Post AaDVI1wwBqHync3t20 by alwayscurious@infosec.exchange
Post #AaBUwZXAFskwGvr2lk by alwayscurious@infosec.exchange
       2023-09-26T19:26:02Z
       
       0 likes, 0 repeats
       
       The era of “get everything from your distro repository” is over, at least for desktop applications.  Upstreams aren’t willing to wait on downstream distributions to ship the dependencies of their software.  Why should they?  Nowadays, they can just ship a flatpak on their own authority, include whatever dependencies they want in it, and do their QA on the same binary that end users will use, running in the same environment that end users will run it in.
       
       Is this a good thing?  For upstreams, it is.  For end users, it is good if (and only if) the upstream uses secure dependencies and keeps them up to date.  For sysadmins who need to know every single piece of software installed on their system, it is a bad thing.
       
       However, such sysadmins generally work for companies that can (and should!) pay for commercial support contracts.  That avoids expecting volunteers to do compliance work for free.  In fact, it could be a useful revenue source for upstream projects!
       
Post #AaBUwaA9utwqDs6BY8 by alwayscurious@infosec.exchange
       2023-09-26T20:06:23Z
       
       0 likes, 0 repeats
       
       This isn’t a case of flatpak = good and distro package = bad.  Rather, it is an indication that the huge amount of QA work needed for complex desktop applications is difficult to automate, and that debugging problems one cannot reproduce locally is nearly impossible.
       
Post #AaBUwakfj99g37BLSi by amgine@mstdn.ca
       2023-09-26T20:49:40Z
       
       1 likes, 0 repeats
       
       @alwayscurious For my workflows, every flatpak I have used has failed disastrously at one point or another. I do not use many; down to two.
       
       For the 'upstreams' who have abandoned making it possible, let alone easy, to compile locally - the instant that fails I am without any recourse.
       
       When a repo is behind the times, I have options like compiling it myself, finding another repo, downloading it directly.
       
       You see flatpak as a solution. I see it as a single point of failure. Both right.
       
Post #AaBVJwe0UuCSblCT6e by tyil@fedi.tyil.nl
       2023-09-27T06:51:10.482Z
       
       0 likes, 0 repeats
       
       @alwayscurious@infosec.exchange Sure, QA work is hard, but that's exactly why you want to keep the distro maintainers in the loop, they are a big part of QA. If you leave it up to upstream they'll do a piss-poor job for only their own machine, package it in Flatpak and call it a day. The distro maintainers are exactly the ones who will be telling them "yeah this isn't gonna work, you need to fix $whatever before I'm going to package this".
       
       Every time I look at #Flatpak (and similar systems like #Snaps or #AppImages) I am just confronted with low-quality garbage that no sane person would want.
       
Post #AaCWYQaCHH5ocwqck4 by alwayscurious@infosec.exchange
       2023-09-27T16:52:28Z
       
       0 likes, 0 repeats
       
       @tyil Who is going to pay for all of that extra work?  Upstream developers can spend their own time, working around downstream limitations, dealing with bug reports that should have gone to downstream package maintainers, etc.  Or they can just ship a flatpak and say that everything else isn’t supported.
       
       This is not a technical problem.  Whether a flatpak or a distribution package is technically better is irrelevant.  What is relevant is that many of these projects are developed by volunteers, and these volunteers choose Flatpak and Flathub because it is what works best for them.  And they are the only ones who have a say in these decisions.
       
Post #AaCWYRRj4FuXIxtNB2 by tyil@fedi.tyil.nl
       2023-09-27T18:39:43.008Z
       
       0 likes, 0 repeats
       
       @alwayscurious@infosec.exchange
       
       > Who is going to pay for all of that extra work
       
       All that "extra" work is already done. Who's paying them now? Not everything in life must always come with a financial benefit. This kind of thinking is a big reason as to why modern tech is such a hellscape.
       
       > Upstream developers can spend their own time, working around downstream limitations
       
       Which they don't, which is why they don't want to cooperate with downstream maintainers and rather just bundle all their garbage into a #Flatpak and call it a day.
       
       > Or they can just ship a flatpak
       
       They can, and you, the user, will have an inferior and ridiculously insecure experience. It doesn't run on your PC? Tough shit, the developers don't care about you or your situation.
       
       > This is not a technical problem
       
       I would agree here somewhat. The problem is the ridiculously low standards of developers these days, combined with a massive ego problem where everyone who can write garbage-tier Python or Javascript thinks they're a literal god for writing software.
       
       > What is relevant is that many of these projects are developed by volunteers,
       
       Whether you are paid or not for low-quality software hardly matters. Doing it for free doesn't magically turn your code into a better quality version of it. The type of package is irrelevant to some degree, but the QA process around it most definitely is. You're arguing to completely drop any and all QA because those poor devs (who do it for free!) are being told to not fuck up all the time.
       
       > And they are the only ones who have a say in these decisions.
       
