<analysis on>

On 8/10/22 05:00, Konrad Rosenbaum wrote:
<rant excuse="sorry folks">

Not ever in my career have I used an IBM Mainframe. Doesn't mean it is a
bad machine...;-)
Well you should have because now it pays more than Qt work! I get roughly 3 calls per week on it and my blue box is way out of date. Just signed a $120/hr RTR for brown box work yesterday though. :-)

I seriously used AppImage once, without even noticing: KDevelop 5 before
it was available in Debian. I just downloaded, chmod +x, run, happy.
Tried it again today to check the impact on my system - still happy.
(Single hidden FUSE mount, runs without any other impact, cleans itself
up after exit. No pre-install dependencies needed.)

<snipped rant - good rant, but snipped for length>

Post by karichen Dec 01, 2020 7:56 am and again at 9:46 am
Post by antikythera Dec 01, 2020 11:37 am

solution - run the questionably sourced appimage in firejail, snap and flatpak are already sandboxed by default. Casing point, if you use Thunderbird snap you have to enable printer access for it.

so yes, appimage do pose a bit more of a risk than other packaging formats without end users being aware of the need to run them in firejail.

I don't remember karichen's job exactly but that user was deploying Linux Mint on corporate desktops for a not tiny company. Two not short but measured responses from the corporate "there be viruses" world.

I quoted the entire antikythera post to point out what was and probably is still true. Flatpak is sandboxed by default, AppImage is not.

I snipped your tale of woe with both Snap and Flatpak because yes, naive developers that never went to college can turn off all sandboxing to "make it work" then release trash on their own Web site. In the early days of Snap that trash also made it into the repos. I've not heard of anything in Flathub that is signed and behaves in a non-sandboxed manner.

Tar: even easier and users that install external software can usually
handle it. The update path is a bit ...well ...nonexistent. It works as
long as you do not hard-code pathes.
Tar also walks on existing libraries.
What you want to use very much depends on your target audience. Do they
need system packages, easy download, or even source preferred over
binaries? What distribution do they run and what is the preferred
mechanism there? There is no one answer.

All we can say for sure after all this discussion is: Qt is used on many
different styles of Linux distribution with at least as many preferred
package formats. Feelings seem to run a bit hot on that topic, so any
choice will p*ss off someone.

Qt isn't used on as many Linux platforms as one would like to believe, not anymore. There are some legacy packages that haven't ported to other libraries, but not much in the way of new development post FeatherPad after the licensing shenanigans. Most distros have dropped KDE as a supported desktop because of that.

So, for the legacy applications still using Qt on Linux some will be for developers, but most will be for "consumers." Even Wireshark is flatpak today.


I will let karichen's posts stand for the corporate world and basically mine. I don't care how awesome something claims to be. I will only test install it on a sacrificial machine that is not on my network then I run a full antivirus scan. Yes, I have Clamshell running on all my Linux machines.

So after all of this it seems to me that the sanest choice would be to
just populate a directory hierarchy and let some other tool deal with
all the anguish and innuendo that comes with the (wrong) choice of
distribution package.
Not really, no. You are building on a 64-bit machine but cross compiling for 32-bit ARM so your application can run on a Raspberry Pi II. 64-bit ARM for a later PI or possibly a MAC. The RPM distro tree wants each library in its own directory. /lib for 32-bit /lib64 for 64-bit etc. Debian does it different.
Most companies and many Linux distros have started making it more
difficult for someone to "just download and install from a Web site"
because Malware is everywhere.
Examples? All I've noticed is that Linux is now easy enough for users
that don't understand how to unpack a tar or how to sudo to a root shell.



Lots of chatter now where companies deploying Linux desktops are changing the GUI app sources to point to internal company maintained applications. This has been done for Windows for years in the corporate/medical device world. Joe Palluka can't install from the Microsoft Store but they can install from the company store. Usually has half a dozen IDEs and editors. A few "office" type things that help with the standard office package, etc.

