Patrick
January 18, 2024, 1:48pm
61
Recent releases:
- come with Flathub system-wide enabled by default.
- do not come with Flathub per-user enabled by default.
References for Flathub system-wide:
committed 07:55AM - 18 Jan 24 UTC
`/etc/flatpak/remotes.d/flathub.flatpakrepo`
source: https://flathub.org/repo/f… lathub.flatpakrepo
https://forums.whonix.org/t/flatpak-as-a-software-source-flathub-as-a-source-of-software/8500
committed 10:44AM - 18 Jan 24 UTC
This is equivalent to the `flatpak` `--subset=verified_floss` option.
Patrick
September 25, 2024, 4:40am
62
The flathub repository is enabled by default system-wide. This means, by default:

```
flatpak install flathub org.mozilla.firefox
```

can be used.

However, the flathub repository is not enabled by default yet per-user or for user `user`. Therefore,

```
flatpak --user install flathub org.mozilla.firefox
```

would fail. To make it work, the following command would be required:

```
flatpak --user remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
```
Now, the obvious thing to suggest would be "enable flathub by default for per-user too". But first, there are some Linux permission-specific issues.

Also, if flathub was enabled both system-wide and per-user, then when trying to install a flatpak, it would show the following confusing message:

```
Looking for matches…
Remote 'flathub' found in multiple installations:
   1) system
   2) user
Which do you want to use (0 to abort)? [0-2]:
```
Due to flatpak's bad security design, and it requiring even more privileges, I suggest ditching it and relying on the old style of only having packages downloaded and installed from the distro's main repos.
As a replacement, I suggest something more secure with the same upgraded packages: a stable and secure rolling distro.
e.g. Tumbleweed:
I have installed Tumbleweed and have been using it for the past few days. It really surprised me with how many features come as the default.
Installer
Good desktop environment choices include XFCE, along with KDE and other options.
Btrfs is used by default, with other options available like XFS and Ext4.
Support for LVM.
UTC as an option for time zone.
It's odd that 'host name' should appear here, but it actually exists in the network configuration.…
extraextra:
> What specifically?

One crazier than the other, e.g.: downloading the binaries and not the source code from the developers (Firefox, VSCodium, etc.), doesn't pass TUF as it suffers from indefinite freeze attacks, blobs, etc. Just a garbage way to have newer software.

extraextra:
> What kind of blobs?

"Flathub's build process of downloading binaries poses certain risks. Since builds are automated, it is unlikely and not enforced that the packager verifies that the source code is complete, can be compiled, and is free of binary blobs, Embedded Code Copies of libraries, other software, or non-freedom software."
Patrick
October 18, 2024, 11:38am
69
Flathub feature request (written just now):
opened 11:30AM - 18 Oct 24 UTC
### Problem Statement:
Flathub currently lacks transparency in showing whether … a Flatpak application is built from source code or if prebuilt binaries are used during the build process. Many users who care about software freedom, security, and reproducibility prefer source-built applications over precompiled binaries. While an application may be open-source, it could still be downloaded as a binary from upstream, bypassing the benefits of building from source. This distinction is especially important for those who value transparency and the integrity of software distribution.
### Importance of Source-built Applications:
Reproducible builds, which are becoming a critical goal in software distribution, hold more value if the software is compiled from source, rather than being downloaded as a precompiled binary. While Flathub may eventually accomplish the goal of reproducible builds, its value would be diminished if many of the Flatpaks available are simply redistributed binaries from upstream. Transparency in this area would empower users to trust the builds more and make informed decisions.
### Comparison with Other Ecosystems:
In the Debian community, the idea of removing embedded copies of code or binaries from upstream source packages is strongly encouraged to improve security and clarity in open-source software development. As the [Debian Wiki on Embedded Copies](https://wiki.debian.org/EmbeddedCopies) explains:
> “Embedded copies (of code, data, fonts or other things) should be removed from the upstream VCS and source tarballs. Upstream might want to only embed the copies in the binary packages they distribute.”
This concept is highly relevant to Flatpak's goals as well, as users expect the same level of scrutiny and transparency.
### Proposed Solution:
1. **Metadata Update**: Introduce a new field in the app metadata indicating whether a Flatpak is built from source or downloaded as a binary during the build process.
2. **UI Integration**: Display this information prominently on the Flathub website for each application, alongside existing metadata such as developer and license details.
3. **CLI Support**: Extend the Flatpak CLI to display this information when querying app details, such as using `flatpak info`.
4. **Automated Detection**: As part of the build process, have the build system automatically detect and log whether the build was from source or binary and update the metadata accordingly.
5. **Subset**: `verified_floss_source`
### Benefits:
- **Increased Transparency**: Users can make more informed choices about the software they install, especially if they prioritize open-source and source-built applications.
- **Support for Reproducible Builds**: Providing transparency into whether a build is from source or binary would add credibility to reproducible builds efforts on Flathub.
- **Trust and Security**: Source-built applications reduce the risk of hidden vulnerabilities or proprietary code being introduced during the build process, improving trust in the ecosystem.
This shows that a Linux distribution, or any software delivery mechanism, is also a curator that performs a software quality review. For example:
- In Debian, embedded code copies are prohibited, source code is scanned for binaries, and build servers have no network access.
- On Flathub, some flatpaks are simply a wrapper around the binaries from the original developers, where no such checks are performed.

Both approaches have advantages and disadvantages. Flathub often provides more recent software than Debian, but Debian performs a more stringent quality review and always builds all software in its main repository component from source code.
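As an added illustration of the "Automated Detection" item in the feature request above (example code written for this thread, not Flathub's or flatpak-builder's own tooling): a heuristic that reads a flatpak-builder JSON manifest and labels each module as built from source, a prebuilt binary, or unknown. The sample manifest, its example.org URLs and the prebuilt-filename patterns are constructed assumptions; the `buildsystem` and source `type` names are flatpak-builder's.

```python
import json
import re

# Buildsystems that compile a module from its sources (flatpak-builder's own names).
COMPILING_BUILDSYSTEMS = {"autotools", "cmake", "cmake-ninja", "meson", "qmake"}
# Source types that deliver a source tree or source tarball to the build.
SOURCE_TREE_TYPES = {"git", "bzr", "svn", "dir", "archive"}
# Filename patterns typical of prebuilt Linux binaries (constructed heuristic list).
PREBUILT_RE = re.compile(r"\.(deb|rpm|appimage)$|(x86_64|amd64|aarch64|linux)[-_.]", re.I)

def classify_module(module: dict) -> str:
    """Label one manifest module 'source', 'binary' or 'unknown'."""
    sources = module.get("sources", [])
    types = {s.get("type") for s in sources}
    names = [s.get("url") or s.get("path") or s.get("filename") or "" for s in sources]
    # extra-data is fetched at install time and never compiled: always a binary.
    if "extra-data" in types:
        return "binary"
    buildsystem = module.get("buildsystem", "autotools")  # flatpak-builder's default
    if buildsystem in COMPILING_BUILDSYSTEMS and types & SOURCE_TREE_TYPES:
        return "source"
    if buildsystem == "simple":  # 'simple' only runs build-commands, e.g. copying files
        if any(PREBUILT_RE.search(n) for n in names):
            return "binary"
        if types & {"git", "bzr", "svn"}:  # a checkout is source even if only copied
            return "source"
    return "unknown"

def classify_manifest(text: str) -> dict:
    """Map module name -> label for a JSON manifest; string entries (sub-manifests) are skipped."""
    manifest = json.loads(text)
    return {m["name"]: classify_module(m)
            for m in manifest.get("modules", []) if isinstance(m, dict)}

# Constructed sample manifest (checksum fields a real manifest needs are omitted).
SAMPLE_MANIFEST = json.dumps({
    "app-id": "org.example.App",
    "modules": [
        {"name": "libfoo", "buildsystem": "meson",
         "sources": [{"type": "archive", "url": "https://example.org/libfoo-1.2.tar.xz"}]},
        {"name": "app", "buildsystem": "simple",
         "build-commands": ["cp -r app /app/lib/app"],
         "sources": [{"type": "archive", "url": "https://example.org/app-99.0-linux-x86_64.tar.bz2"}]},
        {"name": "blob", "buildsystem": "simple",
         "sources": [{"type": "extra-data", "filename": "blob.deb",
                      "url": "https://example.org/blob_amd64.deb"}]},
    ],
})

if __name__ == "__main__":
    for name, label in classify_manifest(SAMPLE_MANIFEST).items():
        print(f"{name}: {label}")
```

The filename heuristic is deliberately conservative: anything it cannot place is reported as `unknown` for a human reviewer rather than guessed as source-built.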
I think it's game over; they just don't want to take the effort and do it correctly. Happy with the stupid mechanism they have.