Packaging desktop apps in the Flatpak era

Hey!

I’m a packager and maintain a few (not many) packages. Some of them are system libraries; those are, no wonder, very important to get packaged.

I was wondering, if there is a desktop app available as flatpak, how much is it worth the “hassle” to maintain a Fedora RPM package for it? I’d need to create a specfile, get it reviewed, maintain releases and updates in several distro branches. (And I’m lucky if it’s not an Electron app because those are as I see nearly impossible to get packaged according to the guidelines.)

But, how much added value is out there for end-users? In GNOME Software, I bet almost all users have Flathub enabled and lots of desktop software is available there, ready to use.

Other package maintainers, what do you think about this, about your efforts as a packager? Is it worth packaging for the smaller package size alone?

Thanks for sharing your opinion or feelings about this topic!

2 Likes

I am a (small time) packager maintainer too,
I do not have GNOME Software installed,
but I do have Flathub configured.
I have only ever installed Flatpaks if something is not available as Fedora rpm.

Smaller install size is a factor.
Also I do not really understand how Flathub packages get updated,
so I have more trust in software that is in Fedora repositories.
So for me, there is value in having apps as Fedora rpms.
For instance, if something is not correct in a Fedora rpm,
I can file an issue,
and if that does not help,
I can invoke the nonresponsive maintainer policy and fix things myself in the end.
I have no idea how that would work in Flathub,
my assumption is that I could do nothing.

That said, mostly my setup is what it is because of inertia.
I have run my setup like this for a long time already,
and I have not seen a compelling reason to switch to a “Flatpak first” setup.

4 Likes

My first thought is still always to package the rpm and get it reviewed—specifically because then I know that the tool has been packaged correctly. Frequently the review brings up bits that we discuss with upstream, file bugs and send patches about, and that helps us improve the software too. My use-case/maintenance focus is also NeuroFedora where we want to build lab images, so for that the software must be packaged in Fedora anyway.

I do like FlatHub and for a few tools that we haven’t yet got in Fedora (electron apps I think, as you mentioned) I do use it, but I’m:

  • not completely aware of its review guidelines and how they compare to Fedora’s (my current impression is that they’re quite loose or at least less strict than the Fedora guidelines).
  • not always sure which side I stand on when it comes to allowing proprietary software for convenience—I’m still more on the side of educating users about FOSS, and I think the way FlatHub etc. function at the moment skips the education part? I think gnome-software’s UI has improved now to put more information about what is community developed etc. so that’s good to see.

Finally, a community/social/branding nitpick is that FlatHub is not Fedora. If I put something on FlatHub, I can’t tell my friends/users that “it is available in the Fedora repos”—it’s available on FlatHub. I don’t think most users care, tbh. FlatHub is doing really well in making the Linux desktop more usable. So I’m very grateful for that. We can’t have any FOSS education if folks aren’t using FOSS in the first place.

3 Likes

+1 on this. From what I understand, Flathub is moving in a direction of the developers themselves maintaining the app and pushing out updates. The pros are a more direct connection with the user and faster updates, but you also lose that review process that comes with apps that are from your distro’s repos. If you trust the developer then it’s not a problem, but being on Flathub doesn’t come with the same security expectations because of the looser guidelines.

That being said, flatpaks do have that containerization, and if implemented correctly it could nullify part of the security concern that there isn’t a third-party reviewing the package. I think this will improve over time, but even as it stands that could balance out the security concern enough.

For me, I like using Fedora RPMs first and then flatpaks if they’re not available in Fedora’s repos. While the packaging format may not have the containerization of flatpak, I know that a third-party looked at it as well as the developers and whatever community surrounds the app. That makes me feel better.

Maybe the thing to keep an eye on is the standards that Flathub requires. If the Fedora community thinks that those standards are on par enough to not worry about packaging certain applications, whether today or in the future, that could be how decisions are made at least for certain apps.

I guess one of the competing points is between wanting the security of Fedora’s review process but also dealing with the redundancy of a separately maintained flatpak.

2 Likes
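Added example, not part of any post in this thread: the post above says the sandbox only offsets the missing third-party review "if implemented correctly", and one concrete check is whether an app's declared permissions leave the sandbox intact. The list of broad grants, the sample manifest and the function names are assumptions chosen for illustration.

```python
import configparser
import subprocess

# Assumed, illustrative policy (not Flathub's or Fedora's): grants that
# leave little of the sandbox in place.
BROAD = {
    "filesystems": {"host", "home", "host-os", "host-etc"},
    "devices": {"all"},
    "sockets": {"x11", "session-bus", "system-bus"},
}
# Talking to this D-Bus name lets an app ask the host to run commands.
ESCAPE_BUS_NAMES = {"org.freedesktop.Flatpak"}

# Constructed sample in the keyfile format printed by
# `flatpak info --show-permissions <app-id>`.
SAMPLE_LOOSE = """[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=home;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""

def broad_grants(text):
    """Return the permissions in `text` that match the policy above."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # D-Bus names are case-sensitive
    cp.read_string(text)
    findings = []
    for key, risky in BROAD.items():
        raw = cp.get("Context", key, fallback="")
        for item in filter(None, raw.split(";")):
            # "home:ro" still exposes the whole home directory for reading
            if item.split(":", 1)[0] in risky:
                findings.append(f"{key}={item}")
    if cp.has_section("Session Bus Policy"):
        for name, policy in cp.items("Session Bus Policy"):
            if name in ESCAPE_BUS_NAMES and policy in ("talk", "own"):
                findings.append(f"session-bus:{name}={policy}")
    return findings

def audit_installed(app_id):
    """Run the same check against an installed app (requires flatpak)."""
    out = subprocess.run(["flatpak", "info", "--show-permissions", app_id],
                         capture_output=True, text=True, check=True).stdout
    return broad_grants(out)

if __name__ == "__main__":
    print(broad_grants(SAMPLE_LOOSE))
```

An empty result means none of the grants in this example policy are present; it does not say anything about the quality of the packaged code itself.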

Yes, right now, there aren’t many standards required by Flathub, their requirements page is pretty short, especially when compared to Fedora’s packaging guidelines. 🙂

But how much do end users realize from that, apart from maybe that all software is libre in Fedora? Are all users so conscious about their choices? I only discovered the bar of quality and curation offered by Fedora after becoming a packager and reading the packaging guidelines.

3 Likes

I’ll go a step further and argue that the more mainstream a user is, the less they even know what a package is. I only learned what packages are after getting into Linux. I didn’t realize there were different formats, just that apps had to be developed for specific operating systems.

I don’t think that mainstream users care either way what kind of package it is. They just want to use an app and will go with whatever works or seems cool. I also think that many knowledgeable Linux users are fine enough with flatpaks that they wouldn’t care either.

However, part of the draw of using Linux and open source is the idea that these apps are regularly vetted. At least, that’s what’s most important to me in this discussion. An app on Flathub is reviewed by the developer and their community. An app in the Fedora repos is also vetted by our packagers and review process (thanks again for that). If packaging fewer apps means using less vetted apps, I think that’s the real tradeoff that should be considered.

But also this isn’t a zero sum situation either. There are factors that can be taken into account to decide whether some apps can be dropped or not. We don’t have infinite time and manpower. It’s a matter of degrees more likely than not.

3 Likes

I think there are two aspects being discussed here.

#1: Who is your software vendor (distribution vs. developer)?
#2: How is the software packaged (rpm vs. flatpak)?

Re #1:
The danger I see is that flatpak technology is so well integrated in Fedora Linux that with one click you can install software from flathub without realizing that you are leaving the distribution - the distribution that you trust and that is marketed as being secure. I see some potential for bad reputation here.

Trusting your distribution is one thing, but trusting an individual publishing software on flathub is a totally different thing.

In the upcoming age of flatpaks, in my opinion, distributions need to make sure that they remain distributor of reviewed software (no matter if rpm or flatpak or deb or snap) and that packaging and publishing of software is not “outsourced” to the developers.

What happened in the past with malicious packages in npm, PyPI and other software stores can happen, and over time will happen, to flatpaks on flathub. I have no doubt.

Re #2: there are pros and cons for both, widely discussed before.

So, coming back to the initial question…

…package as much software as possible for Fedora repos, so the distribution stays strong and people don’t have to leave their web of trust and download non-reviewed apps from flathub or elsewhere just because it’s more convenient.

2 Likes

I 100% agree and stand behind this approach.
One of the initial reasons I adopted Fedora Linux over others was simply because every package they have in their repo I can review the code of, the same cannot be said of all Flatpak apps available at Flathub. Another reason I adopted Linux in general was due to being manipulated and controlled by the OS vendors, on how I could use my system, which in my case is my own business IMO and not the OS vendors’ or even the hardware manufacturers’. Over the years of my experiences with PCs (which began in 1984 building Mac clones then IBM PC clones from the board level), the one true constant has been that the for-profit OS vendors are not interested in open source beyond what they can monetize out of it. This is not the FOSS way or Fedora’s way.
What Fedora Linux brought to the FOSS table IMO was (initially) a very well curated set of core packages that provided a working linux distro OOTB. By that I mean even in the beginning Fedora was usable OOTB, while others had more “Bells and Whistles” exposed, they also seemed to break on me more often. Plus Fedora has been secure for me and is still a leader in distros for SELinux being baked in.

Really the value is in the chain of trust that you get from the Fedora repo, and the project by being able to audit the code yourself, being able to verify that the code you’re downloading is valid and tested. Even if you are not literate in the programming language, the packager is a fellow Fedora Linux user and is likely around the community discussion area and able to be approached. I really think if you review the packaging guidelines you will see the value in Fedora packaging process.

4 Likes

I think it’s worth remembering that Flatpak != Flathub. Let’s remember that Fedora has its own Flatpak remote. This should address the chain of trust issue. I would love to see more apps available via Fedora’s remote.

There are other issues with this though - packagers would “need” to package both for Fedora’s remote as well as Flathub, if they want the widespread visibility that Flathub provides. Secondly, and maybe more importantly for maintainers, the Fedora Flatpak packaging workflow seems to somewhat rely on both rpm and Flathub, though I don’t know to what extent those are hard requirements.

4 Likes

And in fact it’s possible that GNOME Software will present the Flatpak option as the default, even when distro packages are available. A user who isn’t aware of the difference will just see a search result that looks like what they wanted, and click ‘Install’.

2 Likes

Agreed.

Fedora packaging is done the way it is for various reasons but fundamentally it revolves around the very real need to be able to build everything from source. Fedora flatpaks generally start as RPM packages, made modular, then into flatpaks. The RPM state and modular state get tested through the normal tests for Fedora Linux since they have been around for some time. I am not remiss in saying the Fedora flatpaks get tested, but I don’t know any details of those tests at present. Also worth noting is the Flatpaks from Fedora are meant to run on the Fedora Flatpak Runtime, so a runtime built specifically to work best with your Fedora Linux.

Top right corner of the Gnome software app will show you what repo you are looking at for the particular app you are about to install, it is there you can select the source, Flathub/Fedora/RPM repo.

3 Likes

Indeed, but that requires that the user be aware that there are multiple options in the first place. When I first experienced this I wasn’t even aware that Flathub had already been enabled on my system.

1 Like

This is something upstream (Gnome) should be aware of in their issues as a needed feature request. You should submit an issue with your experience to help raise awareness there.

I can honestly say that I only get access to flathub’s remote AFTER I add it, so it wouldn’t have been enabled unless you either did it manually at the command line, or enabled third party software in Gnome Software, or installed it via the Flathub website with the available Fedora Linux installer. Gnome SW will have the Fedora Flatpak repo enabled OOTB though, so maybe you meant that one.

1 Like

Sorry, yes, I meant Flathub when referring to “Flatpaks” even though they are not the same. I know about Fedora Flatpaks, but from my perspective they are the same as distro RPMs, just in a different package.

I personally also prefer RPMs due to speed and size, but it’s hard to beat Flathub when it comes to app availability.

I agree about that! What really stands out for me is that for example I just can’t find any examples of Electron apps being packaged for Fedora (or documentation on how to do so). I’m not sure if it’s impossible to get right according to the packaging guidelines or if it’s just very challenging, but these days, I’d say about at least a quarter of all Flathub apps are Electron apps.

The other day I was looking for a productivity/todo app and half of what I found were Electron apps. What’s the status of packaging apps like these in Fedora?

I’ve started packaging some of my FOSS games for itch.io. While I prefer rpms in Fedora, I would like all Linux users to be able to play the game. They can compile it from source but most won’t. Packaging something to run on multiple linux distros is hard. Right now I build on an old Fedora VM which has libgamerzilla but that won’t support Debian because the C library is too new on Fedora. I would need to build with an even older distro and build libgamerzilla for it. Flatpak is probably the best solution to this problem but I haven’t tried it yet.

2 Likes

I don’t know what the current status of Electron is but I think it was the use of binary dependencies etc. that makes it quite a task to unbundle. I remember seeing this thread though, so perhaps there is some progress:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Q4ZYYBTEP2ODUI6KV77JUOB4QZG2BTPD/

I am not a package maintainer but a regular Fedora Silverblue user, I did not realize that there is that big a difference in guidelines. I usually try to install everything as flatpak when it’s available and preferably from flathub and hope that it gets more attraction in the future by all main distros. My hope is that the maintainers can unite and share the maintenance work between distro maintainers (this was my naive thinking I guess).

When there are concerns about the trust chain and review process maybe on the flathub site a feature needs to be implemented like “verified by flathub core team” or something similar? Like a sign that the app was reviewed by a high-quality process.

My personal opinion is that the regular users would benefit more from flatpaks distributed via flathub.