Re: DJ Ware, Is Fedora 42 safe?

A large portion of packages on flathub are directly supplied by the developers of the software themselves. It’s easy for them because in this way they can then provide their software to a large number of distros/users at the same time, and they can provide updates whenever it’s needed – this includes important security updates. All steps in the build process are open source and can be checked not only by you, but by thousands of other users. The community has a role in keeping an eye on things.

In the case of distro-built packages there is always a delay before vulnerabilities can be addressed and distributed to the local repos. Regularly Fedora RPMs are weeks or months out of date, and sometimes the upstream repo is a dozen releases or more ahead of the local repos. Again this may also include vulnerabilities that were addressed by the developers.

It does not make sense to not trust the upstream developer to provide a safe and well working flatpak, but instead only trust a random Fedora packager who pulled the same code from github, compiled it into an RPM and pushed it to a repository.

Flatpak infrastructure feels like a 3rd-party app store on-top of the distro’s. I don’t entertain those on mobile, and barely entertain RPM Fusion. Everyone uses Flathub, which makes it appealing for malicious actors.

Flatpak all-sides is used as a convenience. Convenience doesn’t usually go well with security. And apparently Flatpaks can be done wrong (OBS Studio ordeal).


I get the issue Flatpak tries to solve; I don’t like that everyone’s taking the easy way out of the mess.

Windows apps are on Windows. Everything mainstream and worth using has a Windows exe. OBS Studio direct from the dev comes in a double-click exe.

Valve with Steam and OBS Studio support Ubuntu directly. Anything on Linux likely was tested on or works on Ubuntu. But everyone not using Ubuntu has some reason not to be using it, hence every-other-distro-and-forks.

Nobody can decide on a standard (Windows exe/msi, macOS dmg/pkg); there’s deb, rpm, apk, AppImage, and folders with extension-less binaries in folders inside tar.gz. And everyone wants their software used everywhere. Flatpak is the easy solution by bolting on another package manager, and putting everyone in FlatHub’s giant repo. Good luck anyone not into developing within FlatHub.


Not really related to DJ Ware, but I don’t like Flatpak :stuck_out_tongue:

I do have the opposite opinion. I think there are good chances the “developer” is NOT the real developer or she/he is a hostile actor. Having somebody checking stuff before it comes to me is the only reason I need a “distribution”. Yes, it could be the opposite, meaning the “developer” is the good guy and the distro maintainer is the bad guy. But in this scenario only the distribution users are affected, instead of the whole world AND I don’t use “one man” distributions so I expect bigger organizations to check the people who work inside them.

That said, I repeat.
From the user perspective flatpak does not provide any advantage besides updates.
ANYTHING ELSE is a disadvantage.
It makes no sense to install a flatpak when I am given the option of APT or RPM.
“native” applications work better, bring less bloat, aren’t “isolated” from the system so I don’t get any permission/access problem.

Somebody said about the issue flatpak tries to solve. Those issues are not MINE, they are somebody else’s issues. The idea is to move those issues from them to me. :slight_smile:

Let me quote Adam Williamson (Fedora QA):

we are a project that allows 1,601 minimally-vetted people to deliver arbitrary code executed as root on hundreds of thousands of systems

Similar things could be said about many other distros as well.


Minimally vetted is still better than “nobody knows who XYXOR23 is”, plus, at some point it seems we are playing a sort of game here, IF some Fedora maintainer is a bad guy, only Fedora users are affected, not the whole world. AND, again flatpaks are worse for everything but updates. Sorry for the repetition but it looks like it is needed.