by nickysielicki 2817 days ago
1. None of this has anything to do with Flatpak, it has everything to do with Flathub and how particular software is packaged.

2. Your preferred distribution can host their own Flatpak repository and ensure that things like security updates get dealt with properly. Flatpak is not Flathub.

3. This ecosystem is growing, so it's putting some things on the backburner, prioritizing application availability over holding a package to make sure that permissions are perfect. There is no reason that these issues can't be ironed out going forward.

5 comments

>There is no reason that these issues can't be ironed out going forward.

That's true in principle, but SELinux still doesn't see that much adoption outside of the distro-configured policies for typical server use cases. A lot of desktop apps run unconfined. So I think this is where OpenBSD's approach to stuff like this is more practical. They iterate and wait before rolling out features like pledge or unveil so that they know that 1) it can be made to work with at least 50 apps (read this in one of their slide decks) 2) they can tackle a complex enough application like Chromium. Flatpak, SELinux or any of the other security mechanisms are completely ineffective if users or developers are largely ignoring them.

> selinux or any of the other security mechanisms are completely ineffective if users or developers are largely ignoring them

SELinux works by default on Fedora, and even has a nice GUI popup that explains to you what happened when an SELinux policy blocked an action (so that you can reconfigure it). It's pretty neat, and is a massive improvement over the SELinux of old -- I would recommend trying it if you haven't recently.
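The popup described above is built on the AVC records the kernel writes to the audit log. As an added example (not code from the thread, Fedora or the SELinux project), the script below parses such records and turns each distinct denial into the kind of one-line explanation a desktop notifier would show. The log lines are constructed to match the audit.log layout; the PIDs, inode numbers, file names and the `example_app_t` / `example_daemon_t` domains are made up.

```python
"""Summarise SELinux AVC denials from audit-log lines.

Added example for this thread; not code from Fedora or the SELinux
project. The log lines below are constructed in the layout the kernel
writes to /var/log/audit/audit.log (and `ausearch -m avc` prints);
PIDs, inodes, names and the example_* domains are made up.
"""
import re
from collections import defaultdict

# Constructed sample: two denials for one process, one SYSCALL record that
# is not an AVC record, and one denial from a domain in permissive mode.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=4242 comm="example-app" name="secret.txt" dev="dm-0" ino=1001 scontext=unconfined_u:unconfined_r:example_app_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=4242 comm="example-app" name="secret.txt" dev="dm-0" ino=1001 scontext=unconfined_u:unconfined_r:example_app_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1700000000.200:203): avc:  denied  { name_connect } for  pid=5150 comm="example-daemon" dest=8080 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(ctx):
    """Return the type field of a user:role:type:level security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc_line(line):
    """Return a dict for one AVC record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm", "?"),
        "target": fields.get("name") or fields.get("dest") or fields.get("path") or "?",
        "source_type": type_of(fields.get("scontext", "")),
        "target_type": type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
        # permissive=1 means the domain only logged; the action went through.
        "enforced": fields.get("permissive") == "0",
    }


def summarize(audit_text):
    """Group denials by (process, source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "targets": set(), "enforced": False, "count": 0})
    for line in audit_text.splitlines():
        rec = parse_avc_line(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec["comm"], rec["source_type"], rec["target_type"], rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["targets"].add(rec["target"])
        g["enforced"] = g["enforced"] or rec["enforced"]
        g["count"] += 1
    return [
        {"comm": k[0], "source_type": k[1], "target_type": k[2], "tclass": k[3],
         "perms": sorted(g["perms"]), "targets": sorted(g["targets"]),
         "enforced": g["enforced"], "count": g["count"]}
        for k, g in sorted(groups.items())
    ]


def explain(summary):
    """Render one human-readable sentence per grouped denial."""
    lines = []
    for s in summary:
        mode = "blocked (enforcing)" if s["enforced"] else "logged only (permissive)"
        lines.append(
            f"{s['comm']} ({s['source_type']}) tried {'/'.join(s['perms'])} on "
            f"{s['tclass']} {', '.join(s['targets'])} labelled {s['target_type']}: {mode}"
        )
    return lines


if __name__ == "__main__":
    for line in explain(summarize(SAMPLE_AUDIT_LOG)):
        print(line)
```

Grouping by source and target type rather than by raw line is what makes the output actionable: a policy fix (a boolean, a relabel, or a custom module) is written against types, and the `permissive` flag tells you whether the denial actually stopped anything.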

Yes, I think my point still stands that a large number of desktop apps either have lax policies or run unconfined. I don't know if things have changed that much recently. Confinement is the opposite of ease of use. So Fedora/RHEL have SELinux in enforcing mode, but the policies are still more effective for servers. I don't know how far they go with the policies for desktop.
It'd be nice to see this stuff in (open)SUSE too. wink wink
Thank you! This should be first. Many people don't understand this, it seems.
But Flathub is Flatpak. Also, does Flatpak have the full support of Red Hat?
Flatpak is still a side project worked on by my colleague. Although he is employed by Red Hat, it is not a project led by our employer. AFAIK there hasn't been any work done to get it in RHEL, ...
No. Flathub has nothing to do with Flatpak technology itself. Flathub is just one server hosting some Flatpak repos.

It's like saying .deb is the Ubuntu Store. Well no, it is just one PPA among many others you could add to get your apps.

Isn't the whole point of Flatpak to prevent the same app from being packaged multiple times for different distros?
Ideally, Firefox would be downloaded from the official Mozilla Flatpak repo, Blender from the Blender Flatpak repo on Blender's server, etc... And we would have a list of those repos on our distro.

However, because official adoption is slow (very few pieces of software have an official Flatpak repo), Flathub allowed the community to build packages themselves. But this is clearly not how it should be.

The second (more legit) reason for Flathub is that a small developer might not want to pay for a server to host their app, and Flathub proposes to host their repo.

Probably a good idea to get the permissions correct up front.
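Getting permissions right up front means reviewing the `finish-args` of a manifest before it is published. As an added example (not code from Flatpak, Flathub or anyone in this thread), the script below reads a manifest in the JSON form flatpak-builder accepts, flags the finish-args that grant more than a typical desktop app needs, and builds the `flatpak override --user` lines a user could apply locally to take those grants back. The manifest and the app id `org.example.Editor` are constructed; the option names are real Flatpak options, but which of them count as "broad" is this script's own judgement, kept in `BROAD_ARGS`.

```python
"""Audit the finish-args of a Flatpak manifest for overly broad permissions.

Added example for this thread, not code from Flatpak or Flathub. The
manifest below is constructed and org.example.Editor is a made-up app id.
The option names are real flatpak-builder / flatpak override options; the
choice of which ones are "broad" is this script's own (BROAD_ARGS).
"""
import json

# Constructed manifest in the JSON form flatpak-builder accepts.
SAMPLE_MANIFEST = json.dumps({
    "app-id": "org.example.Editor",
    "runtime": "org.freedesktop.Platform",
    "runtime-version": "23.08",
    "sdk": "org.freedesktop.Sdk",
    "command": "editor",
    "finish-args": [
        "--share=ipc",
        "--socket=wayland",
        "--socket=fallback-x11",
        "--share=network",
        "--filesystem=home",
        "--talk-name=org.freedesktop.Flatpak",
        "--device=all",
    ],
})

# Finish-args that hand the app more than most desktop apps need, with the
# narrower alternative a reviewer would normally ask for.
BROAD_ARGS = {
    "--filesystem=host": "the whole host filesystem; prefer specific paths or the file-chooser portal",
    "--filesystem=home": "the whole home directory; prefer --filesystem=xdg-download or the portal",
    "--socket=session-bus": "unrestricted session bus; prefer --talk-name= for the exact services needed",
    "--socket=system-bus": "unrestricted system bus; prefer --system-talk-name= for the exact services needed",
    "--device=all": "all devices in /dev; prefer --device=dri",
    "--talk-name=org.freedesktop.Flatpak": "lets the app run commands outside the sandbox (flatpak-spawn --host)",
}


def audit_manifest(manifest_text):
    """Return (app_id, findings) where findings is a list of (arg, reason)."""
    manifest = json.loads(manifest_text)
    app_id = manifest.get("app-id") or manifest.get("id", "?")
    findings = []
    for arg in manifest.get("finish-args", []):
        # Strip access suffixes such as ":ro" or ":create" before matching,
        # so "--filesystem=home:ro" is still reported as home access.
        base = arg.split(":", 1)[0] if arg.startswith("--filesystem=") else arg
        if base in BROAD_ARGS:
            findings.append((arg, BROAD_ARGS[base]))
    return app_id, findings


def suggest_overrides(app_id, findings):
    """Build `flatpak override --user` lines that revoke each broad grant
    locally until the manifest itself is tightened."""
    lines = []
    for arg, _reason in findings:
        if arg.startswith("--filesystem="):
            path = arg[len("--filesystem="):].split(":", 1)[0]
            lines.append(f"flatpak override --user --nofilesystem={path} {app_id}")
        elif arg.startswith("--device="):
            lines.append(f"flatpak override --user --nodevice={arg[len('--device='):]} {app_id}")
        elif arg.startswith("--talk-name="):
            lines.append(f"flatpak override --user --no-talk-name={arg[len('--talk-name='):]} {app_id}")
        elif arg.startswith("--socket="):
            lines.append(f"flatpak override --user --nosocket={arg[len('--socket='):]} {app_id}")
    return lines


if __name__ == "__main__":
    app, found = audit_manifest(SAMPLE_MANIFEST)
    for arg, reason in found:
        print(f"{app}: {arg} grants {reason}")
    for cmd in suggest_overrides(app, found):
        print(cmd)
```

The same check can be pointed at an installed app: `flatpak info --show-permissions <app-id>` prints the effective grants, and the override lines apply whether the app came from Flathub or from a distro-hosted repository.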
Spot on. Expecting the latest open source software to be perfect is not reasonable.

People who want stable and secure can go with Debian stable... Some day, when it starts recommending Flatpak, I'm sure Flatpak will be solid :)