How will Flatpak prevent proliferation of out-of-date libraries?

With the current package system (RPM or Deb), there is usually only one major version of each library and program installed. All libraries should use Semantic Versioning, so new minor versions can easily be installed without breaking anything. If there is a security issue, the library is fixed and all dependent code directly benefits from the patch.
Now with Flatpak I see that people will just bundle everything, perhaps because they have slightly modified the upstream library. If there is a security update, all upstream developers need to update the library. Even with the "runtime" concept, an app could still depend on an outdated version of the library.
To me, dependency hell only comes from a lack of API stability discipline. If the libraries would properly keep their APIs stable or issue a new major release, it would all be just fine. In the Ruby and Python world I often see that there are lists of requirements with exact version numbers. All that is installed into a virtual environment and will never be updated once the software is deployed.
How is Flatpak going to prevent the proliferation of convenience copies of libraries with security issues?
flatpak
asked Jul 30 '17 at 8:52
Martin Ueding
1 Answer
At least for the basic libraries like OpenSSL and so on they have the concept of runtimes. These are e.g. GNOME, KDE, etc. And these can be upgraded, even if the flatpak itself was built with an earlier version of the runtime.
Other than that, however, the other libraries in the flatpaks need to be maintained. Obviously here the author of the application should maintain that, otherwise the main application is likely also not maintained, so you may have this problem for the main application too.
answered 1 min ago
rugk
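The answer's point is that shared libraries living in the runtime (OpenSSL and friends) get updated by updating the runtime, while each app stays on the runtime branch it was built against. An older branch keeps receiving updates only until it reaches end of life, so one thing an administrator wants to know is which installed apps are still pinned to an older branch than the newest one on the system. The script below is an added example, not code from the question, the answer or the Flatpak project. It assumes the input shape of `flatpak list --app --columns=application,runtime` (app id, runtime ref as `name/arch/branch`) and `flatpak list --runtime --columns=ref`; the sample data is constructed so the script runs offline. It cannot see libraries an app bundles in its own tree, which is exactly the part the answer says only the app's author can maintain.

```shell
#!/bin/sh
# Added audit example: list installed Flatpak apps whose runtime branch is
# older than the newest branch of that runtime present on the system.
# Input shape assumed to match (not verified here):
#   flatpak list --app --columns=application,runtime
#   flatpak list --runtime --columns=ref
# The data below is constructed; it is not taken from a real system.

# Constructed sample: app id, then runtime ref "name/arch/branch".
SAMPLE_APPS='org.example.Editor org.gnome.Platform/x86_64/3.24
org.example.Viewer org.gnome.Platform/x86_64/3.26
org.example.Game org.freedesktop.Platform/x86_64/1.6
org.example.Orphan org.kde.Platform/x86_64/5.9'

# Constructed sample: runtime refs installed on the system.
SAMPLE_RUNTIMES='org.gnome.Platform/x86_64/3.24
org.gnome.Platform/x86_64/3.26
org.freedesktop.Platform/x86_64/1.6'

# newest_branch RUNTIMES NAME ARCH
# Prints the highest installed branch of NAME for ARCH, or nothing if none.
# Branches are compared as dotted numbers (3.24 < 3.26, 1.6 < 18.08, 45 < 46).
newest_branch() {
  printf '%s\n' "$1" \
    | awk -F/ -v n="$2" -v a="$3" '$1 == n && $2 == a { print $3 }' \
    | sort -t. -k1,1n -k2,2n \
    | tail -n 1
}

# stale_apps APPS RUNTIMES
# For every app whose runtime branch is not the newest installed branch,
# prints "app runtime-ref newest-branch". newest-branch is "MISSING" when
# no branch of that runtime is installed at all (the app cannot even start
# on this system, and nothing is patching its base libraries).
stale_apps() {
  runtimes=$2
  # flatpak separates columns with tabs; normalise them to spaces for read.
  printf '%s\n' "$1" | tr '\t' ' ' | while read -r app ref; do
    [ -n "$app" ] || continue
    name=${ref%%/*}
    rest=${ref#*/}
    arch=${rest%%/*}
    branch=${rest#*/}
    newest=$(newest_branch "$runtimes" "$name" "$arch")
    if [ -z "$newest" ]; then
      printf '%s %s MISSING\n' "$app" "$ref"
    elif [ "$branch" != "$newest" ]; then
      printf '%s %s %s\n' "$app" "$ref" "$newest"
    fi
  done
}

# Stand-alone run on the constructed data.
stale_apps "$SAMPLE_APPS" "$SAMPLE_RUNTIMES"
```

On a real system, feed the two `flatpak list` outputs in place of the constructed strings. An app on an older branch is not necessarily vulnerable, since that branch may still be maintained; the list is the starting point for checking each branch's end-of-life status and for asking the app's maintainer to rebuild against a current runtime.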