Fedora is reconsidering the use of FlatHub 


Michael Catanzaro (Epiphany developer and contributor to the GNOME and Fedora projects) has proposed a solution that could change the way Fedora Workstation manages Flatpak packages.

In the proposal, he suggests making FlatHub the default source for packages installed by users, limiting Fedora's own Flatpak repository to the packages that come pre-installed with the distribution.

The debate over Flatpak management in Fedora Workstation

Today, Fedora uses its own Flatpak repository in the default configuration. This repository is generated by rebuilding RPM packages and has a higher priority than FlatHub. While it is possible to enable downloads from FlatHub after installing the system, this requires the user to manually enable the "third-party repositories" option in GNOME Software. Even with that setting enabled, Fedora packages still take priority.

Michael maintains that most users would prefer to get their packages directly from FlatHub. That platform brings together packages created and maintained by the application developers themselves, who best understand their applications' specific features, which results in greater stability and more thorough testing. According to data cited by Catanzaro, 80% of the panelists surveyed expressed a preference for FlatHub over the Fedora repository.

This situation has also generated confusion among users, who assume that when they install a Flatpak application on Fedora it comes from FlatHub, as is the case on other distributions. In reality, the packages come from Fedora's internal repository, with potentially notable differences in quality.

The Fedora Workstation of the future must be:

Secure and image-based by default: an atomic operating system composed of bootc-based RPMs. Most users should opt for image-based mode, as it's much harder to damage the operating system and easier to troubleshoot when something goes wrong.
Flexible if desired: Conversion from an image-based operating system to a traditional package-based operating system, managed by RPM and dnf, should be allowed for users who prefer or require it. Alternatively, if conversion isn't possible, installing a traditional, non-atomic Fedora should remain possible. In any case, we shouldn't force users to use image-based desktops if they don't want to, so there's no need to worry. But image-based desktops should eventually become the default.
Silverblue isn't ready yet, but Fedora has a great developer community and should eventually be able to resolve the remaining issues.

When bugs arise, complaints are often directed at the official developers of the apps, creating unnecessary tension, as happened in the case of OBS Studio, whose problematic package on Fedora was given higher priority than its version on FlatHub.

One of the arguments in favor of maintaining Fedora's custom repository is security: packages are built in controlled environments from the declared source code, and only under open licenses approved by Fedora. Additionally, it is possible to include specific patches that are not yet part of the upstream projects' source code.

However, Catanzaro recognizes the need to strengthen security on FlatHub as well. The proposal includes working together to enable package building on verifiable infrastructure, incorporate reproducible builds, and combat the presence of outdated runtimes. Currently, nearly a third of verified packages on FlatHub use runtimes whose support has already expired, posing a security risk.

Other issues were also detected, such as outdated dependencies and the disabling of isolation measures by some developers, which undermines the effectiveness of sandboxing. As a solution, it is proposed to implement automatic runtime checks, strengthen isolation measures, and ensure ongoing maintenance of Flatpak packages.
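As an added example (not code from Catanzaro's proposal, Fedora or Flathub), the following Python script audits an installed system for the two problems just described: runtimes that flatpak itself flags as end-of-life, and applications whose requested permissions effectively switch off the sandbox. It assumes the flatpak 1.x CLI: `flatpak list --columns=ref,options` with tab-separated columns when piped, and the INI-style output of `flatpak info --show-permissions`; the list of "broad" permissions is a constructed check list, not a policy of either project.

```python
import configparser

# Constructed check list (assumption, not a Flathub/Fedora policy): permissions that
# effectively switch off the sandbox. org.freedesktop.Flatpak lets an app run host commands.
BROAD_FILESYSTEMS = {"host", "host-os", "host-etc", "home"}
BROAD_DEVICES = {"all"}
BROAD_BUS_NAMES = {"org.freedesktop.Flatpak"}

def audit_permissions(permissions_text):
    """Parse `flatpak info --show-permissions APP` output; return a list of findings."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)  # values contain ':'
    cp.optionxform = str  # keep D-Bus names case-sensitive
    cp.read_string(permissions_text)
    ctx = cp["Context"] if cp.has_section("Context") else {}
    def values(key):  # "host;xdg-download:ro;" -> {"host", "xdg-download"}
        return {v.split(":")[0] for v in ctx.get(key, "").split(";") if v}
    findings = [f"filesystem access to {n}" for n in sorted(values("filesystems") & BROAD_FILESYSTEMS)]
    findings += [f"device access to {n}" for n in sorted(values("devices") & BROAD_DEVICES)]
    if cp.has_section("Session Bus Policy"):
        for bus_name, policy in cp["Session Bus Policy"].items():
            if bus_name in BROAD_BUS_NAMES and policy in ("talk", "own"):
                findings.append(f"session bus {policy} access to {bus_name}")
    return findings

def find_eol_refs(list_output):
    """Parse `flatpak list --columns=ref,options` output (tab-separated when piped)
    and return the refs that flatpak flags as end-of-life."""
    eol = []
    for line in list_output.splitlines():
        cols = line.split("\t")
        options = cols[1].split(",") if len(cols) > 1 else []
        if any(o == "eol" or o.startswith("eol-rebase") for o in options):
            eol.append(cols[0])
    return eol

# Constructed sample output standing in for the two commands above.
SAMPLE_PERMISSIONS = """[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=host;xdg-download:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""
SAMPLE_LIST = ("org.example.App/x86_64/stable\tcurrent\n"
               "org.example.OldPlatform/x86_64/1\teol\n"
               "org.example.Platform/x86_64/2\t\n")
if __name__ == "__main__":
    print(audit_permissions(SAMPLE_PERMISSIONS), find_eol_refs(SAMPLE_LIST))
```

On a real system, feed the script the output of `flatpak list --columns=ref,options` and of `flatpak info --show-permissions` for each installed application instead of the constructed samples.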

The transition to FlatHub would not be abrupt. The idea is for Fedora Workstation, in its atomic edition, to install free software from FlatHub by default, while keeping the pre-installed packages from the Fedora repository. The change would only affect packages that users subsequently choose to install through GNOME Software.

Timothée Ravier, another Fedora developer, has backed this line of thinking with a parallel proposal for Fedora 43. It would make selected and vetted FlatHub applications available for direct installation, while pre-installed packages would continue to be managed from Fedora. This change would reduce the workload for maintainers, eliminate user confusion, and contribute to better collaboration between Fedora and the upstream projects.

Finally, if you are interested in learning more, you can consult the details at the following link