[-] _cryptagion@lemmy.dbzer0.com 4 points 6 days ago

Wow, Fedora is being a little bitch about it, aren’t they?

[-] recursive_recursion@lemmy.ca 126 points 1 week ago* (last edited 1 week ago)

I'm not surprised that the OBS devs are considering suing Fedora for their Fedora Flatpaks.


For anyone out of the loop:
Fedora's been packaging and providing apps as Fedora Flatpaks which cause users trouble cause they're honestly pretty shit and known to be unreliable. The issue is that users assume that these faulty packages are provided by the Original Devs and complain towards the ODevs.

As endless waves of users complain towards the ODevs it causes them unnecessary headache as well as costing valuable time and resources to tell users that it's actually Fedora fucking things for everyone.

All of this is unnecessary because if Fedora stopped installing Fedora Flatpaks as the default then there wouldn't be this problem in the first place.

[-] Jayb151@lemmy.world 7 points 1 week ago

Thank you for the context. I've been kind of out of the loop with Linux in general and have been using fedora... But now a question. What's the most stable form of package and which distros use it by default? I've been kind of confused by the whole all image, flatpak, etc. thing.

[-] recursive_recursion@lemmy.ca 5 points 6 days ago* (last edited 6 days ago)

Personally I'd recommend installing in this order:

  1. Packages from your distro's native repository.
  2. Flatpaks from Flathub (please avoid Fedora's Flatpaks).
  3. AppImages/Debs usually provided on the app developer's site.
  4. The Arch User Repository (AUR) if compatible.
  5. Tarballs.
  6. Ubuntu Snaps.
  7. Fedora Flatpaks.

[-] FizzyOrange@programming.dev 5 points 1 week ago

There isn't one. It's still a shit show.

The most reliable way to distribute software on Linux is still to make a statically linked binary (linking with a very old glibc is fine) and use curl | bash. But that isn't always possible depending on the language used and the app.

Seems like OBS Studio is C++/Qt, so it shouldn't be too difficult though. I've done it before in the distant past. But looking at their releases they only provide .deb for Linux, so I can understand why people would want something else.

[-] suy@programming.dev 4 points 1 week ago

I've made several Qt apps (in C++) easily packaged using AppImage. Perhaps OBS is harder because they require some level of integration with the hardware (e.g. the virtual camera perhaps requires something WRT drivers, I don't know), but in the general case of a Qt app doing "normal GUI stuff" and "normal user stuff" is a piece of cake. To overcome the glibc problem, it's true that it's recommended using an old distro, but it's not a must. Depends on what you want to support.

As a user, I prefer a native package, though (deb in my case).

[-] Sickday@kbin.earth 3 points 1 week ago

cause they're honestly pretty shit and known to be unreliable.

Can you elaborate here? I've had very few issues with Flatpaks and the documentation is pretty thorough. I'm curious what wider issues it has to make the whole ecosystem "pretty shit" and unreliable.

[-] eRac@lemmings.world 7 points 1 week ago

They have individual people maintaining over a thousand flatpaks. There's no time to test anything.

Additionally, if you go to install the real flatpak, Fedora pushes you to use their poorly-maintained unofficial one instead.

[-] Sickday@kbin.earth 2 points 1 week ago

They have individual people maintaining over a thousand flatpaks.

I don't believe this to be the case with Flathub, only the Fedora repo. I'm asking about the wider flatpak ecosystem, not the fedora-specific repo or how it's set up.

Additionally, if you go to install the real flatpak, Fedora pushes you to use their poorly-maintained unofficial one instead.

I'd agree that seems like a needless hoop at the very least, but my concern is more to do with the growing trend to shit on Flatpaks as an ecosystem, not just this particular instance of Fedora head-assery.

I think it's decent software and has really solid use-cases, far from unreliable shit at least in my own anecdotal experience. But my experience is limited, which was why I asked the OP to elaborate on actual flaws they see with the Flatpak ecosystem.

[-] eRac@lemmings.world 7 points 1 week ago

The Fedora flatpaks are pretty shit, not the overall concept.

[-] thatradomguy@lemmy.world 47 points 1 week ago

Funny, I always thought it would be Canonical getting into this kind of trouble with snaps. Oh well...

[-] pennomi@lemmy.world 34 points 1 week ago

Fair enough. If you’re going to repackage something, at least do it right.

[-] Dimand@aussie.zone 20 points 1 week ago

I installed fedora to replace windows on the 31/12/2023. I wasn't a complete Linux noob by any measure but haven't run it as a main OS before. Thank you proton for getting me over the edge.

The whole repo situation on fedora is honestly pretty meh, things are out of date or broken too often. Or they just don't exist. I have put arch on a number of machines since and find it significantly better. My main box will move away from fedora next time I'm enthused to mess with it and this is the primary reason.

[-] ogeist@lemmy.world 4 points 1 week ago

Yikes... One would expect stability and reliability from main distros, it's funny to me that Linux Mint is the thing you recommend your family to try because Fedora and Ubuntu, formerly popular distros, went to shit.

Fedora was always a bleeding-edge distro and never all that stable or reliable.

The problem is RedHat/IBM have been fucking with everything, and Fedora has suffered along with everything else and it's just kinda decayed a bit over the past few years.

....Ubuntu went to shit at least a decade ago, if not longer.

[-] jagged_circle@feddit.nl 5 points 1 week ago

Don't use flatpak. It's extremely insecure.

[-] ArsonButCute@lemmy.dbzer0.com 16 points 1 week ago
[-] jagged_circle@feddit.nl 5 points 1 week ago

It doesn't have package signing. The source is their documentation.

[-] MissingInteger@lemm.ee 10 points 1 week ago

flatpak build-sign, is what I can find in the documentation.

[-] jagged_circle@feddit.nl 2 points 1 week ago* (last edited 1 week ago)

Yeah, that's optional. Unlike actual secure package managers like apt, where signing has been required since 2005.

What you need to look at is the docs for installing, and note it doesn't say anything about requiring valid signatures after downloading a payload.

Flatpak doesn't care about security. Avoid them.

[-] MissingInteger@lemm.ee 8 points 1 week ago* (last edited 1 week ago)

This seems to be blatant misinformation.
The default seems to require a gpg signature. It can be disabled for a remote with --no-gpg-verify, but the default for installing and building definitely requires a signature.
You keep talking about the docs, so please show me where it says that in the Flatpak Documentation.

[-] jagged_circle@feddit.nl 2 points 1 week ago

You're the one spreading misinformation.

The burden of proof is on you. I linked you to the docs showing how package signatures have been required in apt since 2005. Most package managers do not have signature verification.

Point me to where the docs say signatures are required to be verified after download.

[-] ms5K8oWx@programming.dev 9 points 6 days ago* (last edited 6 days ago)

The burden of proof is on you.

You accused flatpak of being insecure. The burden to prove that is totally on you.

[-] jagged_circle@feddit.nl 1 points 6 days ago

Nah, tech is insecure by default.

[-] MissingInteger@lemm.ee 8 points 1 week ago

You have not provided a single link.

I am no expert on flatpak and just did some basic searching.
From reading the command reference it seems GPG-Verification is enabled for each remote and can't be disabled/enabled for each install. I can just find some issues where gpg verification fails:

Error: GPG verification enabled, but no signatures found (use gpg-verify=false in remote config to disable)
error: Failed to install bundle fr.handbrake.ghb: GPG verification enabled, but no signatures found (use gpg-verify=false in remote config to disable)

Documentation seems to be more user oriented and not developer oriented; maybe someone more knowledgeable can go in the source code and tell us how it actually works.
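
Added example (not part of any comment in this thread, and not Flatpak's own code): the error text quoted above points at a per-remote `gpg-verify` key in the remote config, so this sketch parses a config in that layout and reports which remotes have verification switched off. The sample config, the remote names and the file path mentioned in the comment are assumptions.

```python
import configparser

# Constructed sample in the INI layout of an OSTree-style repo config.
# Assumption: a system-wide Flatpak install keeps this file at
# /var/lib/flatpak/repo/config; remote names and URLs are sample values.
SAMPLE_CONFIG = """
[core]
repo_version=1

[remote "flathub"]
url=https://dl.flathub.org/repo/
gpg-verify=true

[remote "local-test"]
url=file:///srv/test-repo
gpg-verify=false

[remote "legacy"]
url=https://example.invalid/repo/
"""

def audit_remotes(config_text):
    """Map each remote name to 'verified', 'unverified' or 'unset'."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(config_text)
    findings = {}
    for section in parser.sections():
        # Remote sections are written as: [remote "name"]
        if not (section.startswith('remote "') and section.endswith('"')):
            continue
        name = section[len('remote "'):-1]
        raw = parser.get(section, "gpg-verify", fallback=None)
        if raw is None:
            findings[name] = "unset"  # key absent: the client's default applies
        elif raw.strip().lower() in ("true", "1"):
            findings[name] = "verified"
        else:
            findings[name] = "unverified"
    return findings

def unverified_remotes(config_text):
    """Names of remotes that explicitly turn signature checking off."""
    return sorted(n for n, s in audit_remotes(config_text).items()
                  if s == "unverified")

if __name__ == "__main__":
    for name, status in audit_remotes(SAMPLE_CONFIG).items():
        print(f"{name}: gpg-verify {status}")
```

Remotes reported as `unset` are listed separately because the sketch does not assume what the client does when the key is missing.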

[-] jagged_circle@feddit.nl 2 points 1 week ago
[-] MissingInteger@lemm.ee 6 points 1 week ago

So you linked to apt.
I guess good for anyone who finds this interesting…
But more on topic, here is a link to an answer from 2020 from a flatpak maintainer:

If a user installs or updates a specific app-id the code verifies that:

  • The new app is gpg signed by a trusted key
  • Checksum verifying that all files are untampered with
  • The new app has that app id
  • The new app has a later timestamp on update

[-] jagged_circle@feddit.nl 2 points 1 week ago

Link me to the docs that say this

[-] MissingInteger@lemm.ee 6 points 6 days ago

You are not arguing in good faith.
I have linked multiple times to the docs and to the GitHub repository of flatpak.
Now how about you link to something useful in the docs that proves your point or maybe just a random article as source to your misinformation.

[-] jagged_circle@feddit.nl 1 points 6 days ago

You have failed to find a doc that says signatures are required to be valid on the client for everything it downloads.

This software isn't secure. You can live in la-la land, pretending it has features it doesn't, but that doesn't change the facts.

[-] Harbinger01173430@lemmy.world 5 points 1 week ago

Lmao, to think that not even the snap got sued but the fedora flatpak did...lol

[-] fmstrat@lemmy.nowsci.com 1 points 1 week ago

Debian debian, something debian.

this post was submitted on 15 Feb 2025
183 points (100.0% liked)
