Why promoting flatpak for PureOS Store?

First let’s make my point of view clear : for me, flatpak is a bad thing for the linux
ecosystem in general. It eases the use of proprietary software and outdated software.
As security and FLOSS is the aim of Purism and so PureOS, I think that PureOS Store
should not use flatpak and encourage user not to use it.

The arguments of the above assertion are provided in this article : http://kmkeen.com/maintainers-matter/.
You really should read this article as this guy explained the problem much better than me.

Firstly, Linux is free for malware for one reason, there are maintainers that add a
solid protection layer against attacks from software providers (in the article ISV). If
you allow with flatpak, millions of developers to push software without any control,
you will go to disaster. Requiring that the app is libre is not sufficient because the user
do not have the competences (or do not have the time) to study the software to be
sure that it does not act as evil. Precisely, Stallman explains us that even if you do not
understand IT, other people do and this people can filtrate good from bad FLOSS software.
If a software does not want to want to implement a feature, another will appear and
implement it. If a software implement a bad feature, another software will appear with
the bad feature removed. Perfect no ! But the truth is how does the user can select
the software with the good functionality and without the bad one, it does not understand IT !
Yes, the response is the maintainer. Moreover, Sandbox will not help neither because
the user is known to ignore permission (in Android, a torch app with phone permission
will get download anyway by users…) and because there is no control over how the
permission is used (once you get gps permission, you can track the user all the time
without his explicit consent using for example a background services). For PureOS
that is a FSF-endorsed distribution, it is a very bad thing and this go against its values
(yes, libre softwares should auto-regulate and without maintainer it cannot which void
all benefits from libre software. You (and I) probably do not know all software that you
use, with the flatpak system, you will probably get exploited without knowing it).

Secondly, flatpak lowers the barrier for obsolete software because one of its major goal
is compatibility (packaging libraries with the software). Without flatpak, maintainers have
power to force an application to use newer libraries and, thus, to do not use outdated
ones with security vulnerabilities. With flatpak, you strip power from the maintainer
and thus encourage this behavior. And no, this is not the fault of the user to use
an outdated software because users are not a security expert and if they buy a librem
device, he will normally think that all software in the approved software center (PureOS Store)
are secured. (And no, sandboxing is not the solution as sandboxing does not protect
against vulnerability exploitation, it only limit the scope of exploitation). Once again,
for PureOS that sell itself as a secure distribution, this is a bad thing.

Now, why maintainers are better than software providers. This is because maintainers
live in an ecosystem that force them to be good. If a maintainer provide bad software,
it get fired. Moreover, maintainers can patch software if the software does not follow the
distribution vision. For example, maintainer will patch Firefox and remove EME because
this thing does not share the FSF vision (and thus the PureOS vision). You should
ask why EME is included and activate by default in Firefox (even if Mozilla is a very
good company that promote freedom in the WEB). This is because Mozilla does
not live in the same ecosystem than maintainers (Mozilla need that the most large
amount of users use firefox to survive and promote WEB freedom in our current
capitalist system but a maintainer need only to follow the distribution vision and
does not play the rules of capitalism. Yes, by playing the capitalism rules, Mozilla
had to infect its own software and shot itself. I do not want to critic Mozilla but if I
understand well, Purism goal is to promote the FSF vision of free software. and
thus, should not allow bad application or feature to infiltrate in his software center).

Finally, to provide an example for outdated package, gnucash was removed from
archlinux repository because it has a outdated dependency full of CVE (webkitgtk).
This force gnucash dev to use newer libraries (GTK3 and WebKit2Gtk) and thus
correct the security vulnerabilities. Without maintainer, gnucash will probably still
use this outdated library. Here are some sources :
1. https://lists.archlinux.org/pipermail/arch-dev-public/2017-June/028900.html
2. [see following post]
3. [see following post]

From the last source link :

The headline item for this release is that GnuCash now uses the Gtk±3.0 Toolkit and the WebKit2Gtk API.
This change was forced on us by some major Linux distributions dropping support for the WebKit1 API.
Unfortunately the Webkit project doesn’t support Microsoft Windows so that platform will continue to use
the WebKit1 API, though with Gtk3. We’ve selected Gtk±3.14.0 as the minimum version because it fully
supports CSS theming.

You should note that the second link prove well that Flatpak was used by not-expert people (ignoring IT)
to bypass the restriction from the maintainer. (Even If your absolutely need to use a software, you should
probably use a VM solution like XEN or QEMU/KVM to protect yourself instead of flatpak…).

