Open eht16 opened 7 months ago
AtomicRobotMan0101
commented
6 months ago Seconded.
@eht16 raus-ed me today and I'm a bit pissed that this package LOOKS DAMNED OFFICIAL.
Fan submissions are 100% excellent, but this is blatant passing-off. On the Flatpak and searches within it (via terminal) one cannot distinguish legit packages as the checkmark is missing there.
Change the "By" tag on Flatpak please.
barthalion
commented
6 months ago The website clearly marks unverified applications as such, so do recent KDE Discover and GNOME software releases.
If you're using CLI, you can switch to the verified subset as described in the documentation: https://docs.flathub.org/docs/for-users/installation#subsets
eht16
commented
6 months ago @barthalion the root issue isn't resolved I think.
To me, it is confusing that the above mentioned Flatpak site looks like the Genay Flatpak package is maintained by the Geany developers. This is because of the "by Geany Team" term below the title and in the blog "Community built" there is a link to the project website directly.
But at no point there is any reference to who really maintains this package and that bug reports related to the Flatpak packaging should be reported there and not to the Geany project itself.
I think it would help all parties, if this could be made more clear that project developers and package maintainers are not the same people.
Thank you.
TiZ-HugLife
commented
6 months ago Hi there. Sorry it took me a while to get around to responding to this.
So, there is definitely a developer / packager disjoint in regards to the package's presentation, and I agree that it is a problem. This software is indeed by the Geany team. But the person maintaining the package here is mainly just me, and I'm not an upstream developer at all. It seems like you want me to be the person listed on Flathub's page, but then that's inaccurate too. I don't do any upstream work on Geany at all, so now there's a new piece of unintentional deception, and the actual Geany developers would be right to say, "who's this TiZ hack and why is he taking all the credit for our software?!" It would be just the same for if you looked it up in your software manager and the person who maintains the native package was somehow presented as the person responsible for making the overarching software. So I agree that all the information inherent in this particular type of disjoint should be available somehow.
I'm not here to trick people; I'm just here to make a good piece of software available in Flathub the best way that it can function with the inherent limitations in place. And that's still not even the full story. Someone else packaged it before they left it to languish and then I took it over. There are certain families of distro that benefit from having packages available in this manner, as well as certain philosophies to software management that benefit as well. To be specific, you can install Geany this way in locations that will persist across distro migrations and distro reinstalls.
@eht16, you seem to be a member of the Geany team, and compared to elextr, your opinions on Flatpak are much stronger. I'll just ask you outright: Do you even want this package to exist? I have strong fundamental disagreements with people who simply hate Flatpak as a format universally, but that doesn't quite seem to be the case for you, and even if it was, I don't really want to package software as an act of spite! I don't want to subvert upstream desires. (EDITED to add stuff.)
I'm going to reopen this issue until we come to a solution that everyone finds satisfactory.
eht16
commented
6 months ago @TiZ-HugLife I do appreciate your work on packaging Geany as Flatpak. At no point I wanted to say you or other Flatpak maintainers want to trick users or do any sort of bad behavior.
The main point of this issue is for me that it is not clear on the Flatpak page to users that this is a package created and maintained by a third party and not the developers of the software itself. The disjoint of software developers and packagers is totally fine IMO and very common. It just should be more visible on the Flatpak pages, so users have the chance to learn the difference. Also, as it is common for distributions, bug reports should be either directed to the package maintainers or at least there should be some help for users to learn where to report bugs (package related bugs to the package maintainer, everything else to the developers).
Do you even want this package to exist?
I don't want to judge the Geany FlatPak package should exist or not. In general I think might be some need for FlatPak packages. Specifically for Geany, I'm not sure if there are much benefits. By design, a text editor needs access to various places on the host system, to open and edit files, to use compilers, linters and other tools and probably more. So what is the advantage of isolating Geany into its own environment and have to break the isolation at the same time.
