On Tue, Jun 14, 2016 at 6:36 PM, Neal Gompa <ngomp...@gmail.com> wrote:
>
> On Tue, Jun 14, 2016 at 9:04 PM, Michael Catanzaro <mcatanz...@gnome.org> wrote:
> > On Tue, 2016-06-14 at 16:45 -0400, Ben Rosser wrote:
> >> Well, if a packager wants to maintain it, why not?
> >>
> >> As someone who's a bit skeptical about containers as the future of
> >> software distribution, I'd like to continue getting "traditionally
> >> packaged" applications from Fedora where possible. I became a Fedora
> >> packager as a large part because I wanted to expand the pool of such
> >> software that was available in Fedora, by making it available to other
> >> users. It seems like that's not a thing we're going to care about as
> >> much going forward, which I guess is... fine, but I kind of have mixed
> >> feelings about the whole thing.
> >>
> >> I suspect I am in a minority here, though.
> >
> > No, we'll still need RPM packages for lots and lots and lots of
> > applications. They're not going away.
> >
> > In the specific case where upstream decides to ship a Flatpak and wants
> > to distribute that Flatpak in Fedora, then it seems advantageous to
> > make that available in Fedora rather than our RPMs, so you get updates
> > from upstream, exactly the way upstream intends, on upstream's
> > schedule, that run the same on every distro, without conflicting with
> > Fedora packages. There's a huge technical advantage to that. But most
> > upstreams are not going to adopt this technology; it's just an option
> > to make distributing your application easier. Packagers are still
> > needed to package stuff that's not yet available on Fedora, same as
> > always.
>
> That's a weird position to take. The main selling point of Flatpaks is
> that they operate fully confined in the user's session space, separate
> from the rest of the system. I find it extremely hard to believe that
> we can't make these things coexist safely. In fact, there may even be
> advantages to having a Flatpak and a system version installed in
> parallel (especially for those who'd like to do certain things in a
> confined environment and other things in the regular one).
>
> If you're saying that the GNOME people can't handle this use case,
> then that's a huge problem. I expect this to be the most common one by
> far.
>
> On top of that, what you're suggesting implies that the work we all do
> as Fedora packagers is without value. We work very hard to provide a
> neatly integrated system that provides maximum functionality in a
> secure manner.
>
> To a certain extent, I also fundamentally disagree with the approach
> of modularity via the means of Docker containers and whatnot. I don't
> even like Flatpaks and Snaps and whatever other thing you want to come
> up with. At the end of the day, none of these things are solving the
> problem you are attempting to solve, and may introduce their own
> issues.
>
> Both Windows and macOS have a lot of security issues stemming from the
> lack of easy introspection of the state of the system due to the
> nature of how software delivery is done for these platforms. Docker,
> Flatpak, and Snaps all introduce this problem to the Linux platform,
> and make it far easier for Linux systems to become permanently
> vulnerable.
>
> The container/security thing is nothing specific or special to Flatpak
> and others, in fact it's more theater than anything else anyway, as it
> only works when conditions are "just right" (i.e., Wayland,
> supercharged containerization with SELinux, etc.).

I *strongly* disagree here.  The xdg-app folks seem to be doing a
pretty good job with their sandbox.  The kernel attack surface is
reduced considerably, as is the attack surface against the user via
ptrace and filesystem access.  If Wayland is available (which it
should be!) then so is the attack surface against X.

--Andy
--
devel mailing list
devel@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
