at least you could keep their reviews so users could at least know if the app can be trusted.

You mean, don’t trust a flatpak uploaded by a random person, but if there are enough fake reviews, it can be trusted?

So they actually rewrote The Hurd in Rust.

There is no reason to “hate” Ubuntu but there are better choices.

What are those better choices then (for those who currently use the non-LTS Ubuntu releases and don’t want to move to rolling releases or LTS-only releases)?

I still think Ubuntu is the best option (particularly if you want to use the non-LTS releases)

Having said that I do hate snaps and also dislike flatpaks. So what I do is just use the Firefox deb package from the PPA and the chromium package from Linux Mint. Oh, and I have actually replaced ubuntu-advantage-tools with a no-op dummy package.

Only issue is they’re stored in my server as belonging to the server user (I assume everything in those directories should belong to root and I can just use chown?) But I also don’t know if they retain the same permissions when backed up.

Not everything will be owned by root, and some of the binaries will be setuid or setgid, some might even have extended attributes (e.g. ping will usually have a security.capability attribute). /var will also have a lot of different owners.

“secure alternative”? Others are not secure?

And mainline Linux and a Linux Desktop is still struggling today with power management. Like getting chat messages while it’s asleep.

And the really sad thing is that the power management improvements devs have been working on for the PinePhone are really very specific to that particular device and don’t help mobile Linux in general (so it’s basically wasted effort).

Jed when you want a simple, Emacs-like editor.

There is also Roundup Issue Tracker

jed

You don’t really need to switch to a different distro. Just avoid snaps/flatpack/… and use a more lightweight desktop like XFCE and you should be fine.

Don’t believe everything you hear. It’s still available as a .deb: https://launchpad.net/~mozillateam/+archive/ubuntu/ppa

Known-good meaning a tested and working configuration The bugs are fixed upstream and they get pushed via the method of distribution, which is Flathub in this case. Well, fixes don’t normally need to be backported because flatpaks are usually fresh.

There are a few assumptions in here in order for that to work: the known-good version needs to be the latest upstream version (otherwise you might not have the latest security fixes) and users need to be comfortable always using the latest flatpak version. Some users might be more comfortable staying on a known stable version for some time.

For notifications, you’d have to follow the relevant projects directly.

Right, and each project will have its own way of handling security issues (particularly when it comes to older versions). Will they point out that versions x - y of their flatpak are affected by a security issue in component z?

Flatpaks can guarantee you have a known-good dependency chain directly tested by the developers/maintainers themselves

What does known-good mean? What if a security vulnerability is found in one of the dependencies. With an old-style distribution there is a security team that monitors security reports and they will provide a fixed package. With flatpaks it’s not clear to me if those developers will monitor each dependency for security vulnerabilities and how they will handle that. Will users even be informed about a security issue, will a fix be backported or will it only be available in the latest version?

and newer versions won’t run due to library dependencies.

Mozilla seem to be able to limit library dependencies in their builds: https://www.mozilla.org/en-US/firefox/system-requirements/

But are they actually doing this? I am not seeing any changes: https://launchpad.net/~mozillateam/+archive/ubuntu/ppa still has the .deb packages

You mean like https://manpages.ubuntu.com/manpages/jammy/en/man8/snap.8.html

Still better than a random user claiming

This is a massive security vulnerability

with no justification whatsoever.

Verifying a snap package’s authenticity seems to suggest otherwise. What’s the source for your claim?

Was there even a change to the Firefox PPA? I am not seeing a change.

That link appears to be for a Windows driver.