Summary of the discussion about Filter Fedora Flatpaks Atomic Desktops v2 proposal

Flatpak as a technology has a lot of cornercases

Getting into UI starts getting into the area of different opinionated interfaces.
We know there are differences in the UI between app stores.

There are other things we know..
We know open source forks are a thing… a federated platform like flatpak must anticipate that each of those forks has value and can potentially live inside the platform…

different UI stores will make opinionated choices on how to emphasize or de-emphasize the breadth and availability of soft/hard forks. There is a tension inherent in any federated platform. What is the best choice among peer variants of the same thing is fuzzy. And the best defaults are even fuzzier.

Which soft fork of the same application is the best one? Opinions will differ.. those different opinions will end up being expressed in UI choices that interact with platform features.

Oh, no, this is mostly solved. It’s been done in Arch and openSUSE, and bringing that to Fedora isn’t even that difficult. It’s just nobody has signed up to do the maintenance work for it.

Not sure it needs to be that complicated. Allow setting a priority list (can be as short as one) of the remotes you prefer. If names are not qualified with the remote, pick the first match going down the priority list?

Sorry, I am not entirely sure I understand the proposal. What I was thinking with my comment above is that, if installing a Flatpak app from multiple sources would ever be implemented, then the UI design of such a change in the affected software managers needs to be carefully done, as to not confuse the user.

However, IMHO, I don’t see such a change implemented in the flatpak tooling, or certainly not anytime soon, leaving the entities interested in this feature with the option to use different app ids. Not a nice user experience though.

Software centers are already multi-source aware, and already implement priority lists. GNOME Software doesn’t expose this to the user, while Plasma Discover does.

It’s pretty much how OCI stuff works, so Flatpak should at least work the same way as it evolves around OCI stuff.

Certainly. But neither GNOME Software, nor Plasma Discover allows installing the same app-id from multiple sources, and nor does the flatpak CLI tooling.

On a side note, while looking into the above mentioned software managers, I’ve noticed a design issue with GNOME Software, which I’ll probably have to report upstream, as for an app already installed it lets the user change the source and hit the Install button, which results in the obvious error message about the app already being installed, leaving the user with an unclear Cancel button.

I agree. But the resemblance is rather technical. From a user perspective, having multiple containers built from the same image is normal business, while having the same app installed from multiple sources is the exception.

This is my user-centric view on the matter, I’m well aware though that different target groups have different needs.

Hmm…
Along those lines..
Full linux containers as artifacts don’t have dependencies… so its not as simple as that.

Would having fully qualified namespace means applications on one remote can depend on runtimes offered on another remote? That would be very interesting.

Could we or CentOS offer platforms in our remote(s) that application upstreams served out of github depend on?

What does a future look like when individual upstreams not only take control of their flatpak binary outputs, but also take more control of their distribution channel for official flatpak outputs?

I keep thinking about a possible future… where flatpak is recognized as the defacto platform that encompasses not just bare metal linux desktop installs.. but also WSL2 linux environments… and github wants to offer a flatpak remote service as distribution channel primarily to serve those WSL2 environments (but would work equally well on all linux desktop environments).

That future definitely needs different UI, with a way to clearly designate “official” upstream releases because github’s remote would be a pile of soft forks (just like “traditional” full linux containers). For a future that encompasses WSL2 it might be the commandline tooling is sufficient UI.. it might mean an entirely different GUI than what either the two dominant rival native Linux desktop environments want as opinionated GUI. But I see that future out there…
And that future really puts an emphasis on what “official” upstream builds are.

Flathub sort of anticipates a version of that future. They have the verified concept. The subset stuff is a bit wonky because its not actually a set of independent tags.. its just a field I think… which makes it combersome to extend in combinatorical intersting ways efficiently. Which is why I think its hard for them to add a designation like “built from source” which is something we want to see and be able to apply abstract filters on. Again hindsight is 20/20. But because we are selves aren’t attempting to do any of the subset stuff in our own infrastructure we aren’t in a position to collaborate with flathub to help get to a more flexible subset concept that all remotes can implement.

The future we need to get to invovles taking the subset concept further and making it possible to filter in more abstract ways.

What are “official” releases… what are “official floss” releases… flathub has covered. I’m not sure the GUIs expose that yet… but the cmdline tooling has a subset filter concept that does. Which may be sufficient for the future that includes WSL2 environments.

What are “certified secure official releases that meet objective security criteria from such and such 3rd party” not a question that can be answered at present. And I’m not sure the subset metdata as I understand it is flexible enough to answer that yet. But that’s exactly the sort of thing I interpret some members of FESCO saying is needed. But we’ve got no skin in the game right now, because our remote isn’t doing anything with regard to subsets.

I want to hold us to the standards we say we want. I want to be able to stand up a fedora remote in such a way that we grade whats in our remote… and we build a working example of subset metadata that flathub can choose to take from us instead of us telling them what they should do. I want us to lead by example. Which means we need to give our Flatpak remote a mission that requires us to use subsets to expose grading on a flatpak package by package basis and requires the UI tools we put in from of users to expose the subsets in a way that is filterable. One such mission is security. We say we care about it, but we don’t actually have objective tooling that would allow us to say with specificity which flatpaks meet which objective gradable security criteria. We can make it the mission to work on that and to start tagging via an extended more flexible subset mechanism and start grading our own stuff. Then we can start using the exact same tooling and grade official releases in other remotes and put a stamp of approval on those as well in partnership in those remotes. We can just start with flatpaks we provide where we grade by which flatpak sandbox static permission overrides they use out of the box. That a security grading we can try to label in metadata… if we had the correct metadata. That’s something we could lead on.. and then partner with flathub and flatpak tooling. If the 3 and counting searchable flatpak GUIs don’t want to expose that…that’s their choice..GUIs get to be opinioned and get to differentiate from each other.

This is neither feasible nor desirable. Modern applications require consistency in their application IDs. The code is written as org.gnome.Mines, that is what needs to be used, we can’t just rename everything ourselves.

And I will remind you once again: if you substitute Fedora RPMs for Fedora Flatpaks and the statement still applies (as is the case for most of these supposed arguments), then why are you still singling out Fedora Flatpaks?

Sorry if this is obvious to everyone else, but what code are you talking about in the multiple layers. I am trying to figure out where a ‘fork’ of whatever code would have to happen for org.fedoraproject.Mines would occur if that is what is ‘wanted’ by others.

Use grep and Ctrl+H? Anywhere you see org.gnome.Mines, replace it with org.fedoraproject.Mines. Don’t forget all of the filenames, like icons, settings schemas, and appstream metainfo. Profit.

(It’s a waste of your time. Absolutely do not actually attempt to rename app IDs, not unless you are really doing a serious hard fork. But if you wanted to, that’s how.)

Probably make that a case-insensitive grep, because sometimes projects will use a different case for settings schemas than they will for everything else. Also, you’ll need to change the settings schema paths, which uses slashes rather than periods. Oh, and same for D-Bus object paths, if the project has a D-Bus interface.

Sorry, I wasn’t sure if the code was in the Mines source code, a flatpack repository, some third level which tied things together, etc. And from the fact that @jspaleta thought it was easy to change.. I am not sure he knew either.

Doing the git clone and looking at the code, this is hard coded into 2022 places just for the Mines and as @catanzaro says.. changing it would require a hard fork.

And again, as probably everyone else sees.. that makes org.gnome and org.fedoraproject useless items to ‘Federalize’ on since it is source code driven.

Uh, I think you counted the po files by mistake. It shouldn’t be 2000 different places.

But certainly it’s a bunch of different places, and definitely not intended to be changed.