Fedora & FlatHub story - Alas, it ain't 1986 anymore

Updated: Date, Year

Normally, I try to avoid Internet drama, so to speak, but something rather interesting caught my eye this week. The OBS Studio maintainers raised an issue with Fedora regarding their use of an unofficial OBS Studio Flatpak package. Naturally, the "incident" created quite a bit of furor in the Linux community. Specific IP issues aside, most people seem to think that Fedora folks are in the wrong for maintaining their own Flatpak repositories, rather than using the community-maintained FlatHub. Well.

I find this event to be so important that I decided to write an entire article dedicated to it. As it happens, I recently tested Fedora Kinoite, which uses Flatpaks for apps, and I wrote about the many, many problems with multi-source package management in my openSUSE Tumbleweed review. Now, with those in mind, once again, I would like to address the issue of official and unofficial software, chain of trust, and the way things are done in the Linux world.

First, very briefly on the "incident" ...

Let's start with what happened. OBS Studio developers - a very cool program I tested a while back, btw - have every right to demand their logos and protected trademarks and the like are used only in association with officially packaged software. That, in my mind, is the lesser part of the story. Perhaps the Fedora team could have communicated better about what they were doing, but that's not for me to judge.

Indeed, I don't want to focus on this. In fact, that OBS Studio issue isn't a problem at all. It is merely a manifestation of a much bigger problem in Linux software management ...

The Fedora choice

I don't like many things Fedora, but I actually fully agree with Fedora maintaining its own store, the recent events notwithstanding. If I put aside this specific case, Fedora has every right not to use third-party sources in their distribution. If you think about it logically, if you have a product, you're responsible for that product. It's YOUR name and reputation associated with what you provide. And you cannot control anything outside that very narrow and strictly defined remit. As soon as Fedora, or anyone else, allows access to third-party content by default, they become accountable for what happens to their users. Furthermore, as a pure open-source distribution (well, almost), Fedora also must abide by its own licensing requirements.

These two hard criteria preclude Fedora from using third-party sources just because they are popular or open-source or community-driven. Indeed, we go back to the same problem I showed you in my Tumbleweed review. The distro had FlatHub enabled, and you could search for programs, which in turn would include entries from this remote, third-party source, including a variety of proprietary software, both officially packaged by their upstream vendors and unofficial packages, created by members of the wider Linux community.

Among the entries, there was the Chrome browser, offered as an unofficial Flatpak. Chrome, but not made by Google. Or rather, not packaged as a Flatpak, by Google. Even FlatHub said it wasn't official, and had big scary warnings all over the place. And so, how or why could the distro maintainers ever guarantee this program is legit and does what it's supposed to do? Even if it's 100% legit, if it doesn't have Google's stamp on it, then it's de facto not legit, even if all the binary bits and pieces align perfectly.

Chrome, Flathub entry, marked as unverified

Flathub warning

And if something goes wrong, who's responsible? FlatHub is a community-driven entity, despite heavy backing from various organizations, including a strong Red Hat influence. But it's still its own independent place. Technically, it has nothing to do with Fedora (or openSUSE), nor does Fedora have anything to do with it. Again, I'll ask, if something goes wrong, who is responsible? Who carries the burden for a potentially broken, malicious or misbehaving piece of code?

This is actually a very simple question, with a simple answer. FlatHub is responsible for FlatHub. Fedora is responsible for Fedora and what happens in its operating system. And so if Fedora chooses to allow access (by default, that is) to third-party sources like FlatHub, then it's Fedora that carries the responsibility. Indeed, for years and years, you could always enable third-party sources in Fedora, if you wanted stuff like media codecs. I've shown you how to do this many times over, in my various tweaking guides. But each time, the user has control. It's the user's decision to enable these. Even if the distro "helps" by providing prompts and nudges and tells you that you can do this, it's an explicit opt-in.

This situation highlights a "funny" paradox in the Linux world. Linux folks seethe and gnash their teeth over the aggressive policies of Microsoft, whereby the company "opts in" its users into corporate decisions without consent. But when this is done in the Linux world, it's seemingly okay for some reason. Likewise, when it comes to Flatpaks, which do have a strong Red Hat influence, the community seems tolerant. When it comes to snaps, which are a Canonical solution, the community is not. I'm not saying this is good or bad, it's just an observation that I find somewhat entertaining, because it shows two completely different responses to the exact same mechanism.

Wait. I know the answer. Choice. Lots of community folks don't like snaps because they come pre-enabled in Ubuntu and family, and the users are opted into the experience without consent. Choice. But then, when Fedora does what the community actually expects - gives users a choice, i.e., does not include third-party stuff or non-native packages by default - the community is ALSO angry. So, in one case, users have no choice, community angry. In the other, users have choice, community still angry. Perhaps the conclusion is the community will always be angry, no matter what? I find this paradox hard to reconcile.

Chain of trust

A big "problem" with the open-source and Linux communities is that they are founded in humanistic, altruistic principles. The tenets of sharing and working together were applicable when the movement, so to speak, started, back in the late 1970s and early 1980s. But in those days, the sharing was restricted to academics, scientists and engineers, and these people were all part of a tiny, friendly, familiar club. Like Cheers, where everybody knows your name. In those days, the Internet was a pristine thing, not the ugly, festering, diseased monstrosity we have today.

When I look at the Internet, I see it as an inherently hostile place. For me, the concept of communities is very hard to accept, because unless you know, truly and deeply know everyone - the actual definition of what a community ought to be in the human sense - then it's not a community but a group of strangers working toward a common goal, at best. In these scenarios, there will always be mistakes, and possibly even deliberate harm, as the XZ utility backdoor problem showed. But even if we don't go that far, it's extremely hard to trust random code created by random people out there. Dejecting, depressing, call it what you will. I see it as the cruel, harsh reality of the modern Web. And there's really nothing we can do about it except apply even more rigor than we normally would.

This rigor clashes directly and explicitly with the idea of communities. And so, in many ways, community-packaged software is an extremely difficult concept. Even if 99% of software on FlatHub is totally fine, and made by their upstream, original owners, that still leaves 1% that is too risky to accept if you must do serious stuff on your machine, like banking, medical stuff, you name it. You want the chain of trust to be as short as possible, and there must be accountable owners every step of the way. Otherwise, you're playing with fire.

So how can people enjoy modern software then?

In a lot of ways, the pain we're all experiencing as one large Linux community is mostly self-inflicted. There are way too many distributions, and they all do things their own mutually incompatible way. This prevents easy code sharing, but worse, it deters commercial software vendors from making applications for Linux. I mean, they do, but only when there's big financial interest (enterprise), and even then, you only get stuff for Red Hat and Ubuntu, and that's about it. If the landscape were simpler, we'd have more official programs. We'd not need to worry about creating an entire abstraction layer - Flatpaks, AppImages, snaps - just to solve clunky, fragmented package management.

If Linux distros had proper stores - which, again, I brought up in my Tumbleweed review - the commercial entities would be more inclined to offer their content to Linux folks. Alas, we've regressed in this space, too. Ten years ago, you could buy stuff through the Ubuntu Software Center, the closest thing Linux ever came to being accessible to normies. Today, you get none. Nothing at all.

And so, it comes down to community sources. Repositories or places like FlatHub. So where does that leave Fedora? Well, they can do as they've always done, where you toggle on what you need, but that makes stuff inaccessible to 100% of the normies. Or they enable a few things by default.

The question is, what or how. Well, Fedora tried to do its own Flatpak thing. In many ways, this is a duplication of effort, but a sort of necessary one. No different from how Canonical manages its Snap Store. Perhaps even more restrictive, as community folks can upload their stuff to the latter. But then, keeping things simple is the only way to guarantee your distro contains only what you want. Sad, but true.

Sure, Fedora can apply all sorts of filters. Theoretically, it could only source official packages from FlatHub, or only those with an open-source license, and whatnot. But then, what if there's a mistake in this filtering process, or the sourced content isn't what it says it should be, something as innocuous as a misapplied license. What happens then? Who becomes responsible? We go back to the very beginning, only now, we've added store-like processing into the loop, for no added benefit. Not just duplication. Triplication of effort.

App sources

Fedora's implementation, quite confusing.

In Kinoite, I was baffled with how Fedora did it. I had to hit the command line to figure out the difference between Fedora Project and fedora, or the fact the same program was offered twice, from two separate sources. Ideally, there should never be more than one source. On a technical level, there needs to be clarity, because random names, especially names so similar, don't help the user in any way. And this is before we add any third-party software into the mix.
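To make the "two sources, same program" confusion and the opt-in question from earlier concrete, here is an added audit script (not from the article, and not a Fedora or Flatpak project tool). It assumes the tab-separated output of `flatpak list --app --columns=application,origin`, uses a constructed sample when flatpak isn't installed, and treats the remote names in TRUSTED_REMOTES as the ones you consider accountable; everything else is flagged.

```shell
#!/bin/sh
# Added example: audit installed Flatpaks by the remote they came from.
# Assumes the tab-separated form of `flatpak list --app --columns=application,origin`.
# The remote names and app IDs in SAMPLE below are constructed for illustration.

TRUSTED_REMOTES="fedora"   # remotes with an accountable owner; adjust to your policy

# Constructed sample: two remotes, one app (OBS Studio) offered by both
SAMPLE='org.mozilla.firefox	fedora
com.obsproject.Studio	fedora
com.obsproject.Studio	flathub
com.google.Chrome	flathub
org.kde.kdenlive	flathub'

# Print app IDs whose origin remote is not in TRUSTED_REMOTES (sorted, unique)
untrusted_apps() {
  printf '%s\n' "$1" | awk -v trusted="$TRUSTED_REMOTES" '
    BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    NF >= 2 && !($2 in ok) { print $1 }' | LC_ALL=C sort -u
}

# Print app IDs that appear under more than one remote (the Kinoite situation)
duplicate_apps() {
  printf '%s\n' "$1" | awk 'NF >= 2 { seen[$1]++ }
    END { for (a in seen) if (seen[a] > 1) print a }' | LC_ALL=C sort
}

# Use the live system if flatpak is present, otherwise fall back to the sample
INPUT=$(flatpak list --app --columns=application,origin 2>/dev/null) || INPUT=$SAMPLE
[ -n "$INPUT" ] || INPUT=$SAMPLE

echo "apps installed from remotes outside the trusted set:"
untrusted_apps "$INPUT"
echo "apps offered by more than one remote:"
duplicate_apps "$INPUT"
```

On a real Kinoite box, the second list is where the Fedora Project vs fedora duplication would show up; on a system that never enabled FlatHub, the first list should be empty.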

Not a new problem, and solvable, just not how Linux does it

RPM Fusion, EPEL, Ubuntu PPA, Packman for openSUSE, AUR for Arch. The Linux ecosystem has tens of community sources, but they are all ever so slightly different, serve different distros, offer different programs, or offer the same programs in slightly different ways. This is semi-controlled chaos, and it has worked fine for the intended audience, the 1% hardcore nerds. Sort of.

But now, it's 2025, and we want the normies to be using Linux, right? Flatpaks are meant to make that possible. But they don't really. The reason there are three standalone app management mechanisms is the same reason why there are seventeen package formats and twenty-three command-line package managers and fifteen GUIs to manage a relatively small, finite set of programs on some 200+ distros. A complete waste of time and effort, because every single incarnation of this formula does exactly the same thing. Not invented here syndrome, designed for nerds by nerds, designed by software developers who usually if not exclusively have zero UI sense, let alone understand what normies need or want, and always completed only up to 85%, and then forked or abandoned.

Steam proved this can be done. It's one store, but it does everything. In fact, thanks to Steam's would-be monopoly on gaming, we have the amazing Proton layer, and we can play so many Windows games in Linux. It's a question of service and availability. Not technology, not ideology. A simple, pragmatic, user-centric approach, the opposite of how Linux does it.

Distributions are indeed the opposite of centrism. Alas, what seems to work is centrism. Steam, Apple Store, Google Play. Sad, whatever. That's how it is. The distribution model might even work if there were only four or five distros, and frankly, we don't need more than that. But not with 200-300 almost-identical copies of the same thing fighting for the tiniest of turfs, and without any financial compensation, so it's work overload, volunteer effort, and hostile, angry communities that are never happy.

Conclusion

The OBS Studio issue is just the latest manifestation of the much bigger problem. Fedora did make a bunch of mistakes, as it happens. The primary one, it tried to combine two opposite, unresolvable concepts. First- and third-party software offered together, at a seemingly identical level of trust. The end result is, the Fedora team is maintaining an ecosystem that already exists, but has to do so because of its own licensing restrictions, plus the very correct approach to security and trust. At the same time, it's a paradox. Because this is entirely unnecessary. FlatHub exists, people can use it, end of story.

Only then, technically, nothing has changed. There's really no difference between using a one-liner to add an RPM repo and a one-liner to add a Flatpak remote. The fact both of these are invoked on the command line is already a big usability no-no, but hey. And, at the end of the day, we can't quite ignore security, not with this pointless modern Internet we have today. What Fedora did was more secure.

So, we go back to the paradox. We can do the centric model - one store, FlatHub. Somehow, the nerds love this, whereas they hate the Snap Store, Apple Store, or Google Play. But then, you can't trust the software. I know I don't. For instance, I'll only ever install one or two applications on my phones. I consider everything else to be pure poison. On the desktop, in the same vein, I sure trust developer and distro repos far, far more than community sources. There's someone accountable, one entity, one address.

Or we can do the distributed thingie, as before. The problem with the repo-managed software access is that it sucks oh so deeply, and blocks Linux from being used more extensively. No one wants to have to rebuild and recompile their program ninety times over to satisfy a tiny percentage of the overall userbase, and often without any monetary incentive. Why bother? And so, we keep looping and looping, recreating problems and solutions that cannot be solved. They never will be solved as long as Linux remains so heavily fragmented. As long as there are hundreds of distros using a dozen or so designs, there will be tons of software management ideas, and no specific one will ever really work fully and correctly.

I wish it were 1986. I could be watching Miami Vice and Magnum P.I. Alas, the naivety and the simplicity of the past times are gone. We have the corporate-owned Internet, and it's a filthy, filthy brothel. The only way to ensure any level of reasonable usability and security is through a tight, controlled, centric model. Steam did it, and they rule the gaming world. But this clashes with how Linux works. Canonical tried with the Snap Store, an imperfect solution and closest to being the most practical one, and they are reviled for it. Fedora has tried something similar, and they are reviled for it. Back to the 1% then. Cushty, self-defeating elitism.

Cheers.