Does any distro actually put AppImage files in their repo? I'm asking.
I have never heard of it but that doesn't mean there isn't some
obscure distro doing that.
Why would they? The point of AppImage is that you DON'T need to put it
into the distro package store.
The point of the GUI installers and all of the Linux security articles about Ransomware and Linux now being one of the primary targets for such Malware is to restrict user ability to install software such that they can only install trusted vetted signed packages that mostly run in sandboxes. By default AppImage is not sandboxed but Flatpak is. As another poster pointed out Flathub will sign trusted vetted sandboxed packages.

In fact, Ubuntu has already started their migration away from Snap by
installing Flatpak out of the box in Ubuntu Mate 22.04

That's Mate. Not Ubuntu proper.

Okay. LUbuntu is in the Ubuntu repositories. KUbuntu is in the Ubuntu repositories. Ubuntu-Mate is in the Ubuntu repositories. Ubuntu is in the Ubuntu repositories. Are we seeing a pattern? ;-)

Why? Because the Linux distros that matter, some of them YABUs
themselves have all integrated Flatpak.

BTW: repeating the same link four times does not make it any truer or
more prophetic.

Flatpak is a Debian package, so of course it turns up in all Ubuntus.

Sorry. After the last update Firefox hasn't consistently copied urls to paste buffer.


Last I checked CentOS wasn't a Debian based version, nor was Fedora.

The Linux world demands a single trusted vetted repository. Then Linux
can seriously be considered for corporate desktops. It already has
applications like TextMaker and OnlyOffice, etc. What it doesn't have
is a single trusted repository.
Read my lips: not, going, to, happen.

Read my lips: corporations running Linux are going to force this on the community and shower the distros that go this route with seemingly limitless support contract dollars. Oracle didn't thieve a version of Red Hat because they were bored. Red Hat revenues are approaching $5 Billion.


Red Hat and OpenSuSE have been locking down their worlds for a while. it has even trickled out to Fedora where it has to reboot in maintenance mode to apply updates. Well, updates to anything that might matter.


Will there always be fly-by-night distros that allow traditional Linux Anarchy? You bet. They will become increasingly obscure though.

Right now the bulk of the mainstream is pushing the workload and the signing to Flathub. Is it perfect? No. It is way better than what we had. It also has unbelievably deep pockets behind it. One of the main listed investors is: Cloud Native Computing Foundation


They all need Flathub to work too.

Obviously the single central repository is also not the criterion for
corporate IT - Windows has none either. Please keep searching and let me
know what else you find.

[hint: inertia]

I have no idea where you got that. I've been working at some of the major medical device manufacturers for the past decade.

Every one of them has their own central software repository.

Every one of them has the Windows laptops and desktops configured to pull updates only from a corporate Windows update site. Only about half of them actually maintain that site. You have to have Admin priv to navigate into settings to check the box allowing your machine to look at official Microsoft repositories.

Every non-medical device corporation I've worked for issues you a laptop/desktop computer where you have zero priv to install anything. Most have security software install so if you download and unzip a single file text editor executable in your own directory then create a desktop shortcut for it, security comes and has a chat with you. Others just nuke it remotely.

How long has it been since you worked in the Fortunate 500 world? ;-)

[80% of rant cut, unexpected trigger...]

Snap wasn't the correct idea. Flatpak is. It's basically a better
Docker and now many distros are having their graphical application
installer use Flathub directly.
Say what?

Flatpak has absolutely nothing to do with Docker. It just uses similar
APIs. FP is an alternative app distribution path with dependencies in
image files. It does not isolate the app from the system. Docker allows
easy deployment of server components (using image files) with dozens of
versions in parallel, hundreds of instances running in isolated
environments and some network magic to tie it all together.

Following your logic I proudly pronounce Apache to be a better FTP
server, because it uses the same socket APIs, just a slightly different

Flatpak, like Docker, uses "layers". If the Flatpak you are installing uses some of the same "layers," like say the same version and build of SQLite3 libraries, those layers don't get pulled down.

Flatpak is by default sandboxed. Someone has to really forcibly try to impact the system. By default you usually get access to the user $HOME directory if that.


Still not prophetic.
I wish you would have included the snippet above so I could fix the cut & paste error.


The really deep pockets have spoken. Flathub is where we are going. Even Apple and Microsoft are on the list of members.


That time I posted again for real.


Which is a big improvement from 2019


</analysis off>

Roland Hughes, President
Logikal Solutions


Interest mailing list

Reply via email to