I don't "hate" ("hate" is a very strong word especially when using in contexts of software) Flatpak in general. Though I think there are some disadvantages not all users might be aware of. Most distributions doing a great job in keeping their packages up to date, especially in terms of security issues and users get notified by their system and only have to install the recommended package updates. At least the bigger distributions have some sort of quality assurance and/or review process to ensure a constant level of quality. I don't know enough about Flatpak and FlatHub if there is some equivalent. Also, regarding security updates of a software itself or some package in the dependency chain, users of FlatPak packages are highly dependent on the package maintainers of each FlatPak package which uses the affected package as a dependency. To be honest, I don't know how this is handled in the FlatPak world but at least for bigger distributions this works pretty good as there are usually multiple maintainers for packages and in case of security updates only the affected package needs to be updated and not all depending packages as well.
You see, I'm rather old fashioned in this regard and prefer the "traditional" distribution package system. But this is just my personal opinion and I do not and I cannot decide a FlatPak package should exist or not. But I can choose not to use it for me personally.
What I wish is that it is as clear to users that this is a third party created packages as it is when they install Geany from the Debian package repositories or from Fedora or from ArchLinux, etc.
TiZ-HugLife
commented
5 months ago Okay. So... I'm probably going to bounce out of all of this pretty soon. The ecosystem has been developing in a way that has killed all of my passion for it, and having any sort of maintenance responsibility has become sort of soul-crushing. But before I do that, and this package effectively becomes unmaintained; what specifically do you want this package to look like? You've only asked that you want it to be clear that it's a third-party created package, which means that you want changes to Flathub itself whose discussion simply isn't going anywhere. So let's focus on what I can do right now.
Do you want one, both, or neither?
AsciiWolf
commented
1 week ago @eht16
You see, I'm rather old fashioned in this regard and prefer the "traditional" distribution package system.
Are these distribution packages all clearly marked as unofficial?
Regarding the developer name, you should probably learn how AppStream metadata work.
AsciiWolf
commented
1 week ago On the Flatpak and searches within it (via terminal) one cannot distinguish legit packages as the checkmark is missing there.
Yeah, I can confirm that the verified apps support seems to be missing in the "flatpak" command. You should report it here.
Still, this is the same as downstream distributions packaging geany without any of its official developers being involved. But I agree that the verified checkbox in "flatpak search", "flatpak install" etc. would be useful.
TiZ-HugLife
commented
1 week ago Dragging up this discussion again, huh?
Now that I'm looking at this a few months later, I do have to say that the Geany developers' attitude toward this package with the stated reasoning is kind of whack. In terms of maintainership and accessiblity of that info, it's not really any different from distribution packages.
Let's say I want to use Ubuntu's geany package. And let's say I want more information about it. That information appears to be here. And honestly, it's way less clear about who is doing what than Flathub's page is. Who's packaging it for Ubuntu? A team who is apparently not on Launchpad, so you can't find out any information on them. Well, how do we find out who developed it? Apparently you use the "Upstream Connections" section to get to this page, which is one step removed from Geany's actual homepage, and is one step removed from finding a list of people who allegedly work on it. When you look at the list of members of this group, you see that there are membership applications left stagnant from over ten years ago.
So this information that Ubuntu presents does not seem particularly verifiable, and is pretty far removed from what the actual current development process is. You want to find out who works on this package? You're looking at him. There's a links section on the app page in Flathub that brings you to this repo, where you can easily see that I've been the primary maintainer of this package since November 2021. And yet Ubuntu is somehow more endorseable, more official, more trustworthy, than this package?
I'm tired of this nonsense. There's so much nonsense in the Linux app ecosystem that I've been tired of for so long, so I'm done with it. It doesn't even make sense for me to be maintaining this anyways. My primary text editor is actually CudaText.
eht16
commented
5 days ago @AsciiWolf
You see, I'm rather old fashioned in this regard and prefer the "traditional" distribution package system.
Are these distribution packages all clearly marked as unofficial?
