I feel that the term “misunderstanding” kind of applies here. I think I might have a slight grasp of where both sides are coming from, so I will attempt to help.
My take on compis1
I feel that compis1 is at a beginner level of linux knowledge based on looking at their post history here. They have also probably seen the slander against flatpaks that has been going around the internet for years. Of course, anyone at an average level of linux experience and some grasp of logic can easily see through the arguments at sites like flatkill once they think about the logical fallacies there. However, we can guess that compis1 is a noob to linux and is worried about security. Some people have been burned by malware, and others do get targeted more than others for various reasons. So compis1 might possibly have reasons to be paranoid about applications, especially if they were a former Windows user. So when a noob who has been burned by malware in the past and isn’t sure about the lies about flatpak security sees that their flatpak got updated, but notices that the version number of the app did not change, that could be even more confusing than my run-on sentences. Due to unfounded slander against flatpaks from an “unknown” group or company through third parties, they might even be suspicious of the answers they get and come across as mildly confrontational or stubborn until they understand the answer.
My take on the response to compis1
I know it is hard to deal with people when they are skeptical of you, especially when you are all volunteers trying to contribute. I really don’t think that compis1 has a good grasp on how flatpaks work. Since they seem to be a noob to linux, I don’t think they understand the responses they are getting.
This answer is absolutely correct, plus it shows users how to find and check the changes themselves in complete transparency. However, I doubt many noobs will understand how helpful that answer really is. While I don’t remember interacting with CodedOre personally, I have interacted with Hub and I really appreciated his help when he seemed to notice that I really was trying to solve an issue but was in over my head. I know Hub seems like a good guy and I appreciate that CodedOre took the time to try answering the question here. So please don’t take this as an attack, but rather my way of portraying how a normal user might understand the answer.
- A noob will know of distribution repositories, but might not understand that flathub has a repository at github for each app.
- A noob might not know this use of the word “manifest”. Until I looked at the documentation at flatpak, I only knew of the term “manifest” in regards to shipping or physical inventory. I think we used manifests when we loaded a conex, PCS’d, or got detailed out to S4. Now that sentence I just used will make perfect sense to other US Army veterans, and some guys could even spit out the form number 20 years after winning their DD214 blanket. However, that probably won’t make much sense to the majority of the world’s population. This is the point I am trying to make for talking about any technical field. Layman terms and technical terms often don’t overlap in a meaningful way regardless of the field involved. Sometimes laymen will show up here from a Google search, and try to interact instead of slowly backing away and closing the door before anyone notices.
- github.com/flathub/APP_ID I personally would not have known what to do with that thing there until I tried to learn flatpaks and got some help at a subreddit. I would have known that it was supposed to be a url and I might have tried pasting it into a browser unless I was suspicious of whoever posted it. Laypeople do not normally use the term “APP_ID”.
- Unless someone has dealt with github before, they might not know that “check the commit history” means “There is a webpage at https://github.com that will show you which lines got changed in the most recent update.”
So my answer to compis1 and anyone else in a similar situation, even though I know compis1 can’t respond anymore:
The flatpak system was developed by someone who worked in the Red Hat Enterprise Linux branch. Red Hat Linux has survived selling and supporting Linux distributions to businesses for decades. They are a reputable company with a successful working model. The problem with any long term support distribution is that the apps in the distribution repository will get obsolete for many users. You mentioned that an app, I think the Brave Browser, got updated from Flathub to a newer version than what was in the Debian repositories. Yes, that is how long term distributions work. Long term support (LTS) distributions like Debian Stable and Red Hat (RHEL) often use old apps that already have the bugs worked out of them. If you want newer apps from the Debian repository, you can either switch to Debian Testing, add the Debian Backports repository, or keep using Flatpaks. It is your choice. If you are uncomfortable with flatpaks, then by all means check out backports or testing. We ain’t Microsoft, you can do whatever you want. So enjoy your freedom, at your own pace.
Here is Debian’s page on backports https://backports.debian.org/
Here is Debian’s page on Debian Testing DebianTesting - Debian Wiki
You can read more about flatpaks if interested at this 2018 blog post Flatpak – a history – Alexander Larsson
If you are unsure about how reputable a flatpak is, you can check for the blue checkmark at the flathub website. If you go to Install GNU Image Manipulation Program on Linux | Flathub you can see that Flathub has verified that the Gimp flatpak maintainer is involved with the developers who provide Gimp.
As for the answer about github, here is another way to check what got updated.
- Go to Flathub · GitHub
- Click on the search bar at the top right of the page, and type in Gimp or whatever app you want to check.
- Gimp in particular has a lot of plugin repositories at flathub separate from the app itself. The one I highlighted in the screenshot is the app. See how it has a part that says “org.gimp.GIMP”? That is the APP_ID mentioned in an earlier answer. Click on it at github.
- This is the Gimp repository for Flathub. GitHub - flathub/org.gimp.GIMP I will attach a screenshot.
Do you see that grey number combo in front of “yesterday”, a clock symbol, and “380 Commits”? If you put your mouse pointer on it, you get a popup like in the screenshot. Click on the number.
- This is one of the commit manifests you were supposed to look at. manifest: Bump qoi commit (#482) · flathub/org.gimp.GIMP@6e54975 · GitHub
You can see the old code in red and the new code in green. This manifest is in .json format. I don’t understand json well, and so I use the other .yml format for manifests myself. But this shows that a dependency named qoi got updated in yesterday’s Gimp flatpak update.
If you go back to step 4 and click on the “380 Commits” it will show you every single update that the Gimp team has made for the Gimp flatpak. Here is what the page looks like
You can see that Gimp frequently updates dependencies. On Aug 2, the Gimp flatpak update was due to the Gimp maintainers changing how a dependency got added to the Gimp flatpak. It looks like the Gimp maintainers might use an automated update script. You can expect frequent dependency updates from the Gimp flatpak.
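The post above walks through reading a "Bump qoi commit" diff by eye on GitHub. The same check can be scripted: load the manifest before and after a Flathub commit, list which module sources changed, and flag any module that is not pinned to a commit or checksum. The script below is an added example and is not code from the post, from Flathub, or from the GIMP maintainers. The two manifests it compares are constructed in the script to mimic the shape of a flatpak-builder JSON manifest (an "app-id" plus a "modules" list whose entries carry "sources"); the module names other than qoi, the example.invalid URLs and the commit hashes are placeholders. It assumes JSON manifests; a .yml manifest would need a YAML loader before the same functions apply.

```python
"""Diff two flatpak-builder JSON manifests and report which module sources changed.

Added example, not Flathub or GIMP project code. Both manifests below are
constructed for illustration: only the qoi module name comes from the post,
everything else (URLs, hashes, the example-plugin module) is a placeholder.
"""
import copy

# Fields of a "sources" entry that determine what code actually gets built.
PIN_FIELDS = ("commit", "sha256", "sha512", "tag", "branch", "url", "path")

# Constructed 40-hex-character placeholders for git commits.
OLD_QOI_COMMIT = "a" * 40
NEW_QOI_COMMIT = "b" * 40

# Constructed "before" manifest, shaped like a flatpak-builder manifest.
OLD_MANIFEST = {
    "app-id": "org.gimp.GIMP",
    "runtime": "org.gnome.Platform",
    "modules": [
        {"name": "babl", "sources": [
            {"type": "git", "url": "https://example.invalid/babl.git",
             "tag": "BABL_0_1_108", "commit": "c" * 40}]},
        {"name": "qoi", "sources": [
            {"type": "git", "url": "https://example.invalid/qoi.git",
             "commit": OLD_QOI_COMMIT}]},
        # Hypothetical module pinned only to a branch: a rebuild can pull
        # different code with no change visible in the manifest diff.
        {"name": "example-plugin", "sources": [
            {"type": "git", "url": "https://example.invalid/plugin.git",
             "branch": "main"}]},
        {"name": "gimp", "sources": [
            {"type": "archive", "url": "https://example.invalid/gimp.tar.bz2",
             "sha256": "d" * 64}]},
    ],
}

# Constructed "after" manifest: identical except for the qoi commit bump,
# which is the kind of change the post's screenshot showed in red and green.
NEW_MANIFEST = copy.deepcopy(OLD_MANIFEST)
NEW_MANIFEST["modules"][1]["sources"][0]["commit"] = NEW_QOI_COMMIT


def source_pins(module):
    """Keep only the fields of each source that select what code is fetched."""
    return [{k: v for k, v in src.items() if k == "type" or k in PIN_FIELDS}
            for src in module.get("sources", [])]


def index_modules(manifest):
    """Map module name -> list of source pins.

    String entries in "modules" refer to external module files (for example
    shared-modules); this example records them but does not load them.
    """
    index = {}
    for module in manifest.get("modules", []):
        if isinstance(module, str):
            index[module] = [{"type": "external-file", "path": module}]
        else:
            index[module["name"]] = source_pins(module)
    return index


def changed_fields(old_srcs, new_srcs):
    """Field-level differences between two source lists, keyed by position."""
    diff = {}
    for i, (old, new) in enumerate(zip(old_srcs, new_srcs)):
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                diff[f"source[{i}].{key}"] = (old.get(key), new.get(key))
    if len(old_srcs) != len(new_srcs):
        diff["source-count"] = (len(old_srcs), len(new_srcs))
    return diff


def diff_manifests(old, new):
    """Sorted list of (module, change); change is 'added', 'removed' or a dict."""
    old_idx, new_idx = index_modules(old), index_modules(new)
    changes = []
    for name in sorted(set(old_idx) | set(new_idx)):
        if name not in old_idx:
            changes.append((name, "added"))
        elif name not in new_idx:
            changes.append((name, "removed"))
        elif old_idx[name] != new_idx[name]:
            changes.append((name, changed_fields(old_idx[name], new_idx[name])))
    return changes


def unpinned_modules(manifest):
    """Modules with a git/archive/file source that has no content pin.

    A commit hash or sha256/sha512 fixes the bytes that get built; a branch or
    a bare tag can be moved upstream, so the same manifest can build different
    code on a later rebuild.
    """
    weak = []
    for name, srcs in index_modules(manifest).items():
        for src in srcs:
            if src.get("type") in ("git", "archive", "file") and not any(
                    k in src for k in ("commit", "sha256", "sha512")):
                weak.append(name)
                break
    return weak


if __name__ == "__main__":
    for module, change in diff_manifests(OLD_MANIFEST, NEW_MANIFEST):
        print(module, change)
    print("unpinned:", unpinned_modules(NEW_MANIFEST))
```

Run against real input, you would replace the two constructed dicts with `json.load` of the manifest from two commits of the flathub/org.gimp.GIMP repository; the report then says in one line what the GitHub diff view shows in red and green, and the unpinned check is the thing a manual read of the diff tends to miss. On the installed side, `flatpak remote-info --log flathub org.gimp.GIMP` lists the build commits Flathub actually published for the app, which is the other half of "what got updated".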



