Hi,

This is a direct response to flatkill.org 2020.

I’ve heard a lot of misinformation about Flatpak spread by the community and by a website called flatkill.org. I took the time to write my own response with the help of Flatpak contributors and developers to debunk the claims of flatkill.org to stop the spread of false information.

  • federico3 · +7 / −2 · edited · 4 years ago

    Still, nothing makes it trustworthy to end users. If I have to trust a random person on the internet to create a Flatpak it’s not more secure than running a binary found on 4chan.

    To provide acceptable security to all users a real software supply chain process is needed:

    • software and sandbox configuration from upstream developers need to be reviewed by a second pair of eyes: package managers
    • package managers’ work needs to be vetted as well, through peer review at least, or by more “senior” package managers
    • the people involved need to be vetted in the first place

    …which is a less meticulous version of what Debian does. Various large companies have similar processes for internal use.

    Another clarification: nothing prevents sandboxing applications deployed with deb or RPM packages. It’s routinely done for system daemons, for example, and by firejail and similar for applications.

    Also nothing prevents bundling dependencies inside a package when there’s a good reason to do so.

    • disrooter · +6 / −2 · 4 years ago

      Why are you mentioning GitHub, which is used by the FlatHub project, while in my comment I just said FlatHub != Flatpak?

      • federico3 · +2 / −1 · 4 years ago

        It was just an example of a random person on the Internet. I rephrased it to clarify.

        • disrooter · +1 / −3 · 4 years ago

          That’s not the point, Flatpak is like DEB or RPM, at a certain point Debian(-based distros) could offer apps as Flatpak while still using DEB for system packages.

          Fedora already provides Flatpak apps and Fedora Silverblue is supposed to only install apps with Flatpak from Fedora’s Flatpak repos, from FlatHub or whatever repo the user decides to add.

          Mozilla and Libreoffice are already providing official Flatpak builds.

          OpenSUSE’s OBS service supports building Flatpak packages too.

          Probably you know you can find a lot of third-party apps like Google Chrome that support Linux by providing DEB and RPM packages on their sites. This has been the case for ages.

          So what’s the difference with Flatpak? It’s even better for the use case of distributing untrustworthy apps because they can be properly sandboxed. Flatpak + Wayland is the minimum to make third-party software available on Linux distros. Instead DEB/RPM + X11 are meant only for internal use of the distro you choose to trust. Before Flatpak and Wayland you couldn’t even talk about Linux distros as real platforms for third-party apps.

          Think better about what you want to criticize, because your arguments that follow are never that great.
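The review step federico3 describes (a second pair of eyes on the upstream sandbox configuration) and disrooter’s point that third-party apps are only safer when they are actually “properly sandboxed” meet in one place: the `finish-args` list of a Flatpak manifest, which is where an app declares what the sandbox lets through. The script below is an added example written for this thread, not code from Flatpak, Flathub or any of the commenters. The two manifests it reads are constructed for illustration (`org.example.Viewer` is not a real app), and the severity tiers and reasons are this example’s reviewer notes, not Flatpak documentation; the `--option=value` syntax it parses is real manifest syntax.

```python
"""Flag sandbox-widening permissions in a Flatpak manifest's finish-args.

Added example for this thread; not code from Flatpak, Flathub or any commenter.
The manifests below are constructed and do not describe a real application.
"""
import json

# Constructed sample manifests. "broad" is the kind of finish-args a reviewer
# should push back on; "tight" is a Wayland-first app with a narrow file grant.
SAMPLE_MANIFESTS = {
    "broad": json.dumps({
        "app-id": "org.example.Viewer",          # hypothetical app id
        "runtime": "org.freedesktop.Platform",
        "runtime-version": "20.08",
        "sdk": "org.freedesktop.Sdk",
        "command": "viewer",
        "finish-args": [
            "--share=ipc",
            "--socket=x11",
            "--socket=wayland",
            "--filesystem=host",
            "--talk-name=org.freedesktop.Flatpak",
            "--device=dri",
        ],
    }),
    "tight": json.dumps({
        "app-id": "org.example.Viewer",
        "runtime": "org.freedesktop.Platform",
        "runtime-version": "20.08",
        "sdk": "org.freedesktop.Sdk",
        "command": "viewer",
        "finish-args": [
            "--share=ipc",
            "--socket=wayland",
            "--socket=fallback-x11",
            "--filesystem=xdg-download:ro",
            "--device=dri",
        ],
    }),
}

# (option, value) -> (severity, reviewer note). Wording is this example's judgement.
RULES = {
    ("filesystem", "host"): ("high", "read/write access to the entire host filesystem"),
    ("filesystem", "home"): ("high", "read/write access to the whole home directory"),
    ("talk-name", "org.freedesktop.Flatpak"): ("high", "lets the app ask the host service to spawn commands outside the sandbox"),
    ("socket", "session-bus"): ("high", "unfiltered session bus: every D-Bus service is reachable"),
    ("socket", "system-bus"): ("high", "unfiltered system bus"),
    ("device", "all"): ("high", "every device node is exposed"),
    ("socket", "x11"): ("medium", "X11 lets clients observe other windows and their input; prefer wayland"),
    ("share", "network"): ("low", "network access; expected for browsers and chat apps"),
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_finish_arg(arg):
    """Split '--filesystem=home:ro' into ('filesystem', 'home', {'ro'})."""
    if not arg.startswith("--"):
        raise ValueError(f"not a finish-arg: {arg!r}")
    option, _, value = arg[2:].partition("=")
    modifiers = set()
    # Only filesystem grants carry a :ro / :rw / :create suffix.
    if option == "filesystem":
        head, sep, tail = value.rpartition(":")
        if sep and tail in ("ro", "rw", "create"):
            value, modifiers = head, {tail}
    return option, value, modifiers


def review_finish_args(manifest_json):
    """Return findings (dicts with arg, severity, reason) sorted worst-first."""
    manifest = json.loads(manifest_json)
    findings = []
    for arg in manifest.get("finish-args", []):
        option, value, modifiers = parse_finish_arg(arg)
        rule = RULES.get((option, value))
        if rule is None:
            continue
        severity, reason = rule
        # A read-only grant of a broad path is still broad, but one tier less severe.
        if "ro" in modifiers and severity == "high":
            severity = "medium"
        findings.append({"arg": arg, "severity": severity, "reason": reason})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


def verdict(findings):
    """'reject' on any high finding, 'review' on medium, otherwise 'accept'."""
    severities = {f["severity"] for f in findings}
    if "high" in severities:
        return "reject"
    if "medium" in severities:
        return "review"
    return "accept"


if __name__ == "__main__":
    for name, manifest in SAMPLE_MANIFESTS.items():
        found = review_finish_args(manifest)
        print(f"{name}: {verdict(found)}")
        for f in found:
            print(f"  [{f['severity']}] {f['arg']}: {f['reason']}")
```

The point of the tiering is the one federico3 makes: a sandbox is only as good as the configuration a second person actually read. `--filesystem=host` or `--talk-name=org.freedesktop.Flatpak` make the sandbox boundary nominal and should stop a submission, while `--socket=x11` is exactly the gap disrooter points at when insisting on Wayland.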