"unofficial" maybe specific for Flatpaks but usually distribution packages are maintained by the distribution, so this might translate to "unofficial" in terms of not maintained by the application developers.
Regarding the developer name, you should probably learn how AppStream metadata work.
I'm not sure if I should learn this.
@TiZ-HugLife
Now that I'm looking at this a few months later, I do have to say that the Geany developers' attitude toward this package with the stated
Just to be clear, I'm expressing here my personal attitude and I'm not speaking for the other Geany developers.
reasoning is kind of whack. In terms of maintainership and accessiblity of that info, it's not really any different from distribution packages.
To me the difference is that usually on the distribution package info pages there is a note where is the software is coming from (e.g. a website link) and who is maintaining the package. Examples: https://packages.fedoraproject.org/pkgs/geany/geany/ https://packages.debian.org/bookworm/geany
Let's say I want to use Ubuntu's geany package. And let's say I want more information about it. That information appears to be here. And honestly, it's way less clear about who is doing what than Flathub's page is. Who's packaging it for Ubuntu? A team who is apparently not on Launchpad, so you can't find out any information on them. Well, how do we find
Admittedly, Ubuntu is a bad example as the information there is outdated and so might be misleading. At least it is clear that the package is not provided by the upstream application developers.
In the essence, I think a rather small change which could help users already a lot is to replace the "by Geany Team" slug above the "Unverified" badge by "provided by Flathub community" or something like this. Optionally add a link to https://github.com/flathub/org.geany.Geany. Or as suggested in https://github.com/flathub-infra/website/issues/3125 an additional "Packaged by" item.
IMO this would already make it more obvious that package maintainers and software developers are different parties.
I'm tired of this nonsense. There's so much nonsense in the Linux app ecosystem that I've been tired of for so long, so I'm done with it.
Sad to hear :(.
AsciiWolf
commented
5 days ago @eht16
"unofficial" maybe specific for Flatpaks but usually distribution packages are maintained by the distribution, so this might translate to "unofficial" in terms of not maintained by the application developers.
That's not necessary true. Many packages are maintained by unaffiliated community members and uploaded (with distribution's packagers approval) into the repositories. It is a common practice for example in Debian.
And there even are some distributions that have no actualy maintainers for most of their packages - for example Ubuntu, they just sync them from Debian (and then left them to rot for many years in case of LTS releases).
Regarding the developer name, you should probably learn how AppStream metadata work.
I'm not sure if I should learn this.
If you want to develop and distribute any desktop Linux apps in upcoming years, you definitely should. It has become a de-facto standard in most distributions and packaging systems.
eht16
commented
5 days ago @eht16
"unofficial" maybe specific for Flatpaks but usually distribution packages are maintained by the distribution, so this might translate to "unofficial" in terms of not maintained by the application developers.
That's not necessary true. Many packages are maintained by unaffiliated community members and uploaded (with distribution's packagers approval) into the repositories. It is a common practice for example in Debian.
And there even are some distributions that have no actualy maintainers for most of their packages - for example Ubuntu, they just sync them from Debian (and then left them to rot for many years in case of LTS releases).
I think we are talking about the same, I actually had Debian in mind in my explanation. Sure, not all uploaders are DDs or DMs but after all, it's the Debian community who maintains the packages in the distribution. I just wanted to differentiate between upstream and downstream. And I assume this is for Flathub similarly, maybe just with different terms.
Regarding the developer name, you should probably learn how AppStream metadata work.
I'm not sure if I should learn this.
If you want to develop and distribute any desktop Linux apps in upcoming years, you definitely should. It has become a de-facto standard in most distributions and packaging systems.
Ok. Might still be not relevant for the topic here.
In the essence, I think a rather small change which could help users already a lot is to replace the "by Geany Team" slug above the "Unverified" badge by "provided by Flathub community" or something like this. Optionally add a link to https://github.com/flathub/org.geany.Geany. Or as suggested in https://github.com/flathub-infra/website/issues/3125 an additional "Packaged by" item.
