Linux

50838 readers

1205 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

[email protected]

144

Can I ignore flatpak indefinitely? (lemmy.sdf.org)

submitted 2 days ago by [email protected] to c/[email protected]

82 comments fedilink hide all child comments

I'm admittedly yelling at cloud a bit here, but I like package managers just fine. I don't want to have to have a plurality of software management tools. However, I also don't want to be caught off guard in the future if applications I rely on begin releasing exclusively with flatpak.

I don't develop distributed applications, but Im not understanding how it simplifies dependency management. Isn't it just shifting the work into the app bundle? Stuff still has to be updated or replaced all the time, right?

Don't maintainers have to release new bundles if they contain dependencies with vulnerabilities?

Is it because developers are often using dependencies that are ahead of release versions?

Also, how is it so much better than images for your applications on Docker Hub?

Never say never, I guess, but nothing about flatpak really appeals to my instincts. I really just want to know if it's something I should adopt, or if I can continue to blissfully ignore.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 6 points 2 days ago (1 children)

The risk of dependency vulnerabilities is real.

Also, flatpak packages are not digitally signed, unlike apt and all other major Linux distro package managers.

[–] [email protected] 1 points 2 days ago (1 children)

Do you have a resource I can take a look at for what this implies at what it accomplishes?

[–] [email protected] 1 points 1 day ago (1 children)

Sure, here are some:

http://security.stackexchange.com/questions/259088/ddg#270934

https://en.wikipedia.org/wiki/Digital_signature

The main feature would be that if flathub (or a hacker with access to flathub) acted maliciously, digital signatures would prevent them from issuing malware infested updates to flatpaks. Only the software's originator would have the cryptographic key needed to sign releases of the software.

[–] [email protected] 1 points 1 day ago

Thanks!