On 6/6/23 18:07, Fabio Valentini wrote:
> In general, I do like having software available as flatpaks,
> especially if it's not available from Fedora repositories.
> However, there's also the question of *trust* - do I trust the
> software source and / or the people / projects providing them?
>
> Let's take LibreOffice as an example, since it started this whole discussion.
> The Fedora package appears to bundle only one "major" dependency,
> hsqldb, and it's documented and justified why this is the case in the
> spec file.
>
> On the other hand, the libreoffice flatpak bundles ~80 projects:
> - OpenJDK 17 (huh? is there no shared JDK flatpak runtime / SDK extension?)
> - krb5 (huh?)
> - xmlsec
> - boost 1.80
> - gpgme (huh?)
> - mariadb-connector-c
> - openldap (huh?)
> - poppler
> - PostgreSQL 13.10 (huh?)
> - and about 70 more (but with less memorable names)
>
> While I *do* trust the LibreOffice project (somewhat) to ship their
> own software correctly, do I trust them regarding these ~80 bundled -
> and partially security sensitive - libraries, as well? I'm not sure.
> Do I trust the Fedora packages for these libraries? Probably. Many of
> these libraries are installed by default on Fedora, and are not only
> used by LibreOffice, so I basically placed implicit trust in these
> when I first installed Fedora on my machine.

If you are talking about the LibreOffice upstream flatpak on Flathub (i.e., <https://github.com/flathub/org.libreoffice.LibreOffice/blob/06020bac005ef56305bcf5bc62ada8db2f259436/org.libreoffice.LibreOffice.json>):

* It bundles OpenJDK 17 provided by the org.freedesktop.Sdk.Extension.openjdk17 sdk-extension. Whenever a new version of the LibreOffice flatpak is provided, it automatically includes whatever latest version of that openjdk17 extension is provided. (And the assumption is that the providers of that extension take timely action in case of any relevant (security) issues.) Still, if there are urgent (security) issues in the extension, we would need to notice that and rebuild the LibreOffice flatpak accordingly. (It would be nicer if Java was provided as an org.freedesktop.Platform extension rather than only as an org.freedesktop.Sdk extension.)

* It bundles gvfs (see <https://github.com/flathub/org.libreoffice.LibreOffice/commit/800d0d553fec6bd093f813cb4aa2f10dcbe10aee> "Re-enable GIO support") and krb5 (see <https://github.com/flathub/org.libreoffice.LibreOffice/commit/5b49a9e3ca243910a094f9865e2cdda9e2cda098> "Add krb5" and <https://git.libreoffice.org/core/+/227350eb5a9881f795e9ae499c732f0148e4ac38%5E!> "Introduce optional krb5&gssapi support for internal PostgreSQL") "on its own": If there are any (security) issues with their upstream sources, we need to notice that and adapt the LibreOffice flatpak accordingly.

* It bundles another 83 packages (from pdfium-5408.tar.bz2 to f543e6e2d7275557a839a164941c0a86e5f2c3f2a0042bfc434c88c6dde9e140-opens___.ttf) that are "managed" by upstream LibreOffice: These are also used for other upstream LibreOffice builds (e.g., on macOS and Windows), and if there are any relevant (security) issues, upstream LibreOffice takes care of that and provides a new upstream LibreOffice version (and thus a new LibreOffice flatpak version).

* It includes ant as a build-time-only dependency.
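As an added example, not code from this thread or from the LibreOffice or Flathub projects, the following Python script sorts what a flatpak-builder manifest pulls in along the three lines drawn in the reply above (SDK extensions refreshed on every rebuild, modules bundled "on their own" with their own upstream sources, and build-time-only modules), and also lists sources that are not pinned to exact content. The manifest fragment is constructed for the example and only shaped like the linked org.libreoffice.LibreOffice.json; its names, URLs and checksums are placeholders.

```python
import json

# Constructed manifest fragment in flatpak-builder's JSON format. It is NOT the real
# org.libreoffice.LibreOffice.json; names, URLs and checksums are placeholders.
MANIFEST = json.loads("""
{
  "app-id": "org.example.Office",
  "runtime": "org.freedesktop.Platform", "runtime-version": "22.08",
  "sdk": "org.freedesktop.Sdk",
  "sdk-extensions": ["org.freedesktop.Sdk.Extension.openjdk17"],
  "modules": [
    {"name": "ant", "cleanup": ["*"],
     "sources": [{"type": "archive", "url": "https://example.org/ant.tar.gz", "sha256": "aa"}]},
    {"name": "krb5",
     "sources": [{"type": "archive", "url": "https://example.org/krb5.tar.gz", "sha256": "bb"}]},
    {"name": "gvfs",
     "sources": [{"type": "git", "url": "https://example.org/gvfs.git", "branch": "main"}]},
    {"name": "office",
     "sources": [{"type": "git", "url": "https://example.org/office.git", "tag": "v1.0"},
                 {"type": "file", "url": "https://example.org/pdfium-5408.tar.bz2", "sha256": "cc"},
                 {"type": "file", "url": "https://example.org/opens___.ttf", "sha256": "dd"}]}
  ]
}
""")

def walk(modules):
    """Yield module dicts, descending into nested "modules" lists."""
    for m in modules:
        if isinstance(m, str):   # reference to a separate manifest file; not resolved offline
            continue
        yield m
        yield from walk(m.get("modules", []))

def is_pinned(src):
    """A source is pinned if it names exact content: a checksum, or a git commit/tag."""
    return any(k in src for k in ("sha256", "sha512", "commit", "tag"))

def inventory(manifest):
    """Split what a build pulls in into: SDK extensions (refreshed on every rebuild),
    build-only modules (assumed here to be those whose output is removed by cleanup "*")
    and bundled modules with the remote sources to watch; also list floating sources."""
    out = {"extension": list(manifest.get("sdk-extensions", [])),
           "build_only": [], "bundled": {}, "unpinned": []}
    for m in walk(manifest.get("modules", [])):
        if "*" in m.get("cleanup", []):
            out["build_only"].append(m["name"])
            continue
        sources = [s for s in m.get("sources", []) if "url" in s]
        out["bundled"][m["name"]] = [s["url"] for s in sources]
        out["unpinned"] += [f'{m["name"]}:{s["url"]}' for s in sources if not is_pinned(s)]
    return out

if __name__ == "__main__":
    print(json.dumps(inventory(MANIFEST), indent=2))
```

Running it against a real manifest (load the JSON from disk instead of the constructed string) gives the list of upstream sources whose advisories have to be tracked for the flatpak, which is exactly the "we need to notice that" set described above.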
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org