
And flatpak is actually sandboxed for security. So what's your point?

The only news the author of this hype website told us is that

1) there was a vulnerability,

2) lots of applications have broad privileges and

3) apps have bundled dependencies.

--

1) Bugs happen. Deal with it.

2) Flatpak actually tells you which privileges an app is going to use. What do you suggest as a solution? Is it a technical problem or a social problem? What is the state of the art? I'd say the state of the art is Android in that it asks for permissions individually as they're required. Still, this problem is not a fundamental issue in Flatpak. It certainly doesn't deserve the "Flatkill" logo and domain.

3) Is Flatpak actually an exception to the rule?

- Making a Python app? Use pyenv, pipenv, venv or ${popular_venv_of_the_year} and bundle all your dependencies!

- Making a .NET app? Use NuGet and bundle all your DLLs!

- Making a Java app? Use Maven, Gradle, SBT and bundle all your JARs!

- Making a Rust app? Use Cargo and glue everything together.

- Etc. Etc.

So yeah, for every programming language we're encouraged to treat our dependencies as unique, fix their versions to prevent possible breakages and take the responsibility for monitoring security issues. Developers just like it. I don't like it but it's everywhere.

And as other posters said, Flatpak actually has runtimes which carry core dependencies like libc that get updated independently of the app.

So what is the novelty here deserving the flatkill domain? Where is that juicy security vulnerability?
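Added example, not part of the comment above: the permissions the comment says Flatpak tells you about can be audited from the keyfile-style metadata that `flatpak info --show-permissions <app-id>` prints. The sample metadata is constructed, and the `BROAD` policy and the name `broad_grants` are assumptions of this example.

```python
import configparser

# Constructed sample in the keyfile format Flatpak uses for app metadata.
SAMPLE_METADATA = """\
[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
devices=all;
filesystems=host;xdg-download:ro;
"""

# Assumption: what counts as a "broad" grant is this example's own policy.
BROAD = {
    "filesystems": {"host", "home"},
    "devices": {"all"},
    "sockets": {"x11", "session-bus", "system-bus"},
}


def broad_grants(metadata_text):
    """Return 'key=entry' strings for [Context] grants listed in BROAD."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    parser.optionxform = str  # keep key case as written
    parser.read_string(metadata_text)
    findings = []
    if not parser.has_section("Context"):
        return findings
    for key, risky in BROAD.items():
        raw = parser.get("Context", key, fallback="")
        for entry in (e.strip() for e in raw.split(";")):
            if not entry or entry.startswith("!"):
                continue  # empty field, or a "!name" revocation
            name = entry.partition(":")[0]  # drop :ro / :rw / :create suffix
            if name in risky:
                findings.append(f"{key}={entry}")
    return findings


if __name__ == "__main__":
    for finding in broad_grants(SAMPLE_METADATA):
        print("broad grant:", finding)
```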