Note : I am not against sandboxing, I am against sandboxing as the unique layer of protection
against bad software. But yes, sandboxing is a must as an extra layer of protection against
external attack. For example, it is useful to limit the scope of exploitation of a web attack
through a malformed webpage against firefox. With sandboxing, you limit the scope and so
the attack can get your browser history but not all you personal images in your computer (it need
to first evade the sandbox before getting your personal files). Other example, it is useful to
sandbox VLC in order to avoid to get exploited when you see a malformed video file that you just
download through torrent on non-recommended websites. You see, in each of these examples,
the threat is external because and cannot be internal because all software that you run
is trusted and secure. And again, I think that using sandboxed evil-application is worst than
just using a trusted application…

Second link and thrid link from the gnucash example :
2. https://www.reddit.com/r/archlinux/comments/7j30q1/gnucash_broken_by_dependence_on_gtkwebkit/
3. https://gnucash.org/news.phtml

Note : It is gnucash version 3.0 that used the new libraries (without vulnerabilities)

I think Linux enjoys the freedom from many viruses and malware for the reason you mention but also because of its relative obscurity in the consumer marketspace. For one the hacker community is normally a bunch of script kiddies looking for low hanging fruit. Linux is not low hanging, and the people that gravitate to it are usually a bit more savy than your average computer user.

However, should Linux ever go mainstream, as is the goal of Purism, it will no longer fit into this paradigm. People love to bash on Windows because of the lack of ethics in some of Microsoft’s business practices, etc., but Windows in general is the primary target of all malware in existence. That is a target the likes of which Linux has never had to bear. And should it, I think you worry about embracing flatpack is going to be small peanuts indeed.

My point being that, as the phone is FOSS based, you don’t have to use one flatpack if you don’t want to. Load up your own repos and go to town.

Maybe you’re right maybe you’re not. The truth is that nobody can see the future.
As you say Linux never got mainstream in the average user world, but Android is
mainstream. When you see how Android users get infected, you see too much times
that the cause is a download of a malicious applications from the Play Store. I do
not worry about peanuts, I see how user got infected nowadays. Now, yes user can
get infected using social engineering (like asking the user to run application that is
launched by email, etc). But, why trying to limit these kind of attack if you can’t even
trust your applications. So yes Windows is the primary target due to its user base, but
Linux issues attack too (just see how gentoo’s github was attacked some month ago).
Moreover, there exists malwares for Linux but when we see how Linux user are infected,
it is always by adding an extra ppa (or another similar stuff) that is not approved by
maintainers. If you make clear that trusted and approved package is only from the
official software center, the user should be mostly ok.

As a said before, the standard user does not have the competences to choose the
good app (which is flatpak or other kind of apps). Moreover, you are now experienced
but you probably was a noob when you first discovered Linux (as everybody including me).
If you do not get infected or absused at the time, it is probably because the ecosystem is
sane no ? I cannot say the same from Windows, for example, when I was a noob in windows,
I was used to have publicity banner on my browser because when I want to download an app
I was downloading it from websites packing my application with a lot pub stuff.

There’s a lot to unpack here but some topics can be extracted;

• Isolation
• maintainers (or curation)
• well maintained software

I’ll try and address each topic but let me tackle curation first. I’m using the word here to talk about “curating” software, that is to take care of something. Wikipedia defines it as “A curator (from Latin: cura, meaning “to take care”)[1] is a manager or overseer” and this is what I mean when I use the word “curation”. Purism has every intention of overseeing the apps in our app store in the same manner that we oversee the packages in PureOS. Free Software is a hard requirement which means we’ll have access to the source code of any app so we can see what it is doing. We’ll also extend our oversight beyond just software license. You can read a high-level explanation of our goals here: https://puri.sm/posts/purism-announces-pureos-store/

How does flatpak fit in with our goals? flatpak offers the advantages of an emerging standard that provides greater isolation and portability and is not controlled by one entity or vendor. For Purism flatpak will not enable proprietary apps because that doesn’t match our policy. Perhaps somewhere else there will be proprietary flatpaks, but not in our store because we intend to maintain it in such a manner that only free software gets in.

So hopefully you can see that 1. the choice of flatpak will not enable proprietary apps 2. our use of flatpak will be carefully overseen and help keep software up-to-date, just as we try to do in PureOS.

I would like to point out that Flatpak is a software distribution method. Anybody can create a Flatpak without utilizing Flathub. I highly doubt Purism would recommend Flathub for the reasons listed. It is likely that Purism plans to create their own repo for Flatpaks with their own review process.
AppImages will also be supported.

yes!

and further more: a shop based on that concept is. do we talk about free software? why is a shop needed to sell something? i am a bit lost. if someone needs a program she can just apt install it. what’s the benefit of a shop on top of that simplicity?

flatpak just allows to bundle software with obsolete libs in a pak to distribute those. so in the end you pay for obsolete libs? and the providers saves resources for maintanance the
proper, fitting libs? nice marketing model…

Free software can be found for free (as in gratis), but even Richard Stallman has no qualms about selling software for money, as long as that software is free as in freedom. There was some discussion in the Matrix channels about what the name of the PureOS store might convey, but much like many of the apps in the Google Play Store are free (as in gratis), most (if not all) of the software in Purism’s store will not cost money (Disclaimer: this is a guess currently).

