Is it just me or can’t Fedora Silverblue install Flatpaks downloaded from the web (flatpakref) in GNOME Software?
(This is a valid, decentralised way of distributing software that doesn’t require centralised services like Flathub, etc. and should be supported as a first-class citizen in free and open operating systems.)
https://github.com/fedora-silverblue/issue-tracker/issues/267
@aral No, I have had the same problem recently.
@aral have you tested how this compares to the CLI? Just curious if it's a flatpak or a GNOME Software limitation.
@sheogorath Yep (see issue); it works via the command-line.
@aral definitely a bug. The intent is for Flatpaks to be trivially sideloadable with GNOME Software, regardless of the source.
@cassidyjames Good to know, thanks :)
@aral this is where I actually prefer the elementary Sideload approach with a small dedicated utility. Less to break, and more clear that it’s a sideload. Theoretically one could install Sideload on a GNOME distro and it should just work, too! You’d have to compile it in a toolbox or something on Silverblue, though.
@cassidyjames Yeah, and I’d really love to see the approach evolve so that the assumption is not “Beware: app from web bad… are you sure you want to potentially ruin your life?” to things like “Ah, this app is free and open source so you can verify the code (gorgeous check mark), etc.”
In other words, an approach that is supportive of decentralised app distribution :)
Perhaps even a whole new app (not just a dialog) that builds a great experience and community around this use case…
@aral @cassidyjames not a fan of this tbh. Stalkerware and ransomware can easily be open source. Curation and trusted institutional app sources are a really good match for end user software.
@ryanprior @aral yeah it's absolutely a balance. I was going to suggest that yeah we could use AppData more extensively in Sideload, maybe, but the problem is: all that data is provided by the author so there is literally no guarantee.
Best you can do is something like, “Here is what this file claims. Only install it if you are sure you downloaded it from a trusted source. If you are unsure, visit the website and redownload it.”
@ryanprior @aral because yeah, a bad ad could definitely point you to install “Firefox” and the AppData could say all the right things! It’s open source, provided by Mozilla, official screenshots, even the right app ID so it shows the right reviews… and it could easily be a poisoned version.
The only way to progress on actually solving that IMHO is with SOME sort of centralized trust, e.g. verified signatures.
@ryanprior @aral you don't want to be unnecessarily scary, but you also have to be honest.
If you pretend every sideloaded app is totally fine and exactly what it says it is, you might as well have no speed bumps for installing sideloaded apps because you can't make any guarantees. But of course the other extreme of assuming every sideloaded app is bad and dangerous hurts the experience of installing indie apps from outside the store.
It's a very hard problem.
@cassidyjames @aral decentralizing distribution of the bytes (e.g. BitTorrent) is great, but decentralizing the source of information (app data, authorship claims, anti-abuse measures) is a gift to agents of misinformation and abuse.
@cassidyjames @aral this effect scales with the size & complexity of the community it's serving as well: when the stakes are higher, the decentralized approach gets even worse. I'm reminded of our back & forth on this GitHub issue: many UX choices are only acceptable at a small enough scale. https://github.com/elementary/appcenter-web/issues/42
@cassidyjames @aral small-scale decentralized distribution channels that adopt these assumptions and UX patterns become landmines—if a large enough community ever puts pressure on them, they'll blow up and hurt people.