this post was submitted on 16 Jun 2024
52 points (100.0% liked)


How is it possible, that Signal still only provides a .deb package and no .rpm, or even better AppImage or Flatpak? There is an unofficial Flatpak but is it secure?

[–] thesmokingman@programming.dev 11 points 5 months ago (1 children)

I mean it’s FOSS. Have you considered opening a PR to contribute what’s missing? You can be the change you want to see. I wouldn’t normally comment something like this. Your emphasis on “still” raised my hackles a little bit and led me to ask why you still haven’t made your own.

[–] theorangeninja@lemmy.today 7 points 5 months ago (1 children)

Not everyone is a developer and they closed issues on github so why bother?

[–] thesmokingman@programming.dev 4 points 5 months ago (1 children)

All of these packaging systems have plenty of tutorials. Speaking from experience, many maintainers were not developers when they started maintaining packages for distros other than the official distros. I have worked with several maintainers who do work in tech and know socially several who had no background. This could be a great place for you to start!

You bother because FOSS is as much paying it forward as it is getting shit for free.

[–] theorangeninja@lemmy.today 3 points 5 months ago (1 children)

I will not bother because issues are closed and pull requests rejected left and right from signal for years.

[–] dysprosium@lemmy.dbzer0.com 1 points 5 months ago (1 children)

any idea why? Perhaps it's the same as the gnome-mentality, following a very strict philosophy?

[–] theorangeninja@lemmy.today 1 points 5 months ago
[–] Hirom@beehaw.org 8 points 5 months ago* (last edited 5 months ago) (1 children)

Some projects of Signal-compatible clients and forks received a message from a Signal representative requesting they stop distributing unofficial clients that connect to their servers.

That probably has a chilling effect on Linux distributions that may be considering building and distributing Signal in their repository.

[–] theorangeninja@lemmy.today 5 points 5 months ago (1 children)

They should provide an app for other distros then!

[–] Hirom@beehaw.org 3 points 5 months ago* (last edited 5 months ago) (2 children)

They can't possibly provide a package for every distro.

Signal's model, i.e. keep tight control over development and distribution of the client, and the absence of federation, is well suited for Apple/Google's stores, but not at all for open-source and Linux' ecosystem.

[–] theorangeninja@lemmy.today 9 points 5 months ago (1 children)

AppImages run on nearly every distro. Why are they not providing that instead of a .deb?

[–] Hirom@beehaw.org 4 points 5 months ago

Yes, AppImage can run on more distros.

Still AppImage has disadvantages over DEB: No auto-update, No/less system integration, Bigger install packages.

[–] ulkesh@beehaw.org 8 points 5 months ago (1 children)

You are right. They can’t for every distro.

But fedora/rhel, Ubuntu/debian, and arch-based distros are the most commonly used. So they can provide official packages for those, and/or as the OP said, provide an official flatpak.

And to be fair, it’s a nice-to-have to have a better sense of trust, but given the unofficial ones are open source, it’s quite likely any maliciousness would be rooted out very quickly.

[–] TimLovesTech@badatbeing.social 2 points 5 months ago

Or, if you are running one of those distros you could just take the .deb and repackage it for whatever distro you're running. Expecting a project to package for every distro, and then be required to support them for every release is a lot of work. And unfortunately some people have no issues expecting from others, but baulk at the idea of doing it themselves.

[–] TimLovesTech@badatbeing.social 7 points 5 months ago (2 children)

Could always do what looks like the Arch AUR package is doing and build it yourself from source. Or if you are running a Fedora/OpenSuse distro you could find a package on COPR or something that converts a package from a .deb to .rpm and just change source and stuff to match signal.

[–] theorangeninja@lemmy.today 3 points 5 months ago (1 children)

Sounds like a hacky way to do things, I don't think I'm comfortable with that.

[–] ericjmorey@programming.dev 13 points 5 months ago* (last edited 5 months ago) (2 children)

Building from source is the opposite of hacky. It's the recommended way to deal with things like this where you are concerned about trust and security. I understand that it's not something you've done before, but it's not as complicated as it sounds. There are many tutorials on how to build programs from source.

I understand that providing official packages for fedora/rhel, Ubuntu/debian, and arch-based distro packages along with a flatpak and AppImage would make a lot of sense, but for whatever reason, signal has decided not to. Perhaps you can message the signal team to ask why they choose not to do this.

[–] theorangeninja@lemmy.today 4 points 5 months ago

Appreciated, maybe I'll try it in the future.

[–] TimLovesTech@badatbeing.social 2 points 5 months ago

Sometimes it comes down to support. For every distro specific format you build and package for, the more you need to do with every release (and need the proper config and to be comfortable packaging for each).

[–] Petter1@lemm.ee 2 points 5 months ago* (last edited 5 months ago)

That is why I recommend arch based distros that are built on AUR (using yay), like EndeavourOS

[–] BentiGorlich@gehirneimer.de 6 points 5 months ago

been using the flatpak for months and had no issues so far

[–] hellfire103@lemmy.ca 5 points 5 months ago* (last edited 5 months ago) (1 children)

You could try running the .deb through alien(1p), although it can be hit-and-miss if the package has a lot of scripts or dependencies.

[–] theorangeninja@lemmy.today 2 points 5 months ago (1 children)

What is that if I may ask?

[–] hellfire103@lemmy.ca 7 points 5 months ago

It's an old program that converts between .deb (Debian), .rpm (RedHat), .tgz (Slackware), .slp (Stampede), .pkg (Solaris), and LSB packages.

I don't use it much, but it can be handy in a pinch for installing software that isn't packaged for your distribution. Just don't use it for anything low-level or that's already packaged natively, or you'll break stuff.

[–] rimu@piefed.social 4 points 5 months ago (1 children)

I have the official Signal Desktop flatpak installed through Discover. It exists.

[–] theorangeninja@lemmy.today 6 points 5 months ago (2 children)
[–] Lemongrab@lemmy.one 4 points 5 months ago

It's not official, but you can read the manifest to see what is done during building.
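
Reading a manifest as suggested in the comment above can be partly automated. This is an added example, not part of the thread and not code from Signal or Flathub: it walks a JSON flatpak-builder manifest and reports the items worth checking by hand (broad sandbox permissions, download hosts, missing checksums, unpinned git sources). The sample manifest, its host names, and the `audit_manifest` helper are constructed for illustration; a YAML manifest would need converting to JSON first.

```python
import json
from urllib.parse import urlparse

# Constructed sample manifest; NOT the real Flathub manifest for Signal.
SAMPLE = """{
 "app-id": "org.example.Messenger",
 "finish-args": ["--share=network", "--socket=wayland", "--filesystem=home"],
 "modules": [{"name": "messenger", "sources": [
   {"type": "file", "url": "https://updates.example.org/messenger_1.0_amd64.deb",
    "sha256": "<constructed-placeholder-digest>"},
   {"type": "archive", "url": "http://mirror.example.net/helper.tar.gz"},
   {"type": "git", "url": "https://git.example.org/lib.git", "tag": "v2"}]}]
}"""

BROAD = ("--filesystem=home", "--filesystem=host", "--device=all",
         "--socket=session-bus", "--socket=system-bus")

def iter_sources(modules):
    """Yield (module name, source) pairs, following nested modules."""
    for mod in modules:
        if isinstance(mod, dict):  # a plain string points at another manifest file
            for src in mod.get("sources", []):
                if isinstance(src, dict):
                    yield mod.get("name", "?"), src
            yield from iter_sources(mod.get("modules", []))

def audit_manifest(text, trusted_hosts):
    """Return findings a reviewer should check by hand before trusting the build."""
    manifest = json.loads(text)
    findings = [f"broad permission: {p}" for p in manifest.get("finish-args", [])
                if p.startswith(BROAD)]
    for name, src in iter_sources(manifest.get("modules", [])):
        url = urlparse(src.get("url", ""))
        if not url.netloc:
            continue  # local patch or script shipped beside the manifest
        where = f"{name}: {src['url']}"
        if url.scheme != "https":
            findings.append(f"non-HTTPS source: {where}")
        if url.hostname not in trusted_hosts:
            findings.append(f"unexpected host: {where}")
        if src.get("type") == "git":
            if "commit" not in src:
                findings.append(f"git source not pinned to a commit: {where}")
        elif "sha256" not in src and "sha512" not in src:
            findings.append(f"no checksum: {where}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE, {"updates.example.org"})))
```

An empty result only means none of these specific checks fired; the build commands in the manifest still need to be read.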

[–] rimu@piefed.social 2 points 5 months ago

Yeah, I think it's that one. Does Discover pull its content from flathub.org?

It says "by Signal Foundation" on it and 900,000 people have installed it so it seems good enough to me.

[–] lorgo_numputz@beehaw.org 4 points 5 months ago* (last edited 5 months ago) (1 children)

AppImages, ~~which have no automated update facility, are a terrible idea for software that is based on the security of the messaging system.

AppImage for The Powder Toy (a great game) - no problem.

For Signal? Bad idea.~~

I'm looking at you, SimpleX.

rpm? Yeah, you've got a very valid point.

Update: I'm wrong - see replies to this message.

[–] Samueru@lemmy.ml 4 points 5 months ago (1 children)

> AppImages, which have no automated update facility, are a terrible idea for software that is based on the security of the messaging system.

https://docs.appimage.org/packaging-guide/optional/updates.html

And if you want an example of one that self updates, ferdium.

[–] lorgo_numputz@beehaw.org 4 points 5 months ago

Ah, I'm wrong. Actually, that's a good thing.

TIL - and thank you.

[–] Vitaly 3 points 5 months ago (1 children)

You can always build it yourself if you want

[–] theorangeninja@lemmy.today 2 points 5 months ago (1 children)

Not everyone feels comfortable doing that.

[–] Vitaly 1 points 5 months ago (3 children)

true, then just use the flatpak version

[–] fr0g@feddit.de 2 points 5 months ago
[–] TimLovesTech@badatbeing.social 2 points 5 months ago (2 children)

OP, what distro are you running? You mention a whole bunch of package formats they don't provide, but never mention what format you require. Depending on the distro, making a build script (or converting the .deb) really isn't Rocket Surgery ™.

[–] delirious_owl@discuss.online 1 points 5 months ago (1 children)
[–] theorangeninja@lemmy.today 2 points 5 months ago (1 children)

rpm is less secure than deb?

[–] delirious_owl@discuss.online 1 points 5 months ago

Depends if it's signed and how you get the key

Apt and yum are almost always more secure