I do think Purism hopes to enable developers to earn money from their work by making donations/purchases easy. Perhaps something like “install for free by compiling source code, or pay the developer’s suggested price for easy installation” - again, total guess. Maybe there will only be a donate button and nothing will require payment. And yes, for it to be listed in Purism’s store, Purism will review it.

I see the PureOS store much as I see the current GNOME Software program - effectively a graphical interface for navigating the repo, though also facilitating monetary contributions to developers.

exactly. that 's why i posted my post. just as a heads-up for purism to do some transparency on what they want to do.

point is: these guys need to earn money, i have no problem with that. but they should not just blindly follow all the bad patterns of the big companies for it.

i put alot of money (for me) into the L5 project because i like it. i said in the beginning already: it’s won’t be enough (i think they needed to put several hundret additional dollars per devkit). so any idea welcome to make money but not by involving bad technology like flatpak.

The thread-starter brings up a very good point. Distribution maintainers play an important role. It seems to me that the difference between a Linux distribution and a platform with an app store (e.g. Android/iOS) is analogous to the difference in how drivers are managed in Linux vs. Windows.

If all apps/drivers are made available as FOSS, they can all be merged in and managed centrally by a team responsible for making the collection as a whole work together – as well as auditing the code to make sure nothing inappropriate is going on.

The Windows model, on the other hand, which I argue is analogous to the “flatpak and app store” model, has every driver distributed by its vendor – with no coordination or auditing. This requires the system to somehow manage compatibility and trust issues. Usually not completely successfully.

The latter model seems to mostly benefit proprietary software and doesn’t seem to be needed for FOSS.

Anyway, some specific questions:

• How does the user know that the source code of an app in the store matches the published binary? I think I saw something about working on reproducible builds…? (In a regular Linux distribution this is solved by delegating to the already trusted distribution maintainers.)

• Have you looked at F-Droid (the Android FOSS app store) at all and how they do things? They tend towards the distribution/repository model, compiling apps themselves. Combined with sandboxing this leads to some issues if you want to switch between their version and the authors version, like all your data being erased. (Also, their “anti-features” feature is perhaps a good model.)

flatpak offers the advantages of an emerging standard that provides greater isolation
and portability and is not controlled by one entity or vendor.

Why portability is need ? The apps on PureOS Store need only to run in PureOS. The
problem here is that the only reason to have portability is to run obsolete program or
to make easier for external software (and so probably proprietary ones) to run on PureOS.
This portability is what is killing maintainers. Moreover, are you sure that you can support
the extra effort introduce by the multiplication of libraries due to the way how flatpak packs
libraries ?

From your link :

We envision PureOS Store as the primary community interface for app developers to contribute
to the wider ecosystem, without having to understand the underlying technology like packaging
or the mechanism of pushing apps upstream.

This is exactly what I call giving more power to developer and striping it to maintainers. Why
does the dev need to know how packaging ? This is the role of the maintainer. Using flatpak
does not enable better contribution from the dev, It allows them to distribute the software
more easily which weaken the extra layer of defense provide by the maintainer.

Perhaps somewhere else there will be proprietary flatpaks, but not in our store because
we intend to maintain it in such a manner that only free software gets in.

You’re enabling all the flathub package to run on PureOS by default. When, you search
for internet for flatpack, the user will get flathub as first link… Moreover, flatpack makes
proprietary software and malwares easier to develop and distribute in the Linux ecosystem.

To sum-up, what is the goal to use an universal packaging format ?

Presumably developers may wish to target the broader Linux ecosystem, rather than just PureOS. A developer can create a Flatpak and have it work on Fedora, Ubuntu, Debian, PureOS, openSUSE, etc (as far as I know anyway). Since I think (could be wrong), Purism’s efforts with the Librem 5 have resulted in a tool which can take a GTK program and “mobilize” it (as in, make the interface mobile-friendly), a developer using a Flatpak can hit the entire Linux ecosystem, mobile+desktop. If I’m wrong, though, please correct me.

Maintainers already do this stuff. Developper only need to publish its source code.
Maintainer will do the rest.

Moreover, Firefox is packed in all Linux distribution but with some differences depending
of the philosophy of the distribution. How a single package can satisfy all the Linux distributions ?
Some distribution will want the firefox package as is, and some will want to strip EME out of Firefox
(sorry for the duplication of this example but I think that it resumes well the idea).

