Fedora threatened with legal action from OBS Studio due to their Flatpak packaging
-
Worse than that, the issue the article states isn't that it's a flat pack, it's that fedora is pushing their rebuilt flat pack of obs that's buggy instead of the official obs one from flat hub that works, and then the obs project is getting bug reports for a third party distribution that's broken.
Because fedora isn't just pushing flat packs, they're pushing made by fedora versions of them instead of the official builds from the maintainers.
-
Having distro-specific flatpaks really seems to be defeating the whole purpose
-
It doesn't mean they are pushing flatpaks, but rather for whatever reason they decided to package their own flatpaks.
It is kinda of strange as Flatpak can support different repos, so of course fedora can host its own. The strange bit is why bother repackaging and hosting software that is already packaged by the project itself on flathub?
One argument might me the security risk of poorly packaged flatpaks relying on eol of dependencies. Fedora may feel it is better to have a version that it packages in line with what it packages in its own repos?
I have some sympathy for that position. But it makes sense that it is causing confusion of its broken, and worse it sounds like things got very petty fast. I think OBS request that fedora flag this up as being different from the flathub version wasn't unreasonable - but not sure what went down for it to get to thepoint of threatening legal action under misuse of the branding.
-
What is the lesson we can learn here as stated by the author of the post?
A messy situation but hopefully one some lessons can be learned from.
There is no info why packaging failed. I can't draw any lesson from this post
-
That wouldn’t work. Flathub and Fedora Flatpaks have different goals.
Fedora Flatpaks must meet legal requirement set by Fedora, so no proprietary or patented software.
Flathub also encourages upstream to maintain their packages. But upstream may not meet the security requirements set by Fedora. Fedora has much stricter packaging guidelines which don’t permit vendored dependencies.
-
inb4 Iceweasel
-
It’s not distro specific. Fedora Flatpaks are just built from Fedora RPMs, but they work on all distros.
If you care about FOSS spirit, security, and a higher packaging standard, then Fedora Flatpaks may be of interest.
If you want a package that just works, then Flathub may be of interest. But those packages may be using EOL runtimes and may include vendored dependencies that have security issues.
-
The lesson is that Fedora Flatpak Repo needs to fuck off. It's an anti-pattern to have an obscure flatpak repo with software that is packaged differently from everything else.
The entire point of flatpaks was to have a universal packaging format that upstream devs could make themselves, and Fedora is completely undermining it.
-
Obviously, the best solution is that the gets settled out-of-court. However, Fedora has had a long time to listen to the OBS devs' request to stop packaging broken software, so maybe they won't listen to reason.
Fedora needs to get their heads out of their asses and kill the Fedora Flatpak repo.
-
I'm sorry, but you've completely missed either the point, or how it works.
Flathub is really the problem here for not properly verifying package owners/maintainers and allowing them to moderate other versions of their work.
There honestly just needs to finally be a way to sort official packages from community packages. Right now it's a mess. Fedora should just take theirs down.
-
Fedora has always been one of the flatpak friendly distros.
No, it’s not like snap. Fedora is not removing RPMs and replacing them with flatpaks. It just defaults to flatpaks. Fedora Flatpaks are built entirely from existing RPMs.
-
Totally forget that I still was in fedora's flatpak repo until the news dropped. Took the opportunity to remove and replace it with flathub.
-
I prefer flatpaks that work.
-
And Fedora Flatpaks are universal, they work on any distros.
Flatpak by design allows you to install Flatpaks from multiple stores. The fact that snap only allows one store is a common criticism of snap.
Fedora Flatpaks were created because Fedora has strict guidelines for packages. They must be FOSS, they must not included patented software, and they need to be secure.
Flathub allows proprietary and patented software, so not all Flathub packages could be preinstalled. And if a Flathub package was preinstalled, it could add proprietary or patented bits without Fedora having a say.
Flathub packages are also allowed to use EOL runtimes and include vendored dependencies that have security issues. Fedora does not want this. Fedora Flatpaks are built entirely from Fedora RPMs so they get security updates from Fedora repos.
-
And that’s a perfectly fine position to have. I get most of my apps from Flathub.
I also think that Fedora Flatpaks should be allowed to exist. And most of them work without issues. They just don’t get as much testing as Flathub since the user base is smaller.
-
Just gonna leave this here...
-
That honestly doesn't sound like a bad mission, but it seems like there's a couple other requirements they should impose on their mission and then there wouldn't be any controversy.
They should require that their package works as well as the upstream, and, in the even that it doesn't, they need to be very blatant and open that this is a downstream package, and support for it will only be provided by Fedora Flatpaks, and that you may have better results with the official packages.
The primary issues in this case is that it doesn't work, and it's not been clear to users who to ask for help.
-
Why don't you like fedora flatpaks?
Among other reasons, Fedora ensure that apps get a flatpak. Imagine there was no official flatpak, fedora would've made one. Just like fedora ensures that there are native ways to install it via dnf. On atomic distros, you want to use flatpaks very often. Hence it makes sense to package apps via flatpak.
Fedora ensures that there is not additional code in the app kind of like fdroid on phones.
Anyone can make flatpaks, not just the main dev.
-
Confidentally incorrect.
Flathub has nothing to do with this
-
Honestly, that sounds great.
My biggest problem with Flatpak is that Flathub has all sorts of weird crap, and depending on your UI it's not always easy to tell what's official and what's just from some rando. I don't want a repo full of "unverified" packages to be a first-class citizen in my distro.
Distros can and should curate packages. That's half the point of a distro.
And yes, the idea of packaging dependencies in their own isolated container per-app comes with real downsides: I can't simply patch a library once at the system level.
I'm running a Fedora derivative and I wasn't even aware of this option. I'm going to look into it now because it sounds better than Flathub.
