[Interest] Official linuxdeployqt ?

Roland Hughes roland at logikalsolutions.com
Wed Aug 10 13:49:45 CEST 2022


<analysis on>

On 8/10/22 05:00, Konrad Rosenbaum wrote:
> <rant excuse="sorry folks">
>
> Not ever in my career have I used an IBM Mainframe. Doesn't mean it is a
> bad machine...;-)
Well you should have because now it pays more than Qt work! I get 
roughly 3 calls per week on it and my blue box is way out of date. Just 
signed a $120/hr RTR for brown box work yesterday though. :-)
>
>
> I seriously used AppImage once, without even noticing: KDevelop 5 before
> it was available in Debian. I just downloaded, chmod +x, run, happy.
> Tried it again today to check the impact on my system - still happy.
> (Single hidden FUSE mount, runs without any other impact, cleans itself
> up after exit. No pre-install dependencies needed.)

<snipped rant - good rant, but snipped for length>

https://forums.linuxmint.com/viewtopic.php?t=336342
Post by karichen Dec 01, 2020 7:56 am and again at 9:46 am
Post by antikythera Dec 01, 2020 11:37 am

=====
Solution: run the questionably sourced AppImage in Firejail; Snap and 
Flatpak are already sandboxed by default. Case in point: if you use the 
Thunderbird snap you have to enable printer access for it.

So yes, AppImages do pose a bit more of a risk than other packaging 
formats, without end users being aware of the need to run them in Firejail.
=====

I don't remember karichen's job exactly but that user was deploying 
Linux Mint on corporate desktops for a not tiny company. Two not short 
but measured responses from the corporate "there be viruses" world.

I quoted the entire antikythera post to point out what was and probably 
is still true. Flatpak is sandboxed by default, AppImage is not.

I snipped your tale of woe with both Snap and Flatpak because yes, naive 
developers that never went to college can turn off all sandboxing to 
"make it work" then release trash on their own Web site. In the early 
days of Snap that trash also made it into the repos. I've not heard of 
anything in Flathub that is signed and behaves in a non-sandboxed manner.

> Tar: even easier and users that install external software can usually
> handle it. The update path is a bit ...well ...nonexistent. It works as
> long as you do not hard-code paths.
Tar also walks on existing libraries.
> What you want to use very much depends on your target audience. Do they
> need system packages, easy download, or even source preferred over
> binaries? What distribution do they run and what is the preferred
> mechanism there? There is no one answer.
>
>
> All we can say for sure after all this discussion is: Qt is used on many
> different styles of Linux distribution with at least as many preferred
> package formats. Feelings seem to run a bit hot on that topic, so any
> choice will p*ss off someone.

Qt isn't used on as many Linux platforms as one would like to believe, 
not anymore. There are some legacy packages that haven't ported to other 
libraries, but not much in the way of new development post FeatherPad 
after the licensing shenanigans. Most distros have dropped KDE as a 
supported desktop because of that.

So, for the legacy applications still using Qt on Linux some will be for 
developers, but most will be for "consumers." Even Wireshark is flatpak 
today.

https://flathub.org/apps/details/org.wireshark.Wireshark

I will let karichen's posts stand for the corporate world and basically 
mine. I don't care how awesome something claims to be. I will only test 
install it on a sacrificial machine that is not on my network then I run 
a full antivirus scan. Yes, I have Clamshell running on all my Linux 
machines.

> So after all of this it seems to me that the sanest choice would be to
> just populate a directory hierarchy and let some other tool deal with
> all the anguish and innuendo that comes with the (wrong) choice of
> distribution package.
Not really, no. You are building on a 64-bit machine but cross compiling 
for 32-bit ARM so your application can run on a Raspberry Pi II, or 64-bit 
ARM for a later Pi or possibly a Mac. The RPM distro tree wants each 
library in its own directory: /lib for 32-bit, /lib64 for 64-bit, etc. 
Debian does it differently.
>> Most companies and many Linux distros have started making it more
>> difficult for someone to "just download and install from a Web site"
>> because Malware is everywhere.
> Examples? All I've noticed is that Linux is now easy enough for users
> that don't understand how to unpack a tar or how to sudo to a root shell.

https://www.zdnet.com/article/linux-malware-attacks-are-on-the-rise-and-businesses-arent-ready-for-it/

https://jetpatch.com/blog/patch-management/rising-ransomware-trend-why-is-linux-suddenly-a-target/

Lots of chatter now where companies deploying Linux desktops are 
changing the GUI app sources to point to internal company maintained 
applications. This has been done for Windows for years in the 
corporate/medical device world. Joe Palluka can't install from the 
Microsoft Store but they can install from the company store. Usually has 
half a dozen IDEs and editors. A few "office" type things that help with 
the standard office package, etc.

>
>> Does any distro actually put AppImage files in their repo? I'm asking.
>> I have never heard of it but that doesn't mean there isn't some
>> obscure distro doing that.
> Why would they? The point of AppImage is that you DON'T need to put it
> into the distro package store.
The point of the GUI installers and all of the Linux security articles 
about Ransomware and Linux now being one of the primary targets for such 
Malware is to restrict user ability to install software such that they 
can only install trusted vetted signed packages that mostly run in 
sandboxes. By default AppImage is not sandboxed but Flatpak is. As 
another poster pointed out Flathub will sign trusted vetted sandboxed 
packages.
>
>> In fact, Ubuntu has already started their migration away from Snap by
>> installing Flatpak out of the box in Ubuntu Mate 22.04
>>
>> https://www.omgubuntu.co.uk/2022/02/ubuntu-mate-22-04-flatpak-support
> That's Mate. Not Ubuntu proper.

Okay. LUbuntu is in the Ubuntu repositories. KUbuntu is in the Ubuntu 
repositories. Ubuntu-Mate is in the Ubuntu repositories. Ubuntu is in 
the Ubuntu repositories. Are we seeing a pattern? ;-)

>
>> Why? Because the Linux distros that matter, some of them YABUs
>> themselves have all integrated Flatpak.
>>
>> https://www.omgubuntu.co.uk/2022/02/ubuntu-mate-22-04-flatpak-support
> BTW: repeating the same link four times does not make it any truer or
> more prophetic.
>
> Flatpak is a Debian package, so of course it turns up in all Ubuntus.

Sorry. After the last update Firefox hasn't consistently copied URLs to 
the paste buffer.

https://www.makeuseof.com/linux-distros-adopted-flatpak/

Last I checked CentOS wasn't a Debian based version, nor was Fedora.

>> The Linux world demands a single trusted vetted repository. Then Linux
>> can seriously be considered for corporate desktops. It already has
>> applications like TextMaker and OnlyOffice, etc. What it doesn't have
>> is a single trusted repository.
> Read my lips: not, going, to, happen.

Read my lips: corporations running Linux are going to force this on the 
community and shower the distros that go this route with seemingly 
limitless support contract dollars. Oracle didn't thieve a version of 
Red Hat because they were bored. Red Hat revenues are approaching $5 
Billion.

https://www.bizjournals.com/triangle/news/2021/06/04/ibm-ceo-talks-red-hat-success.html

Red Hat and OpenSuSE have been locking down their worlds for a while. It 
has even trickled out to Fedora, where it has to reboot in maintenance 
mode to apply updates. Well, updates to anything that might matter.

https://www.redhat.com/en/topics/linux/what-is-selinux

Will there always be fly-by-night distros that allow traditional Linux 
Anarchy? You bet. They will become increasingly obscure though.

Right now the bulk of the mainstream is pushing the workload and the 
signing to Flathub. Is it perfect? No. It is way better than what we 
had. It also has unbelievably deep pockets behind it. One of the main 
listed investors is: Cloud Native Computing Foundation

https://www.cncf.io/about/members/

They all need Flathub to work too.

> Obviously the single central repository is also not the criterion for
> corporate IT - Windows has none either. Please keep searching and let me
> know what else you find.
>
> [hint: inertia]

I have no idea where you got that. I've been working at some of the 
major medical device manufacturers for the past decade.

Every one of them has their own central software repository.

Every one of them has the Windows laptops and desktops configured to 
pull updates only from a corporate Windows update site. Only about half 
of them actually maintain that site. You have to have Admin priv to 
navigate into settings to check the box allowing your machine to look at 
official Microsoft repositories.

Every non-medical device corporation I've worked for issues you a 
laptop/desktop computer where you have zero priv to install anything. 
Most have security software installed, so if you download and unzip a 
single-file text editor executable in your own directory then create a 
desktop shortcut for it, security comes and has a chat with you. Others 
just nuke it remotely.

How long has it been since you worked in the Fortunate 500 world? ;-)

>
> [80% of rant cut, unexpected trigger...]
>
>> Snap wasn't the correct idea. Flatpak is. It's basically a better
>> Docker and now many distros are having their graphical application
>> installer use Flathub directly.
> Say what?
>
> Flatpak has absolutely nothing to do with Docker. It just uses similar
> APIs. FP is an alternative app distribution path with dependencies in
> image files. It does not isolate the app from the system. Docker allows
> easy deployment of server components (using image files) with dozens of
> versions in parallel, hundreds of instances running in isolated
> environments and some network magic to tie it all together.
>
> Following your logic I proudly pronounce Apache to be a better FTP
> server, because it uses the same socket APIs, just a slightly different
> purpose.;-)
>
Flatpak, like Docker, uses "layers". If the Flatpak you are installing 
uses some of the same "layers," like say the same version and build of 
SQLite3 libraries, those layers don't get pulled down.

Flatpak is by default sandboxed. Someone has to really forcibly try to 
impact the system. By default you usually get access to the user $HOME 
directory if that.

https://docs.flatpak.org/en/latest/sandbox-permissions.html


>> https://www.omgubuntu.co.uk/2022/02/ubuntu-mate-22-04-flatpak-support
> Still not prophetic.
I wish you would have included the snippet above so I could fix the cut 
& paste error.
>
>
> [cut...]
>
The really deep pockets have spoken. Flathub is where we are going. Even 
Apple and Microsoft are on the list of members.

https://www.cncf.io/about/members/

That time I posted again for real.

https://winaero.com/flatpak-coming-wsl-windows-10/

Which is a big improvement from 2019:

https://www.neowin.net/news/initial-flatpak-support-arrives-for-windows-subsystem-for-linux/

</analysis off>

-- 
Roland Hughes, President
Logikal Solutions
(630)-205-1593

http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com
http://www.logikalblog.com
http://www.interestingauthors.com/blog
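As an added example, not code from this thread or from the Flatpak project: a small Python checker that reads the keyfile sections `flatpak info --show-permissions <app-id>` prints and flags the overrides that step outside the default sandbox described in the message above (host filesystem, all devices, the X11 socket, and talk access to org.freedesktop.Flatpak). The sample permissions are constructed for this example.

```python
"""Flag Flatpak permissions that weaken the default sandbox."""
import configparser

# Constructed sample: an app asking for far more than the default
# (at most $HOME) that a sandboxed Flatpak normally gets.
SAMPLE_PERMISSIONS = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=host:ro;xdg-run/pipewire-0;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
"""

# Values that give an app a way out of the sandbox:
# - host/home filesystems expose the user's or the system's files
# - devices=all exposes /dev wholesale
# - x11 clients are not isolated from each other by the X server;
#   raw session/system bus access bypasses the bus proxy filter
RISKY = {
    ("Context", "filesystems"): {"host", "host-os", "host-etc", "home"},
    ("Context", "devices"): {"all"},
    ("Context", "sockets"): {"x11", "session-bus", "system-bus"},
}
# Talking to (or owning) this name lets the app spawn host commands.
ESCAPE_BUS_NAMES = {"org.freedesktop.Flatpak"}


def parse_permissions(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # bus names are case-sensitive
    cp.read_string(text)
    return cp


def find_risky(text):
    """Return 'Section/key=value' strings for every risky permission."""
    cp = parse_permissions(text)
    findings = []
    for (section, key), bad in RISKY.items():
        if cp.has_option(section, key):
            # Lists are ';'-separated; filesystems may carry ':ro'/':rw'.
            values = {v.split(":")[0] for v in cp.get(section, key).split(";") if v}
            findings.extend(f"{section}/{key}={v}" for v in sorted(values & bad))
    if cp.has_section("Session Bus Policy"):
        for name, policy in cp.items("Session Bus Policy"):
            if name in ESCAPE_BUS_NAMES and policy in ("talk", "own"):
                findings.append(f"Session Bus Policy/{name}={policy}")
    return findings


if __name__ == "__main__":
    for finding in find_risky(SAMPLE_PERMISSIONS):
        print("RISKY:", finding)
```

Feed it the real output of `flatpak info --show-permissions` for an installed app to see which of its overrides extend beyond the default sandbox.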


