From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
I feel like OP missed an opportunity to title this post “Fedora Flatpaks Fall Flat”
Great article, BTW
Great article, BTW
I disagree, the headline is clickbaity and implies that there is some ongoing conflict. The fact that the Fedora flatpak package maintainer pushed an update marking it EOL, with "The Fedora Flatpak build of obs-studio may have limited functionality compared to other sources. Please do not report bugs to the OBS Studio project about this build." in the end-of-life metadata field the day before this article was written is not mentioned until the second-to-last sentence of it. (And the OBS maintainer has since said "For the moment, the EOL notice is sufficient enough to distance ourselves from the package that a full rebrand is not necessary at this time, as we would rather you focus efforts on the long-term goal and understand what that is.")
The article also doesn't answer lots of questions such as:
Note again that OBS's official flathub flatpak is also marked EOL currently, due to depending on an EOL runtime. Also, from the discussion here it is clear that simply removing the package (as the OBS dev actually requested) instead of marking it EOL (as they did) would leave current users continuing to use it and unwittingly missing all future updates. (I think that may also be the outcome of marking it EOL too? it seems like flatpak maybe needs to get some way to signal to users that they should uninstall an EOL package at update time, and/or inform them of a different package which replaces one they have installed.)
TLDR: this is all a mess, but, contrary to what the article might lead people to believe, the OBS devs and Fedora devs appear to be working together in good faith to do the best thing for their users. The legal threat (which was just in an issue comment, not sent formally by lawyers) was only made because Fedora was initially non-responsive, but they became responsive prior to this article being written.
I can confirm, I really missed the opportunity
You can edit the title...
IT'S OVER, MAN. YOU HAVE TO LET IT GO!!!!
The issue is that they are pushing their own version of flatpaks, some of which are broken, instead of contributing to flat hub and making that the default.
That wouldn’t work. Flathub and Fedora Flatpaks have different goals.
Fedora Flatpaks must meet legal requirement set by Fedora, so no proprietary or patented software.
Flathub also encourages upstream to maintain their packages. But upstream may not meet the security requirements set by Fedora. Fedora has much stricter packaging guidelines which don’t permit vendored dependencies.
That honestly doesn't sound like a bad mission, but it seems like there's a couple other requirements they should impose on their mission and then there wouldn't be any controversy.
They should require that their package works as well as the upstream, and, in the even that it doesn't, they need to be very blatant and open that this is a downstream package, and support for it will only be provided by Fedora Flatpaks, and that you may have better results with the official packages.
The primary issues in this case is that it doesn't work, and it's not been clear to users who to ask for help.
Ah I'm glad to see the situation seems to have cooled a little.
See this comment and the three following, as well as this one and the two following. I think they can now work it out between the projects reasonably.
PS: This more fundamental proposal for Fedora Workstation that started from the OBS packaging issue is also interesting to read. It seems they are looking to make more limited / focused use of their own Flatpak remote in the future since some old assumptions regarding Flatpaks and Flathub don't hold so well anymore.
What is the lesson we can learn here as stated by the author of the post?
A messy situation but hopefully one some lessons can be learned from.
There is no info why packaging failed. I can't draw any obvious lesson from this post
The lesson is that Fedora Flatpak Repo needs to fuck off. It's an anti-pattern to have an obscure flatpak repo with software that is packaged differently from everything else.
The entire point of flatpaks was to have a universal packaging format that upstream devs could make themselves, and Fedora is completely undermining it.
And Fedora Flatpaks are universal, they work on any distros.
Flatpak by design allows you to install Flatpaks from multiple stores. The fact that snap only allows one store is a common criticism of snap.
Fedora Flatpaks were created because Fedora has strict guidelines for packages. They must be FOSS, they must not included patented software, and they need to be secure.
Flathub allows proprietary and patented software, so not all Flathub packages could be preinstalled. And if a Flathub package was preinstalled, it could add proprietary or patented bits without Fedora having a say.