       Sure, they can do whatever they want. But this will result in them being laughed at and never taken seriously, when they could just write better software and let the distro maintainers package it.
       
       A good software repo is easy to package for maintainers, and such packaging is rarely done by the software developers of the package. You're somehow pretending that the software devs should also make all the packages for all distros, which is simply not how packaging works most of the time. The distro maintainers do that, and they ensure a certain level of quality for all packages, so that the distro users are guaranteed that the software works well and doesn't do anything stupid (depending on your distro, of course). This is a good system that improves the quality of the software.
       
Post #AaDVI1wwBqHync3t20 by alwayscurious@infosec.exchange
       2023-09-28T05:59:38Z
       
       0 likes, 0 repeats
       
       @tyil Insulting upstream developers is neither constructive nor acceptable.
       
Post #AaDVI2hNPBR57dmyPo by tyil@fedi.tyil.nl
       2023-09-28T06:00:15.640Z
       
       0 likes, 0 repeats
       
       @alwayscurious@infosec.exchange "Yes I'm just going to be upset now because I have no arguments".
       
       Ok.
       
Post #AaFepublHPifmNJ7mi by alwayscurious@infosec.exchange
       2023-09-28T20:41:40Z
       
       0 likes, 0 repeats
       
       @tyil I still think you are missing the point here.
       
       Suppose maintainer A maintains desktop application Z.  Z depends on a recent version of library L.  However, Debian stable and the most recent Ubuntu LTS only ship an old version of L, causing Z to break.
       
       A’s options are:
       
       1. Do not support Debian stable or Ubuntu LTS, and lose out on a large number of users.
       2. Change Z to support the old version of L as well.  When this is possible at all, it is likely to be very uninteresting and tedious work.
       3. Try to get a new version of L included via backports.  This is a bunch of extra work for A, and might well cause problems for A’s users because other programs or even parts of the system might require the old version of L (and be incompatible with the new one).
       4. Bundle L and support everyone, without any workarounds needed.
       
       In this situation, many maintainers will pick option 4 every single time, unless someone is paying them to pick one of the others.  It’s the only solution that allows many people to use their product and does not require them to perform a lot of unpaid, uninteresting labor.
       
       This is not a result of “ridiculously low standards” or “a massive ego problem”.  It is a result of the extreme difficulty of supporting many different Linux distributions without bundling dependencies.
       
       To be clear, Nix and Guix provide every single one of Flatpak’s advantages except for sandboxing, and provide much better visibility into what one has installed.  However, neither Nix nor Guix is accessible to the average user, whereas Flatpak is thanks to various GUIs.  Most distributions don’t have Nix or Guix packaged, whereas Flatpak is packaged by a huge number of Linux distros.
       
Post #AaFepvJMfIb7xbhwkS by tyil@fedi.tyil.nl
       2023-09-29T06:56:35.931Z
       
       0 likes, 0 repeats
       
       @alwayscurious@infosec.exchange Once more you're conflating "developer" and "maintainer". They are not the same people. The developer can (and should) choose not to support insecure dependencies. In reality, the developer doesn't care, we can see that clearly with stuff like Electron, but that's another story.
       
       The maintainer is the one packaging it, in your example for Debian stable. If Debian is missing the dependency, this maintainer, or another one, can package that too. That's what they do after all. If Debian has a good reason not to accept such a dependency, they most likely don't want application Z to begin with, and there's nothing to do to begin with. The Debian maintainers are the ones who perform the QA for what goes into the repos after all; if the developer disagrees he is completely free to change whatever he needs to get it accepted anyway.
       
       Or he could throw a tantrum, complain Debian is evil, and ship a flatpak to get his sub-par software out to Debian users anyway, lowering the software quality just a little further.
       
       Before you continue, please wrap your head around the idea that developers and maintainers are not the same, and most definitely shouldn't be the same.
       
       > every single one of Flatpak’s advantages
       
       Conflating concerns which should be clearly separated, resulting in ever-lowering quality of software packages? Not sure if I consider this an "advantage".
       
       > sandboxing
       
       Oh boy, you actually believe the marketing. You might want to rethink your position on this statement, I'll even give you a little start. https://flatkill.org/
       
       > However, neither Nix nor Guix is accessible to the average user
       
       I am actually in favour of having a little learning curve for most distros. It results in more intelligent and knowledgeable users, which in turn results in a smarter society that doesn't consider their computer "this magic box" that they just click every pop-up on and then become nodes in someone's DDoS network.
       
       Having some form of intelligence check isn't a horrible idea, we already do it for various other things in our society, in order to protect the person and the people around them.
       
       > Flatpak is packaged by a huge number of Linux distros
       
       Just because it's widely available doesn't mean it's a good idea to use it. If you care for popularity over quality, Twitter and Facebook still exist, and you can get yourself a Windows installer right from Microsoft's website. Enjoy your life with all this popular software, and please stop destroying the happy little places we have here.