@kurisu Dependencies on compiled Python libraries. And Tor. And GnuPG, ideally a specific version so I don't have to worry about the shifting API.
@kurisu Hi, I asked for opinions, but now you're just lecturing.
Thanks for your input, please stop now.
@sir @kurisu Later in the app's lifecycle, I fully expect the distros to take over.
At this early stage though (the app is honestly a bit shit and will need frequent fixing), I expect being able to ship updates faster than the distro release cycle has a lot of value to my users.
So I'm considering what options I have for doing that.
@kurisu @sir This is what I am doing now, for Debian derived distros.
And from a security POV, I feel REALLY bad about it. Once you add my repo to your apt sources, I can update any package on your system. I can do so selectively based on your IP address.
Shipping a Snap or Flatpak does imply bloat and does put the onus on me to rebuild and ship when dependencies have security flaws - but at least I can't replace your /usr/sbin/sshd.
Everything has pros and cons.
@sir @HerraBRE @kurisu my other big problem is my distro already has a great package manager. If I can't get packages from my package manager, I can either build from source (and I think possibly the people who will most care about your product will be capable of this), or use the AUR. It's easy, simple, and efficient. Flatpak et al. require something like a 200mb download, along with the software. It's massive. It's bloated. It doesn't fit with my philosophy.
@sir @kurisu The security problems depend on how good a job I do shipping updates. This is indeed a concern.
The security benefits of sandboxing are very real and I disagree with you on that point.
But thank you for having a real opinion!