Hi,
This is a direct response to flatkill.org 2020.
I’ve heard a lot of misinformation about Flatpak spread by the community and by a website called flatkill.org. I took the time to write my own response with the help of Flatpak contributors and developers to debunk the claims of flatkill.org to stop the spread of false information.
Not much of a response. The sandbox is indeed still a lie. And the response pretty much admits it.
For FlatHub OK, but nothing prevents you from providing a Flatpak repo only with sandboxed apps.
Still, nothing makes it trustworthy to end users. If I have to trust a random person on the internet to create a Flatpak it’s not more secure than running a binary found on 4chan.
To provide acceptable security to all users a real software supply chain process is needed:
…which is a less meticulous version of what Debian does. Various large companies have similar processes for internal use.
Another clarification: nothing prevents sandboxing applications deployed with deb or RPM packages. It’s routinely done for system daemons, for example, and by firejail and similar for applications.
Also nothing prevents bundling dependencies inside a package when there’s a good reason to do so.
Why are you mentioning GitHub, which is used by the FlatHub project, while in my comment I just said FlatHub != Flatpak?
It was just an example of a random person on the Internet. I rephrased it to clarify.
That’s not the point. Flatpak is like DEB or RPM; at a certain point Debian(-based distros) could offer apps as Flatpak while still using DEB for system packages.
Fedora already provides Flatpak apps and Fedora Silverblue is supposed to only install apps with Flatpak from Fedora’s Flatpak repos, from FlatHub or whatever repo the user decides to add.
Mozilla and Libreoffice are already providing official Flatpak builds.
OpenSUSE’s OBS service supports building Flatpak packages too.
Probably you know you can find a lot of third party apps like Google Chrome that support Linux by providing DEB and RPM packages on their sites. This has been the case for ages.
So what’s the difference with Flatpak? It’s even better for the use case of distributing untrustworthy apps because they can be properly sandboxed. Flatpak + Wayland is the minimum to make third party software available on Linux distros. Instead DEB/RPM + X11 are meant only for internal use of the distro you choose to trust. Before Flatpak and Wayland you couldn’t even talk about Linux distros as real platforms for third party apps.
Think better about what you want to criticize, because your arguments that follow are never that great.
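The point made above, that a Flatpak app is only "properly sandboxed" when its declared permissions are actually tight, can be checked by the user rather than taken on trust. The script below is an added example, not code from the thread or from the Flatpak project: it parses the `[Context]` and `[Session Bus Policy]` sections of an app's metadata (the format `flatpak info --show-permissions <app-id>` prints) and flags entries that effectively punch through the sandbox: `filesystems=host`, `devices=all`, the X11 socket (X11 gives a client no isolation from other clients, which is why the Wayland point matters), and `talk` access to the `org.freedesktop.Flatpak` D-Bus name (which lets the app spawn commands on the host). The metadata blob is a constructed sample standing in for a real app's output.

```shell
#!/bin/sh
# Added example: audit declared Flatpak permissions for sandbox-defeating entries.
# Input format matches `flatpak info --show-permissions <app-id>` (key-file style,
# semicolon-separated lists). SAMPLE_METADATA is constructed for the demo.

SAMPLE_METADATA='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;all;
filesystems=host;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
'

# flag_permissions: read metadata on stdin, print one line per risky entry
# as "<key>=<value> : <why it matters>". Entries not listed are left alone.
flag_permissions() {
    section=""
    while IFS= read -r line; do
        case "$line" in
            \[*\]) section="$line"; continue ;;   # new section header
            "")    continue ;;                     # blank line
        esac
        key="${line%%=*}"
        value="${line#*=}"
        case "$section" in
            "[Context]")
                # Context values are ';'-separated lists; split on ';' only.
                oldifs="$IFS"; IFS=';'
                for item in $value; do
                    [ -z "$item" ] && continue
                    case "$key:$item" in
                        sockets:x11)      echo "sockets=x11 : X11 has no client isolation (input snooping, window injection)" ;;
                        devices:all)      echo "devices=all : unrestricted /dev access" ;;
                        filesystems:host) echo "filesystems=host : read/write access to the whole host filesystem" ;;
                        filesystems:home) echo "filesystems=home : read/write access to the whole home directory" ;;
                    esac
                done
                IFS="$oldifs"
                ;;
            "[Session Bus Policy]")
                case "$key:$value" in
                    org.freedesktop.Flatpak:talk)
                        echo "org.freedesktop.Flatpak=talk : can ask the Flatpak service to run commands on the host" ;;
                esac
                ;;
        esac
    done
}

# count_risky: number of flagged entries in the constructed sample (used as the
# pass/fail figure; 0 would mean the declared permissions look contained).
count_risky() {
    printf '%s\n' "$SAMPLE_METADATA" | flag_permissions | wc -l | tr -d ' '
}

# Demo run against the constructed sample.
printf '%s\n' "$SAMPLE_METADATA" | flag_permissions
```

To audit an installed app instead of the sample, pipe `flatpak info --show-permissions <app-id>` into `flag_permissions`; a clean result means the manifest at least does not grant host filesystem, raw device, X11 or host-spawn access, which is the minimum a "sandboxed" label should imply.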