Flathub packages are also allowed to use EOL runtimes and include vendored dependencies that have security issues. Fedora does not want this. Fedora Flatpaks are built entirely from Fedora RPMs so they get security updates from Fedora repos.
They work on other distros... if they work at all. If those "strict guidelines" are resulting in flatpaks like OBS and Bottles, which are broken and the devs have tried to get them to stop shipping, then I'll pass on Fedora flatpaks.
I dont criticize Flatpaks for allowing alternative packaging sources. I criticize Fedora for sneakily (whether intentionally sneaky or not) setting their broken flatpak repo as the default, leading to a bunch of confusion by Fedora users that don't know they're actually using different, sometimes broken, packages from everyone else.
The uBlue downstreams of Fedora know this, and they have the decency to present the user with that information upon installation. So thankfully, their users don't end up wasting their time with problems that Fedora introduced.
Honestly, that sounds great.
My biggest problem with Flatpak is that Flathub has all sorts of weird crap, and depending on your UI it's not always easy to tell what's official and what's just from some rando. I don't want a repo full of "unverified" packages to be a first-class citizen in my distro.
Distros can and should curate packages. That's half the point of a distro.
And yes, the idea of packaging dependencies in their own isolated container per-app comes with real downsides: I can't simply patch a library once at the system level.
I'm running a Fedora derivative and I wasn't even aware of this option. I'm going to look into it now because it sounds better than Flathub.
Why don't you like fedora flatpaks?
Among other reasons, Fedora ensure that apps get a flatpak. Imagine there was no official flatpak, fedora would've made one. Just like fedora ensures that there are native ways to install it via dnf. On atomic distros, you want to use flatpaks very often. Hence it makes sense to package apps via flatpak.
Fedora ensures that there is not additional code in the app kind of like fdroid on phones.
Anyone can make flatpaks, not just the main dev.
I answered most of this in the other thread, but I am aware that anyone can make flatpaks. What I meant is that flatpaks were supposed to make it easier for devs to get their software to end users by allowing them to not have to worry about distro-specific packaging requirements or formats.
But when someone else takes it upon themselves to make broken flatpaks, ones that you've requested they stop doing, now they're making things worse for everyone involved and should be considered a hostile fork and treated as such.
Obviously, the best solution is that the gets settled out-of-court. However, Fedora has had a long time to listen to the OBS devs' request to stop packaging broken software, so maybe they won't listen to reason.
Fedora needs to get their heads out of their asses and kill the Fedora Flatpak repo.
Is there any merit to the claim OBS is using an end-of-life (EOL) runtime and that this is a very bad thing for security?
OBS continued using the EOL runtime because of Qt regressions introduced in the updated KDE runtime. The OBS team decided the security risk of sticking to the EOL runtime was small, so they didn't update.
But that still does mean that users were no longer receiving security updates. Ideally, OBS should have moved to the standard Freedesktop runtime and vendored in the older Qt dependency. That way, the they would still be receiving security updates for everything in the Freedesktop runtime. Then once the regressions were fixed, they could move to the updated KDE runtime and remove the vendored Qt dependency.
Overall, the risk OBS had was small. But it demonstrates a larger issue with Flathub, which is that they don't take security as seriously as Fedora. There are hundreds of flatpaks in Flathub that haven't been updated in years, using EOL runtimes and vendored dependencies that get no updates.
It's important to acknowledge that nothing is completely secure.
I didn't know this was an issue for OBS because I'm not experiencing any problems nor am I seeing anyone else.
I think you might find this comment by one of the OBS upstream devs interesting:
https://pagure.io/fedora-workstation/issue/463#comment-955899
Fedora's opinion seems to be that upgrading is always the right choice, which we disagree with.
Ugh, I'm glad people are willing to fight back against these kinds of assertions.
Regardless of who is right, facilitating and encouraging this kind of discourse is how we end up with better software for everyone.
thanks!
Totally forget that I still was in fedora's flatpak repo until the news dropped. Took the opportunity to remove and replace it with flathub.
inb4 Iceweasel