I recently installed Fedora Atomic 43 and I have seen various programs in the default Fedora registry that are far behind what the developers release. For example, Fedora's last update for Pinta was 4 years ago and Flathub's latest release was 6 days ago. As for a security program like Secrets, I initially installed it from the Fedora registry, but I was given a warning in Fedora that the program is not being updated. I Googled what this means and it had to do with using old runtimes. I uninstalled it, got the Flathub version, and it is fine now.
I don't need the latest features, but not updating something in 4 years and using outdated runtimes with a password manager like Secrets does not seem wise for security. I am about to make Flathub the default for everything, but I was wondering if this is what everybody else is doing, or how does this work? Can packages get reported to be updated in the registry, or do you just wait and hope that one day they will update them when they have time?
There are different camps and big arguments about this.
There is no one-size-fits-all answer to security. However, if you are worried about security for a package that is 4 years out of date, I would say you have done the right thing in this instance.
If a package like “Secrets” is no longer being maintained, I would find a replacement program.
If you want to report a package to a maintainer, you can do so via bugzilla.redhat.com or by mailing the maintainer. You can find their details on the Fedora Packages page of the respective package.
The program is actively maintained by the developer; the old runtime problem is only with the Fedora registry because it has not been updated for a year. With Flathub it is fine.
Fedora Flatpak uses Fedora RPMs, so if a package doesn't have an active maintainer within Fedora then the Flatpak will also be out of date.
In this case, I'd stick to using the Flathub version.
In general, I tend to recommend disabling the Fedora Flatpak repo and sticking with Flathub Flatpaks, as I find I have fewer issues with Flathub, but this is a personal opinion.
I also prefer Flatpak apps from Flathub, but try to avoid non-verified apps.
As for Fedora runtimes, they are always up-to-date, since Fedora offers a new runtime with each release and points the apps to the latest runtime.
What happened with org.gnome.World.Secrets is that it got retired in F43, and therefore the available app in the Fedora remote is an old one which still points to the old F42 runtime:
Just to add that I looked a few days ago to see if Pinta had had any update and it hadn't in years. Maybe you just “got lucky” and looked for it just when they finally released a new version.
I don't know where you looked, but in the GNOME Software manager, if you go to Pinta, pick Flathub and click on Version History, you will see updates listed every few months: 7 days ago, 2 months ago, 3 months ago, 5 months ago.
To avoid opening another thread, I will ask here about the LibreOffice package. In the GNOME Software manager, Flathub tells me the version number, 26.2, but the Fedora registry only says “Version Stable”. Is there a way to find out what version it is without having to install it? It does not say how long ago they uploaded the program.
I looked at their website and tried to find the development repo.
Re. LibreOffice, 26.2 is the “stable” version and 25.8… is the “old stable” or something like that.
It's explained on their site. 26.2 is the latest but 25.8… is more guaranteed to have stable behaviour. When it reaches its end of life, then Fedora maintainers will package the next version, is what I suppose.
The 26.2 version is already packaged in the Fedora 44 repos. I doubt it will be coming to the F43 repos, so it will be available once F44 ships later this month.