To resume, when you use flatpak, you do not follow the distribution
view of the Linux ecosystem (which is bad, if you really cannot stand without
a particular software, you should either change your distribution or, as last
resort, use a real VM solution and setup your VM yourself to be sure of
its security).

Don’t get me wrong, I hate flatpak, I ise pacman as an Arch user, but, is it really so wrong to want the FREEDOM to add repositories you wish? And who gets to decide that users should be protected from themselves. I am very interested in the L5 and it’s development. If the l5 is going to be dumbed down to protect the user it loses almost all it’s allure. They say it should run other distros, but, then you would lose out on all the wonderful advances made so far. The only other phone I know of that ran Gnu/Linux was the ubuntu phone, and, that’s a fate worse than death. I currently run an Android custom Rom with Fdroid and Nanodroid to prevent tracking and replace proprietary software. I am used to freedom to do with my device what I wish. It is already secure and I make it look the way I wish. Why would I change to a l5 if I could not enjoy that same freedom? It will be my device. That is the whole point right? Security and a device you can truly own. It is very presumptuous to assume the user is going to be a newb that needs protecting. I wish Purism had a wider market, but, how many customers are you really expecting to be newbies?

Arch user here too (well not necessary to mention that but it’s just that I really love pacman and AUR), Flatpak is just one way to install a program, you won’t be restricted to it, if you wish to install things with only the package manager then you’ll be fine, if you want to add new repos then just do. (it’s Linux buddy, do what you like, you’re free)
By the way, I’m pretty sure that you’ll be able to run Arch in a short amount of time with all the packages needed for the Librem 5 to work as it does will on PureOS if you really don’t like Debian bases and/or if you want the benefit of pacman (and AUR).
About the use of Flatpaks I’m not really against it (even if I don’t like it for what I tried, I’ll stick to good old apt or maybe go on the Arch way for the fun of it) but I think it’s a good way to target a bigger market that is people that care about their privacy but are not very tech people or just newbies on Linux (I used to be that newbie and I would have really welcomed that 5 years ago before even trying to distro-hop and find what fits me).

I’m actually on Antergos, and, my only experience with flatpak was on a few month trial run of rebornos which is like Antergos plus another repo. Didn’t like it at all. That said it is the reasons given by the op and other commentor that I was refferencing. I don’t care what kind of package management it has honestly.

One thing I think you are being too optimistic about using the l5 as a phone with other distros out in the beginning. Other distros are going to be missing a lot of the software that pureos is putting in the work to make. The upstream stuff for GNOME sure, but, it is going to take time to get some of that stuff ported to other distros. It is not like I can buy a l5 and throw arch on it out of the box and use it as a phone. I’m looking forward to trying out pureos, but, I can’t say I am a fan of debian based systems. I spent a year and a half distrohopping to end up where I am and debian was not one of my favorites.

Well I know that I won’t be able to throw any distro on that puppy right out of the box, that’s why I plan to use it on PureOS for a few months then when everything is considered as “good” and “stable” on other distros (well Arch in my case) I’ll go take a look. (sorry I got a bit out of the topic)

Interesting debate here I’ll try to fan the flames as best as I can…

Flatpaks and stores
Different from Canonical’s Snap package format, flatpak doesn’t mandate a single repository controlled by a central authority. That’s why Flathub was possible as an initiative from outside of flatpak development. That’s the reason Purism can set up their own repository, with their own rules, and have that be the default on the phone.

Maybe the term store or shop is what puts some people off, but I don’t think the concept is much different from the repositories already provided by distros. It’s just the place you get stuff from.

Flathub
I don’t quite understand the need to worry about proprietary applications potentially being available from Flathub or anywhere else. Don’t install them and you should be fine? Stick to the Purims repository/store/shop/app center, where you can be sure source code is available and everything is free as in freedom.

As a side note, and correct me if I’m wrong, my understanding is that a flatpak is built for a specific processor and thus not portable across architectures. Flathub is for Intel/AMD only - at least I see no place where I can select anything else there. The Librem 5 will have an ARM-based chip, which is completely different. So, the flatpaks currently available from Flathub will not be usable on the Librem 5.

Portability between distributions and application availability
Portability matters because distros are different: Linux is a single thing only for command line usage, there is no equivalent to the LSB if you want anything windowy or desktopy. This is a major sticking point for developers who want to make their apps widely available. Using the features of flatpak, developers can target a single environment - of their choice - and still have their apps run on any distro with flatpak support.

Most people can not be expected to download source, resolving dependencies, and compiling applications. I can see the benefit on a major distro like desktop Fedora here, where flatpaks let me install missing apps easily.

This should even more be a good thing for a distro with just a couple of thousand users world-wide. Like the mobile version of PureOS. Just have a look at the different threads here, were people are concerned about which applications will be available on the phone.