this post was submitted on 15 Feb 2025
194 points (100.0% liked)

[–] [email protected] 130 points 4 months ago* (last edited 4 months ago) (3 children)

I'm not surprised that the OBS devs are considering suing Fedora for their Fedora Flatpaks.


For anyone out of the loop:
Fedora's been packaging and providing apps as Fedora Flatpaks which cause users trouble cause they're honestly pretty shit and known to be unreliable. The issue is that users assume that these faulty packages are provided by the Original Devs and complain towards the ODevs.

As endless waves of users complain towards the ODevs it causes them unnecessary headache as well as costing valuable time and resources to tell users that it's actually Fedora fucking things for everyone.

All of this is unnecessary because if Fedora stopped installing Fedora Flatpaks as the default then there wouldn't be this problem in the first place.

[–] [email protected] 46 points 4 months ago (2 children)

Wait, why is Fedora making their own flatpaks? I thought the entire point is that they work on any distro and everybody gets the original source from flathub.

[–] [email protected] 33 points 4 months ago (2 children)

IMO, same reason they have their own repo, which eventually feeds into Red Hat enterprise, to have a trustworthy, curated set of safe (ish) software that's had eyeballs on it. A worthy enough goal, but that said, it applies a lot less to flatpaks. I personally used to remove theirs because I didn't like having multiple sources, now I'm on Bazzite which ships with flathub.

[–] [email protected] 19 points 4 months ago

This is pretty much how Ubuntu turned into the shitshow it is now.

[–] [email protected] 16 points 4 months ago

I don't see much of a reason to create a customized flatpak, since at this point you might as well just create a binary for dnf.

[–] [email protected] 23 points 4 months ago

I asked this exact thing somewhere else, and the best answers I got were:

  • there is a somewhat legitimate motivation for Fedora to package their own Flatpaks in the context of their atomic desktops project.
  • they started doing this before Flathub was established, and it was a better idea at that time.

So, as per usual with Linux, there are some obscure and historical reasons this is a thing, but it is useless for the majority of users. Fedora should really not have it configured as the default source for Flatpaks out of the box.

[–] [email protected] 7 points 4 months ago (2 children)

Thank you for the context. I've been kind of out of the loop with Linux in general and have been using Fedora... But now a question. What's the most stable form of package and which distros use it by default? I've been kind of confused by the whole AppImage, Flatpak, etc. thing.

[–] [email protected] 5 points 4 months ago* (last edited 4 months ago)

Personally I'd recommend installing in this order:

  1. Packages from your distro's native repository.
  2. Flatpaks from Flathub (please avoid Fedora's Flatpaks).
  3. AppImages/Debs usually provided on the app developer's site.
  4. The Arch User Repository (AUR) if compatible.
  5. Tarballs.
  6. Ubuntu Snaps.
  7. Fedora Flatpaks.

[–] [email protected] 5 points 4 months ago (1 children)

There isn't one. It's still a shit show.

The most reliable way to distribute software on Linux is still to make a statically linked binary (linking with a very old glibc is fine) and use curl | bash. But that isn't always possible depending on the language used and the app.

Seems like OBS Studio is C++/Qt, so it shouldn't be too difficult though. I've done it before in the distant past. But looking at their releases they only provide .deb for Linux, so I can understand why people would want something else.

[–] [email protected] 4 points 4 months ago

I've made several Qt apps (in C++) easily packaged using AppImage. Perhaps OBS is harder because they require some level of integration with the hardware (e.g. the virtual camera perhaps requires something WRT drivers, I don't know), but in the general case of a Qt app doing "normal GUI stuff" and "normal user stuff" is a piece of cake. To overcome the glibc problem, it's true that it's recommended using an old distro, but it's not a must. Depends on what you want to support.

As a user, I prefer a native package, though (deb in my case).

[–] [email protected] 3 points 4 months ago (1 children)

cause they're honestly pretty shit and known to be unreliable.

Can you elaborate here? I've had very few issues with Flatpaks and the documentation is pretty thorough. I'm curious what wider issues it has to make the whole ecosystem "pretty shit" and unreliable.

[–] [email protected] 7 points 4 months ago (1 children)

They have individual people maintaining over a thousand Flatpaks. There's no time to test anything.

Additionally, if you go to install the real Flatpak, Fedora pushes you to use their poorly-maintained unofficial one instead.

[–] [email protected] 2 points 4 months ago (1 children)

They have individual people maintaining over a thousand Flatpaks.

I don't believe this to be the case with Flathub, only the Fedora repo. I'm asking about the wider Flatpak ecosystem, not the Fedora-specific repo or how it's set up.

Additionally, if you go to install the real Flatpak, Fedora pushes you to use their poorly-maintained unofficial one instead.

I'd agree that seems like a needless hoop at the very least, but my concern is more to do with the growing trend to shit on Flatpaks as an ecosystem, not just this particular instance of Fedora head-assery.

I think it's decent software and has really solid use-cases, far from unreliable shit at least in my own anecdotal experience. But my experience is limited, which was why I asked the OP to elaborate on actual flaws they see with the Flatpak ecosystem.

[–] [email protected] 7 points 4 months ago

The Fedora Flatpaks are pretty shit, not the overall concept.

[–] [email protected] 48 points 4 months ago (1 children)

Funny, I always thought it would be Canonical getting into this kind of trouble with snaps. Oh well...

[–] [email protected] 7 points 4 months ago
[–] [email protected] 33 points 4 months ago

Fair enough. If you’re going to repackage something, at least do it right.

[–] [email protected] 24 points 4 months ago (1 children)

I installed fedora to replace windows on the 31/12/2023. I wasn't a complete Linux noob by any measure but haven't run it as a main OS before. Thank you proton for getting me over the edge.

The whole repo situation on fedora is honestly pretty meh, things are out of date or broken too often. Or they just don't exist. I have put arch on a number of machines since and find it significantly better. My main box will move away from fedora next time I'm enthused to mess with it and this is the primary reason.

[–] [email protected] 4 points 4 months ago (1 children)

Yikes... One would expect stability and reliability from main distros, it's funny to me that Linux Mint is the thing you recommend your family to try because Fedora and Ubuntu, formerly popular distros, went to shit.

[–] [email protected] 6 points 4 months ago

Fedora was always a bleeding-edge distro and never all that stable or reliable.

The problem is RedHat/IBM have been fucking with everything, and Fedora has suffered along with everything else and it's just kinda decayed a bit over the past few years.

....Ubuntu went to shit at least a decade ago, if not longer.

[–] [email protected] 7 points 4 months ago

Lmao, to think that not even the snap got sued but the Fedora Flatpak did...lol

[–] [email protected] 5 points 4 months ago (1 children)

Don't use Flatpak. It's extremely insecure.

[–] [email protected] 17 points 4 months ago (1 children)
[–] [email protected] 6 points 4 months ago (1 children)

It doesn't have package signing. The source is their documentation.

[–] [email protected] 10 points 4 months ago (1 children)

flatpak build-sign, is what I can find in the documentation.

[–] [email protected] 2 points 4 months ago* (last edited 4 months ago) (1 children)

Yeah, that's optional. Unlike actual secure package managers like apt, where signing has been required since 2005.

What you need to look at is the docs for installing, and note it doesn't say anything about requiring valid signatures after downloading a payload.

Flatpak doesn't care about security. Avoid them.

[–] [email protected] 8 points 4 months ago* (last edited 4 months ago) (1 children)

This seems to be blatant misinformation.
The default seems to require a gpg signature. It can be disabled for a remote with --no-gpg-verify, but the default for installing and building definitely requires a signature.
You keep talking about the docs, so please show me where it says that in the Flatpak Documentation.

[–] [email protected] 2 points 4 months ago (2 children)

You're the one spreading misinformation.

The burden of proof is on you. I linked you to the docs showing how package signatures have been required in apt since 2005. Most package managers do not have signature verification.

Point me to where the docs say signatures are required to be verified after download.

[–] [email protected] 8 points 4 months ago* (last edited 4 months ago) (1 children)

The burden of proof is on you.

You accused flatpak of being insecure. The burden to prove that is totally on you.

[–] [email protected] 1 points 4 months ago

Nah, tech is insecure by default.

[–] [email protected] 7 points 4 months ago (1 children)

You have not provided a single link.

I am no expert on Flatpak and just did some basic searching.
From reading the command reference it seems GPG verification is enabled for each remote and can't be disabled/enabled for each install. I can just find some issues where GPG verification fails:

Error: GPG verification enabled, but no signatures found (use gpg-verify=false in remote config to disable)
error: Failed to install bundle fr.handbrake.ghb: GPG verification enabled, but no signatures found (use gpg-verify=false in remote config to disable)

Documentation seems to be more user-oriented and not developer-oriented; maybe someone more knowledgeable can go into the source code and tell us how it actually works.
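
The `gpg-verify` remote setting named in the error messages above can be inspected per remote. The script below is an added example, not part of the thread or of Flatpak itself; it assumes remotes are recorded as `[remote "name"]` sections in the OSTree repo config at the default system and per-user paths, and the sample config is constructed.

```shell
#!/usr/bin/env bash
# Added example: report the gpg-verify setting of each remote in a Flatpak
# (OSTree) repo config. Prints "<remote> <enabled|disabled|unset>" per line.
# Reads the file given as $1, or stdin when no file is given.
audit_remotes() {
  awk '
    function emit() { if (name != "") print name, state }
    /^\[remote "/ {                       # start of a remote section
      emit()
      name = $0
      sub(/^\[remote "/, "", name); sub(/"\].*$/, "", name)
      state = "unset"                     # key not present in this section
      next
    }
    /^\[/ { emit(); name = ""; next }     # any other section ends the remote
    # Matches gpg-verify only, not gpg-verify-summary.
    name != "" && /^[ \t]*gpg-verify[ \t]*=/ {
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      val = tolower(val)
      state = (val == "true" || val == "1") ? "enabled" : "disabled"
    }
    END { emit() }
  ' "${1:--}"
}

# Names of remotes whose config explicitly turns verification off.
unverified_remotes() { audit_remotes "$1" | awk '$2 == "disabled" { print $1 }'; }

# Constructed sample config (not taken from a real system).
sample_config() { cat <<'EOF'
[core]
repo_version=1
mode=bare-user-only

[remote "flathub"]
url=https://dl.flathub.org/repo/
gpg-verify=true
gpg-verify-summary=true

[remote "local-test"]
url=file:///srv/repo
gpg-verify=false
EOF
}

# Assumed default locations of the system and per-user installations.
for cfg in /var/lib/flatpak/repo/config "$HOME/.local/share/flatpak/repo/config"; do
  if [ -r "$cfg" ]; then echo "== $cfg"; audit_remotes "$cfg"; fi
done
```

A remote reported as `disabled` is one where the `gpg-verify=false` override from the error message has been applied.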

[–] [email protected] 2 points 4 months ago (1 children)
[–] [email protected] 6 points 4 months ago (1 children)

So you linked to apt.
I guess good for anyone who finds this interesting…
But more on topic, here is a link to an answer from 2020 from a Flatpak maintainer:

If a user installs or updates a specific app-id the code verifies that:

  • The new app is gpg signed by a trusted key
  • Checksum verifying that all files are untampered with
  • The new app has that app id
  • The new app has a later timestamp on update

[–] [email protected] 2 points 4 months ago (1 children)

Link me to the docs that say this

[–] [email protected] 6 points 4 months ago (1 children)

You are not arguing in good faith.
I have linked multiple times to the docs and to the GitHub repository of Flatpak.
Now how about you link to something useful in the docs that proves your point, or maybe just a random article as a source for your misinformation.

[–] [email protected] 1 points 4 months ago

You have failed to find a doc that says signatures are required to be valid on the client for everything it downloads.

This software isn't secure. You can live in la-la land, pretending it has features it doesn't, but that doesn't change the facts.

[–] [email protected] 5 points 4 months ago

Wow, Fedora is being a little bitch about it, aren’t they?

[–] [email protected] 1 points 4 months ago

Debian debian, something debian.