Snaps & Ubuntu Core Desktop Talked Up At FOSDEM 2024


  • TheJackiNonster
    replied
    Originally posted by Sesivany View Post

    I hate to spoil it for you, but the package maintainer can do the same. The package goes through a proper review only once, then you can make changes and don't have to ask.
    I maintain applications both on Flathub and in a distro repository and I have to say that Flathub has been much more pushy about doing things right. They for example forced me to remove permission that became unnecessary when the app had already been on Flathub for 3 years. My packages in distro repos have never received so much scrutiny after they got in.
    I had a different experience. On Flathub I never received any hint to lower permission requirements, nor did I notice anyone checking my app for changes after the initial verification. With snaps, on the other hand, my apps are continuously verified manually, which I get notified about after a new build, and they automatically notify me about outdated dependencies in my apps. Flathub doesn't seem to care at all about deprecated dependencies, which is why a lot of apps probably contain known security issues inside.

    That makes me prefer the way snap utilizes the .deb packages from the Ubuntu repository for most dependencies much more than runtimes and extensions for flatpaks. Because while developers might arrange custom runtimes and extensions to update their apps' dependencies more easily, most people don't.

    I've also had the experience with a flatpak of mine, where I restricted the permission requirements so it would not be marked as "unsafe" on the Flathub page, that a user wasn't able to use it as intended anymore without manually adjusting permissions. The permission systems for both flatpaks and snaps are still horrible in my opinion, because you either have too much access or too little - especially when it comes to filesystem access.

    So from my point of view both systems are still extremely annoying and I still prefer native packages quite a lot, no matter the distro or implementation (.deb, .rpm or PKGBUILD).



  • Daktyl198
    replied
    Originally posted by Alexmitter View Post
    I love how Canonical just has to double down on a double down on a double down. Years of wild ideas, and still the fundamental issues of snap aren't addressed at all, at best worked around with changes on the app.
    I have bad news for you if you’re a fan of Flatpaks, buddy.



  • user1
    replied
    Originally posted by mirmirmir View Post
    Nah, I don't think distro packagers catch more bugs than other people. Problem in the compiling process? Sure, but for how the software is actually used, everyone has the same chance to encounter a bug.
    I'm not claiming packagers catch more bugs than users. When you get the software directly from the developer, then who will test it for bugs? Only the user. On the other hand, with traditional packaging not only the users test it, but also distro packagers. Remember Linus's law? "Given enough eyeballs, all bugs are shallow."

    Originally posted by mirmirmir View Post
    And about downstream patches, there's a reason why a patch doesn't get merged. If you want to include those patches in your distro. Fine, you do you... Not really. There's just so many bug reports in upstream caused by downstream patches. Did I say so many? I mean fuckton of them, thousand of hours of developers time wasted just to find out that that bug a user reports, doesn't even exist in their software.
    Honestly, this is the first time I'm hearing that downstream patches may cause bugs that don't exist upstream. And even if this is true, you really seem to overstate the issue. Can you give at least some examples, please? Personally, I know that if there's a bug in a package that doesn't exist upstream, it's most likely because the package is an older version.
    Even in Debian, which probably has the most downstream patches in its packages (some of which do get upstreamed eventually, btw), it's not like most of them even cause a noticeable difference in the app's behavior.



  • DumbFsck
    replied
    Originally posted by mirmirmir View Post

    Nah, I don't think distro packagers catch more bugs than other people. Problem in the compiling process? Sure, but for how the software is actually used, everyone has the same chance to encounter a bug.
    The OBS and openQA beg to differ.



  • ssokolow
    replied
    Originally posted by user1 View Post
    I've looked at the sandbox permissions of a lot of Flathub apps and I have to say many of them are too lax. Like why in the world does LibreOffice and image viewers have full filesystem read/write access when it should at the very least be limited just to your home directory?
    Probably because of a forest of little things like "If you plug a USB stick in, it mounts under /media, not /home", combined with how you need --filesystem=host to get /usr/share/doc available at /var/run/host/usr/share/doc, so that LibreOffice can be used as a reader for RTF- or ODT-format documentation (they're rare but do exist) before they get around to supporting the file chooser portal.

    If not for that last one, I could definitely see a case being made for specifically enumerating the places to grant but, with it, it's very tricky to have a setup that Just Works™ reliably for users... and prioritizing "Just Works™" over "best sandboxing" is the name of the game for a lot of these Flatpak maintainers because they don't want people trying the Flatpak option, seeing something broken, and writing off Flatpak entirely as "it sucks".
    Last edited by ssokolow; 07 February 2024, 09:28 AM.



  • sherlock
    replied
    Well... Can't wait to try it out!



  • user1
    replied
    Originally posted by Sesivany View Post
    I hate to spoil it for you, but the package maintainer can do the same. The package goes through a proper review only once, then you can make changes and don't have to ask.
    Which distro are you talking about? Cause I'm sure not all distros have the absolute same level of scrutiny.

    Originally posted by Sesivany View Post
    I maintain applications both on Flathub and in a distro repository and I have to say that Flathub has been much more pushy about doing things right. They for example forced me to remove permission that became unnecessary when the app had already been on Flathub for 3 years. My packages in distro repos have never received so much scrutiny after they got in.
    I've looked at the sandbox permissions of a lot of Flathub apps and I have to say many of them are too lax. Like, why in the world do LibreOffice and image viewers have full filesystem read/write access when it should at the very least be limited just to your home directory? The fact that your app has been on Flathub for 3 years is most likely the reason why at some point someone scrutinised your app and asked you to remove unnecessary permissions.
    There are now over 2400 apps on Flathub, which is a lot, so I think there's no way someone constantly sits and manually checks if every single app has proper permissions.

    On another note, I do agree that Flathub really tries to do things right. That's unlike the SNAP Store, which clearly prioritises quantity over quality, the speed of publishing the app and an overreliance on automatic reviews, which afaik is the reason it was hit by malware twice now.

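The filesystem grants that user1 and ssokolow are arguing about are visible from the command line: `flatpak info --show-permissions <app-id>` prints the app's [Context] section, and its `filesystems=` line lists every grant, including `host`. The script below is an added example for auditing that line; it is not code from the thread, from Flathub or from the Flatpak project. It assumes the key=value layout shown in the constructed sample and treats `host`, `host-os`, `host-etc` and `home` as the broad grants worth a second look.

```shell
#!/bin/sh
# Added example (not from the thread or from Flatpak): classify the filesystem
# grants in a Flatpak's [Context] section so that broad grants such as the
# --filesystem=host discussed above stand out.
#
# Real input comes from:  flatpak info --show-permissions org.example.App
# The samples below are constructed to mimic that output (assumption: the
# [Context] section uses the same key=value layout with ';'-separated values).

SAMPLE_CONTEXT='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=host;xdg-config/kdeglobals:ro;xdg-run/gvfs;!xdg-documents;'

# A tighter, also constructed, profile for comparison: only portal-style
# locations and one explicit path, no whole-host or whole-home access.
SAFE_CONTEXT='[Context]
shared=network;
sockets=wayland;
filesystems=xdg-download;xdg-pictures:ro;/media:ro;'

# classify_fs_grant GRANT -> prints one of BROAD, PATH, SCOPED, DENY, UNKNOWN
#   BROAD  : host, host-os, host-etc, home, "/" or "~" (whole host or whole home)
#   PATH   : an explicit absolute or ~-relative path
#   SCOPED : an xdg-* location (Downloads, Pictures, config subdirs, ...)
#   DENY   : a "!"-prefixed entry that removes a grant
classify_fs_grant() {
    g=${1%%:*}                      # drop a trailing :ro / :rw / :create mode
    case "$g" in
        '!'*)                        echo DENY ;;
        host|host-os|host-etc|home)  echo BROAD ;;
        /|~)                         echo BROAD ;;
        /*|'~'/*)                    echo PATH ;;
        xdg-*)                       echo SCOPED ;;
        *)                           echo UNKNOWN ;;
    esac
}

# list_fs_grants CONTEXT_TEXT -> prints "CLASS grant" for every filesystem entry
list_fs_grants() {
    printf '%s\n' "$1" | sed -n 's/^filesystems=//p' | tr ';' '\n' |
    while IFS= read -r grant; do
        [ -n "$grant" ] || continue
        printf '%s %s\n' "$(classify_fs_grant "$grant")" "$grant"
    done
}

# count_broad_grants CONTEXT_TEXT -> prints how many BROAD grants are present
count_broad_grants() {
    list_fs_grants "$1" | grep -c '^BROAD ' || true
}

# Stand-alone demo on the constructed samples
echo "== sample app =="
list_fs_grants "$SAMPLE_CONTEXT"
echo "broad grants: $(count_broad_grants "$SAMPLE_CONTEXT")"
echo "== tighter app =="
list_fs_grants "$SAFE_CONTEXT"
echo "broad grants: $(count_broad_grants "$SAFE_CONTEXT")"
```

To run it against an installed app, pass the real output in place of the sample: `list_fs_grants "$(flatpak info --show-permissions org.example.App)"`. When the result is unacceptable, a per-user override narrows the grant without touching the package, for example `flatpak override --user --nofilesystem=host --filesystem=home org.example.App`; the caveat ssokolow raises applies, since locations outside home such as /media then stop working unless they are granted explicitly.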


  • mirmirmir
    replied
    Originally posted by user1 View Post
    I like the fact that packaging provides additional wall of security which you don't have if you get the software directly from the developer. What if the developer makes his software do something malicious and no one catches it before it gets to the user?
    I also like the fact that at least some distros like Debian work closely with upstream. For example, Debian packagers may find bugs and report them to upstream. One thing I dislike about open source software in general is the over-reliance on users for reporting bugs. At least with distros like Debian, the packagers essentially also participate in bug reporting, not just the users. Again, something that's impossible if you get the software directly from the developer.
    Nah, I don't think distro packagers catch more bugs than other people. Problem in the compiling process? Sure, but for how the software is actually used, everyone has the same chance to encounter a bug.

    And about downstream patches, there's a reason why a patch doesn't get merged. If you want to include those patches in your distro. Fine, you do you... Not really. There's just so many bug reports in upstream caused by downstream patches. Did I say so many? I mean fuckton of them, thousand of hours of developers time wasted just to find out that that bug a user reports, doesn't even exist in their software.

    Remember, a packager will never be smarter than the developer. (No offense packagers out there thanks for keeping open source alive 🥰🥰). Devs just have more thingz to consider, more responsibility to users than packagers



  • Sesivany
    replied
    Originally posted by user1 View Post
    What if the developer makes his software do something malicious and no one catches it before it gets to the user?
    I hate to spoil it for you, but the package maintainer can do the same. The package goes through a proper review only once, then you can make changes and don't have to ask.
    I maintain applications both on Flathub and in a distro repository and I have to say that Flathub has been much more pushy about doing things right. They for example forced me to remove permission that became unnecessary when the app had already been on Flathub for 3 years. My packages in distro repos have never received so much scrutiny after they got in.



  • Danny3
    replied
    For fucks sake Canonical, just drop it!
    How long are you still willing to try to force push this crap, while people are resisting?

