it’s not available as a (Fedora) flatpak:
- First of all, as mentioned, you can always use Flathub.
In my experience Flathub is (still?) the larger collection and you find many GNOME apps there before they are in the Fedora flatpak registry. However, I occasionally also had flatpaks in Fedora first, which were not on Flathub.
- If flatpak fails and usually it does so e.g. for CLI tools (zsh, etc.), as they are not shipped via flatpaks, you anyway always have the ability to install the “usual” RPM packages from Fedora via
rpm-ostree. This tool is really awesome! I mean, it lacks any search functionality or so, but that was not that bad for me, as I anyway mostly just use the Fedora website for that.
- In the end, you can get a whole container Fedora Workstation with
toolbox, which is another great idea as you can install and run software there as you want. Even GUI apps are possible.
When mentioning all the things I liked, I also have to say one notices that it’s still not finished. Most notable of course the missing flatpaks on registry.fedoraproject.org, as explained before, but also because you’ll always have these little things that do not really work yet:
- H264 is still an issue for browsers
- one should not dare to use a non-USB keyboard (layout) when installing, as you won’t be able to unlock your LUKS-encrypted volume anymore afterwards.
- Sometimes flatpak’s isolation will definitively annoy you. That’s good, because it shows it’s working…
However, it also leads to bugs such as that gedit cannot use my custom font.
Thankfully, though, as a dev you maybe need tools that may need to break the flatpak’s sandbox. And it is possible with the correct flatpak permissions. Good that I’ve already created my solution for Atom before already, so I could just re-apply it here, but it’s obviously not an “out-of-the-box” experience. However, people are discussion better solutions in the linked thread.
And I won’t count them as problems, but obviously also some other minor things are different and cause me to ask (stupid ) questions like where is
chsh for shell changing? and uhm, where is
One surprise was that Silverblue ships will really, really few GNOME apps. I know, this is by design and possibly not bad, but as a GNOME Workstation user it’s still surprising.
It was fun to find out all these GNOME apps I regularly use and install them. By doing that, you also notice what you don’t actually use…
I have no idea how that works, but what I really did not expect was that the flatpaks for GNOME Contacts and GNOME Calendar e.g. do have access to the GNOME online accounts! (the ones you add in the settings)
As such, just as with a regular Workstation, you add your account once, and applications can use it.
What I’d which would be a little more insight/permissions for the user, so they can actually check/notice/control when an application is going to access your online accounts. Otherwise a malicious flatpak could do bad things.
Same BTW for seahorse (the password/keyring management tool of GNOME). It just works™, even though I actually had to install this from Flathub, because – again – it was not available in the Fedora Regsitry.
So all in all, great job Fedora Silverblue Team!
I can only see this getting better, and hopefully applications will also be adjusted, so the flatpak isolation get’s stronger, so that there are no trivial sandbox escapes anymore. That said, the main security (and reliability) of that distro still comes from the fact that you can get vetted packages (aka flatpaks) from the Fedora Registry. Though that is the case for any (Fedora) distro, I’d not take this as given for a distro that ships flatpaks and installing software as flatpaks as a “first citizen” experience, because you could also just have put everything on Flathub.
What you’d loose then is the way packages are checked and IMHO this is a big part of a Linux distro and a big part of the criticism some people have against flatpak.
You, however, just combine the best parts of both traditional distros and distribution via “containers”
(flatpaks) in one distro, which is awesome!
All in all, it surprised me how similar the distro actually is, once you get accustomed to these “little” new underlying technologies. And the experience to just reboot your system and are in a new updated system is just a pretty cool one!