This is the main part of this issue. Do we want to focus on this?
TiZ-HugLife
commented
5 days ago I think we are talking about the same, I actually had Debian in mind in my explanation. Sure, not all uploaders are DDs or DMs but after all, it's the Debian community who maintains the packages in the distribution. I just wanted to differentiate between upstream and downstream. And I assume this is for Flathub similarly, maybe just with different terms.
This is the same thing. Debian has a packaging community, so does Flathub. And you're right that Ubuntu is a poor example, but that's the distro that I'm currently using. The app store applications are worse; if I search for Geany in Discover, Plasma's application store, the distribution package for Geany says "unknown author" and distributed by "unknown source". The optics are worse than if you look at the Flathub package, even though "Geany Team" doesn't actually provide any more info than "unknown author".
[...]
This is the main part of this issue. Do we want to focus on this?
IMO, even though I'm getting out of the game, I think you should focus on that. Or rather, flathub-infra/website#3131 because it has more discussion.
Flathub has this weird false dichotomy thing going on: it's either packaged by the developers, or it's unverified. There's no middle ground, and that's not reflective of reality, nor of how distributions actually handle packaging. And the unverified terminology stinks. They want developers to be involved so badly; well, here you are, and you have a request that they refuse to act on. And despite how I feel about how this package has been treated, your request is really quite reasonable; if Flathub wants to be the Linux app store, they need to be better than the status quo, which means finding a way to meaningfully display the differentiation between developers and packagers. They can't just force people to be involved in packaging if they don't want to be by blackmailing people with the unverified badge that is meant to scare users and distributors. That's the socially coercive behavior I'm so sick of from GNOME, and it does not meet people's needs.
AsciiWolf
commented
5 days ago @eht16
If you want to develop and distribute any desktop Linux apps in upcoming years, you definitely should. It has become a de-facto standard in most distributions and packaging systems.
Ok. Might still be not relevant for the topic here.
It is very relevant. All the app (package) information are defined in AppStream metadata. So, maybe extending the AppStream metadata standard with "downstream bug tracker" entry could be a good idea? (And it would partially solve the problem described in this ticket.)
TiZ-HugLife
commented
5 days ago It is very relevant. All the app (package) information are defined in AppStream metadata. So, maybe extending the AppStream metadata standard with "downstream bug tracker" entry could be a good idea? (And it would partially solve the problem described in this ticket.)
It is relevant to them being a desktop application, but it is not relevant to this issue. This issue is about the fact that to a layperson, the package from Flathub looks like it comes directly from the Geany developers, and the "unverified" badge is not a sufficient way to address that. Should they eventually have their own metadata.xml file? Yes, probably. But that actually wouldn't solve the problem at all. Whatever they choose to put as the developer name would be displayed on Flathub, because we're not supposed to modify the metadata to make it look like we--that is to say, the packagers--made it.
Downstream bug tracker would be a bad extension to the metadata because then there would be a perceived burden to keep track of all the downstreams' bug trackers. Not just Flathub, but all the distros. If this is about making sure that bugs reach the right trackers and the right people, that is a different conversation. I actually think it's more important than this conversation, but it's also harder than this conversation, because it requires all the stakeholders to completely change the way they do things to make it hard or impossible for users to put bugs in the wrong place, and make it easy to send bugs that do end up in the wrong place to the right place. It would need to be possible to pass bugs around among different stakeholders as people involved figure out where the bug resides, and the tools we have don't work very well for that.
But this issue isn't about that. Issues being filed upstream when they're most relevant here is a symptom, but it's not the problem. The problem is that Flathub does not meaningfully differentiate between developers and packagers. It's Flathub's problem to fix.
I don't know who is maintaining this Flathub package, I couldn't find any note on https://flathub.org/apps/org.geany.Geany.
Even worse, the only reference visible is "by Geany Team" which suggests these builds are provided by the Geany developer team.
Could you please add some information to the Flathub package page to provide information who is responsible for this package?
Thank you.