Hey, so let's talk about it.
I'm going to firmly put my Fedora Project Leader hat on my head right now, so everyone is clear that I am speaking as the Fedora Project Leader…
First let me say that I've been unable to talk about Flathub specifically for the last 3 months or so, because I found a very significant copyright license violation problem with the flatpak runtimes they host while I was attending GUADEC in my capacity as a GNOME Advisory Board member. I spent some amount of time communicating quietly through back channels, with the goal of making sure that problem got fixed, and tried to make sure everyone involved felt like they had space to get it solved without feeling like I was going to throw them under the bus publicly for making a mistake with license compliance.
If I had wanted to have an actively hostile relationship between Fedora and Flathub, I would have made my findings public and dragged them for 3 months on social media while they sorted out the problem. I could have stood up in front of the entire collected group of GNOME developers and made some very opinionated statements that would probably have torn the relationship asunder for years. I didn't. Nor did I slink away to the relative safety of social media to outrage-farm at their expense. I didn't. Instead I had some quiet conversations with people in positions to effect change, got them to acknowledge the problem existed, and gave them my assurance I would give them the time to address it… because mistakes happen, and it's important to get them addressed.
Sometimes, a lot of the time, playing nice means having quiet conversations about the difficult topics instead of pulling out the eye-poking stick at every single opportunity and jabbing other people in the eye publicly. I definitely poked some people in the eye, but I did it in private, in an effort to keep future opportunities open. So when you make a call for playing nice… know one thing… I have been.
There are more things I'm going to be doing in my capacity as a GNOME Advisory Board member that will involve playing nice in a similarly less public capacity. But now that Flathub has made a public statement about the license compliance problem I found and reported, I'm able to play nice in public now too. If you want me to talk more about the details of the compliance problems I found, I'm happy to, now that they've made a public statement and addressed them. From my point of view, they've made progress and there's more to be done. Talking about it publicly specifically to score points off of them is explicitly not something I'm interested in doing.
Moving on… let's talk about Fedora flatpaks. I would love nothing more than to be able to make the case that Fedora can set aside this work and stand up Flathub as a trusted partner, but here is what I need in order to do that.
- I have to have a way to address the inherent liability associated with license compliance, from a distributor's point of view, for any flatpaks that Fedora pre-installs as part of any composed images. The 3 months it took for Flathub to address the compliance problems I found this summer puts an exclamation point on this. I can't live with a response time like that for the runtimes that multiple applications depend on. I know the leaders of other distribution projects have come to the conclusion that they can live with it, but Fedora can't. If you can't respect the self-assessment that Fedora has a higher risk profile than either Flathub or other projects that depend on Flathub, then I don't really know what to tell you… you're gonna have to agree to disagree on that. If you do accept that Fedora has a higher risk profile for the liability associated with license compliance and you still think Fedora can shut down its own flatpaks in favor of Flathub, you're gonna have to explain to me how that's gonna work the next time there is a compliance problem at Flathub and it takes them months to fix.
If Flathub fails, for whatever reason, to address acknowledged license compliance issues within a certain timeframe (one that we need to come to agreement on), Fedora, as a downstream distributor, needs to have an out, where Fedora can take control and address the compliance risk by issuing replacement flatpak builds under Fedora's control. Every distributor makes its own risk assessment, and it really doesn't matter if other things out there feel comfortable baking Flathub flatpaks into their images; at the end of the day, Flathub isn't a liability shield for the license compliance risk to Fedora for things baked into Fedora images. This is my top priority to solve. If there is no other workable solution to the liability problem, Fedora has to keep building and distributing its own flatpaks.
I can't stress this enough… license compliance isn't like security issues. We live in a no-warranty world, and while security issues are problematic for users and have reputational damage associated with them, there is no actual legal liability at present in not addressing them. The CRA (the EU Cyber Resilience Act) may impact that assessment soon… but not yet.
License compliance is sort of the exact opposite. Users generally don't care (a few do), but there is legal liability for Fedora as a distributor, and I as FPL have to take that into account. And the only way right now that I see is that Fedora continues to build the flatpaks for anything it wants to preinstall into deliverable images. We don't have to build them the way we are building them now, but we may still have to build them if we distribute them, to ensure we can mitigate our own liability. Give me another option to address the inherent liability associated with license compliance that doesn't make the Fedora project wait 3 months for Flathub… which is frankly unacceptable.
- Fedora needs flatpaks on architectures that Flathub doesn't support. This will likely become more pressing in the near future, because we may end up in a world where we have deliverable RISC-V desktop-like bootc environments ahead of Flathub servicing RISC-V. We already have some differences for ARM that make depending on Flathub difficult, because Flathub lets individual projects choose which architectures they support. Flathub is allowed to do that, they control their policy, but that creates gaps for Fedora users on anything but the x86_64 arch… sometimes in places that are quite noticeable. I have no idea how to fix that other than having Fedora build its own flatpaks. RISC-V enablement puts significant pressure on Fedora to keep building its own flatpaks.
Personal opinion…
Part of the problem here is that flatpak as a technology is way more expressive as a command-line tool than how it is presented to desktop users. I can actually prototype some interesting examples using the command-line tool that don't translate to the desktop user experience right now.
I think what's really needed here is some acknowledgement from the UI developers that some compromise is needed to surface flatpak capabilities to users in some different ways. There may be a way out of some of this using flatpak's installations concept, but it's not surfaceable to end users right now… or at least I don't see how to.