Flathub, initial proposal

Alexander Larsson alexl at redhat.com
Thu Sep 1 15:21:41 UTC 2016


On Thu, 2016-09-01 at 15:59 +0200, Jorge García wrote:
> 
> Hi,
> 
> I'm interested in participating in the design & development of the
> proposal. 

Cool!

> 
> Some days ago I shared with this list [1] a design document [2] that
> matches quite a lot with the "App Store" side of your proposal.
> 
> For the developer's side, I considered these options:
> * Develop something like GitHub but using OSTree   
> * Develop something like Docker Hub
> * Develop something like "Google Play Developer console"
> 
> In the end I opted for the Google Play model (the developer generates
> a bundle "application.flatpack" file and uploads it to the store). 
> 
> PROS:
> * It solves the principal need: provide an easy channel for devs to
> publish their apps
> * It's a well known process used in other platforms (Android, iOS,
> ...)
> * It can be more agile (no need to wait for a build server)
> * This kind of service seems easier to implement than the other
> options (GitHub  & Docker Hub)
> 
> I personally don't see the need of controlling the build process and
> keep the sources. If we trust a developer to control his source code
> and publish it in his own git repo, why don't we trust him to build
> his code and upload it to the store? 
> 
> However, there should be some kind of control for the apps before
> being published, like controlling that the "official Firefox" is
> published by Mozilla and no 3rd parties.

There are two answers here. First of all, in many cases it's *easier*
for the user to just upload something, and get access to fast build
machines on various architectures. So, many people actually want this.

Secondly, and more importantly, some organization has to take some
legal responsibility on what is being distributed. If for instance
we're distributing a build of a GPL application, we're bound under the
license to also ship the sources. It's also generally easier to verify
that nothing weird is going on with sources than with binaries. For
instance, you can easily check if the tarball matches the upstream
checksums. Also, as long as we are hosted by the GNOME Foundation, we
can only ship free software, and only having the source makes that
possible to verify.

Long term I think we want to allow users to upload pre-built releases
(and I mentioned this in the mail), but that will be somewhat out in
the future.
