@kurisu Dependencies on compiled Python libraries. And Tor. And GnuPG, ideally a specific version so I don't have to worry about the shifting API.
If you've made your application so difficult to package that it'll never be included in distro repositories because it has unmanageable dependencies, that's *your* problem, and flatpak and snaps are just ways that developers push that problem on users.
@kurisu Hi, I asked for opinions, but now you're just lecturing.
Thanks for your input, please stop now.
I hope you see that users really do dislike appimage, flatpak and snaps though. Dismissing users expressing their opinion as just being smug is unhelpful imo.
@kurisu Yes, I see that opinionated people who don't know what I'm dealing with or what I've already considered, are still quite eager to preach and tell me my question is wrong.
I hear that people don't like it, but honestly, every tech has haters. Saying you dislike something has almost zero signal, it's just noise.
Tell me WHY, and I'll listen. If you just tell me something sucks, I probably won't.
@sir @kurisu Later in the app's lifecycle, I fully expect the distros to take over.
At this early stage though (the app is honestly a bit shit and will need frequent fixing), I expect being able to ship updates faster than the distro release cycle has a lot of value to my users.
So I'm considering what options I have for doing that.
my dream package manager stores individual packages in their own special path that includes information that can be used to verify the integrity of the build. dependencies are overlayed into the runtime path for a particular application. app can only write into a sandboxed path. app cannot escape.
i have a proof of concept for parts of this idea. i'd like to find a way to extend APK to work with this idea so i can reuse the alpine packaging tools.
https://source.heropunch.io/tomo/grid/src/branch/latest/grid
@kurisu @sir This is what I am doing now, for Debian derived distros.
And from a security POV, I feel REALLY bad about it. Once you add my repo to your apt sources, I can update any package on your system. I can do so selectively based on your IP address.
Shipping a Snap or Flatpak does imply bloat and does put the onus on me to rebuild and ship when dependencies have security flaws - but at least I can't replace your /usr/sbin/sshd.
Everything has pros and cons.
@sir @HerraBRE @kurisu my other big problem is my distro already has a great package manager. If I can't get packages from my package manager, I can either build from source (and I think possibly the people who will most care about your product will be capable of this), or use the AUR. It's easy, simple, and efficient. Flatpak et al. Require something like a 200mb download, along with the software. It's massive. It's bloated. It doesn't fit with my philosophy.
Being in a distro package is to me a guarantee that I can remove it safely from my system. None of the above three systems have gained my trust that they'll do the same.
Hope that helps.
@kurisu That does help, those are criteria I would like to consider. Thank you!
And FWIW, I'm already building proper Debian packages.
I'm considering what else to teach the build-bot that is likely to give me the most bang for my buck.
@kurisu Maybe I am! But I'd still like to understand the alternatives out there.
As a developer *and* a user I don't want to take that risk.
The sandboxing is nice though, it takes some of that risk away but for an email program, at the very least any RCE will have acess to my email even if it doesn't escape the sandbox.
@kurisu Dependencies that some platforms may have preinstalled, but others will not. Flatpacks and Snaps let me ship my dependencies without breaking other apps.
A binary tarball will either be insufficient (things missing), or it will start overwriting OS default packages.
So it either breaks, or is hideously impolite... or it includes hacks which basically reinvent Snaps or Flatpak (or AppImage).
