[digiKam-users] Future of digiKam bundles...

Chris Green cl at isbd.net
Mon May 25 09:11:36 BST 2020


On Sun, May 24, 2020 at 02:26:43PM -0700, Mica Semrick wrote:
> On 5/24/20 1:38 PM, Chris Green wrote:
> 
> > > Perhaps you should come to a full understanding of the technology before
> > > throwing your opinion into the mix.
> > Why?  I doubt if anyone here fully understands rpm, deb or whatever.
> > I'm just trying to get my mind round what flatpak might mean in terms
> > of keeping my installation safe and easily maintained.
> 
> Again, using Plasma Discover, Gnome Software, or the cli with "flatpak
> update" is how you maintain your system. Since flatpak is repo based,
> getting your flatpaks from a trusted source is how you keep it secure. Just
> like you don't install software from random deb/rpm archives, you'd do the
> same for flatpaks.
> 
OK, I tend to be a CLI person so there's a CLI with the flatpak
software, I had a bit of a problem to start with because I was
searching for 'flatpack' rather than 'flatpak'.  

It wasn't at all clear from the first announcement that the
flatpak utilities *do* come from the standard repositories, that was
my initial worry.  There seemed to be two layers of 'off repository'
software involved.   So that's not as difficult as I thought.

> > 
> > It may very well be a good alternative/improvement over appimage, I'm
> > just trying to ensure that we're not losing the huge benefits that
> > well maintained repositories provide.
> 
> AppImages aren't in a repo. You download them like you would an exe, then
> run them. There is no inherent sandboxing in AppImage (you'd need to use
> something like firejail), but flatpak has built in sandboxing. AppImages
> can't be signed, but flatpak includes GPG signing verification
> out-of-the-box.
> 
But would the Dokuwiki images used by flatpak be inherently any
safer?  OK, there's GPG signing but that only guarantees that I'm
getting what the 'sender' wanted me to get, not that it's necessarily
safe.  Is it a big improvement that makes it worth yet another change?
There seem to be several approaches to this issue at the moment and
I'm a bit concerned that moving from one to another too often is
counter-productive.


> > I already stopped using snap.  Appimage is Ok'ish and if flatpak is
> > as good then I'm happy, I'm just trying to convince myself that
> > flatpak *is* as good/safe as appimage.
> 
> I wouldn't consider AppImage to be "safe" by any means. There is nothing
> inherent to AppImage that makes it safe to run on your system.

Yes, I quite agree, I'm not particularly happy using Appimage but
given that I want to continue to use Digikam (very much) I have to
really.  If we move to flatpak then I guess I'll move too.  

My questions are just my OCD/Paranoia about moving 'off repository'
and whether moving from one solution to another is necessary.

So, thank you for explaining this some more and thank you to the
Digikam development team for Digikam.  :-)

-- 
Chris Green

