Even without such Microsoft-introduced crap, the better question is what's good about Edge? Why use it over any other Chromium-based browser or Firefox? At the moment there's exactly one good reason - if you have a Steam Deck and want cloud gaming, because it's the only browser that supports it.
That's a matter of repository policy, but yes, Flathub (by far the largest and most popular repository) allows for this. I believe that they generally put a disclaimer that it's not an official package in the description, and allow the upstream developer to claim the application ID for themselves if they wish to maintain it.
I'm pretty sure OP is referring to the use of reverse DNS names for unofficial apps in particular, not the naming scheme's general use.
It's also not really "pushed" onto Flatpak: significant parts of the ecosystem already use the scheme, so Flatpak following along allows an app to keep the same name across multiple different places (desktop file, D-Bus name, etc).
However, flatpak is only mentioned twice, both as "run this command" in step 4 - hardly a "We at microsoft wrote this and you should use it" type of "promotion".
As someone who uses very little Microsoft and doesn't use Steam, I don't even know what "Edge flatpak" is, nor even what the flatpak command does or is.
I don't think there's going to be much "outrage" to be generated here.
> “We worked closely with Valve and the Xbox Cloud Gaming team to bring support for Xbox Cloud Gaming (Beta) with Xbox Game Pass Ultimate through Microsoft Edge Beta for the Steam Deck,” says Missy Quarry, a community manager for Microsoft Edge.
Then there is a tweet which links to this reddit post. That reddit post has you install the Microsoft Edge flatpak. If you search using DDG or Google for "edge runs on steam deck", you will see that there are multiple news articles reporting on how Microsoft has worked with Valve to get Edge running on the Steam Deck. All of these use the flatpak mentioned in the post. I can absolutely see why the author of the flatpak would want at least some attribution instead of Microsoft announcing that they alone have gotten Edge running on the deck.
Also, it is worth it to read the Wikipedia page on flatpak if you don't understand what flatpak is. It is a really important technology if you want to understand why the author is mad.
None of those sources back up your claim. They all say that Microsoft has worked with Valve to get Xbox Cloud Gaming working on the Steam Deck and that this work utilises Edge. They also imply that Edge Beta includes explicit support for the Steam Deck controls, but I was not able to verify that. If so, then that would presumably be what Valve and the MS Edge team were collaborating on.
One thing in noticed is that they say to install “Microsoft Edge Beta”, but the author seems to maintain “Microsoft Edge” on Flathub. Maybe I’m not following how releases work on Flathub, but is it possible that Microsoft actually does have a Beta version that they are publishing for the Deck?
The Edge Flatpak discussed in this post is on the Flathub Beta channel, and I have confirmation that the only Flatpak repos on the Deck are Flathub stable and beta. I.e. there is no other Edge Flatpak.
Even if there were, it would have to rely on either the Flatpak Chromium's downstream patches or Zypak anyway (unless they used --no-sandbox, which would be awful).
Flatpack has little to do with Microsoft or Steam. Flatpak is a way to distribute applications in such a way that they don't depend on the base system but rather a runtime that gets downloaded. You can think of it as a package manager. Edge is a web browser developed by Microsoft.
Perhaps the article has been updated or perhaps I am missing something, but nothing in the linked article at https://support.microsoft.com/en-us/topic/xbox-cloud-gaming-... made me think specifically that Microsoft are in charge of the Flatpak packaging. Nor that they weren’t.
But I also don’t see why this article would or should specifically mention who had happened to package the app.
If anything, I would say that it would be more reasonable to instead ask Valve to highlight who is packaging stuff. Valve is responsible for the representation of things on SteamOS, not Microsoft.
Asking for credit for packaging in a random support article seems.. strange?
I disagree with this post. I wouldn’t be surprised if the author of the help article was under the impression that the package was Microsoft’s. Just look at the metadata, which is used in the UI:
You can’t go round claiming to be Microsoft and then add a disclaimer in the notes field that you’re not actually Microsoft, which they do, after four paragraphs of other text:
> NOTE: This wrapper is not verified by, affiliated with, or supported by Microsoft.
I don’t think this is an adequate way to surface such an important piece of information, one which arguably contradicts the package metadata. Flathub needs to figure this out.
It may be designed that way but in practice it’s misleading, especially the way it appears in the UI. It looks like a designation of origin of the package. These are trademarks and can’t just be thrown around casually.
Why is there not at least a packager or maintainer field?
This does not help much without doing further digging. I checked the "Steam" package and for me in Flathub I see a link to "See Details" for the publisher. Clicking on that takes me to the contributors page of their Flathub GitHub repo. Am I supposed to know if these are employees of the company or not?
I am on mobile, so maybe there's more info on desktop? I see nothing indicating if this is official or not, other than a note at the bottom of the flathub description telling me it is not official, which seems strange for that to be the only place indicating that.
> Needless to say, this most likely an oversight so I have not concluded that this was intentional, yet
I don't see a point of disagreement. Developer != flatpak maintainer. Putting themselves there would rightly have them called out for misappropriation.
If Microsoft officially starts publishing their apps to Flathub then we could have a watershed moment for Flatpak adoption. One central app store for Linux. Pushing Microsoft to take over maintaining the Flatpak for Edge is only a good thing? HN should be supporting the Edge authors.
Flatpak is really special technology. Joy to package, excellent end user experience, and completely open.
Depends on how you define worked well. iOS and Android are immensely successful on providing value to users on the UX front (think of how many smartphone users would have a hard time downloading and installing eg. 7-zip).
The point of picking a Linux distribution is buying into a package management scheme. If you want to pick the “flatpak” distro fine, but I’m sticking with apt or nix
that's "one point" of picking a distribution. Another is cadence, and trust in the people who make it. There are also the organization considerations. Debian has both the Debian Constitution and the Debian Social Contract. Those aren't things every distro has.
(These aren't the only other points, just ones off the top of my head)
Flatpak is the only packaging system that takes even a tiny step towards trying to give you some kind of security.
When installing software using any other packaging system you have no isolation what so ever. The software is able to help to do anything on the system as root (because the installer script runs as root). Not even Nix, which is supposed to give you some kind of reproducibility helps.
I personally don't trust every single software developer with the integrity of my entire computing environment. I want the code I run to be isolated and only be able to access the things they are supposed to be able to access.
Now, there are valid concerns that Flatpak doesn't provide enough isolation, and that it's never really clear what rights a given package actually has, forcing you to use Flatseal to manually configure the rights for packages. However, no other packaging system does anything to address the terrible security situation on Linux, so there is really no other alternative.
Well, there is one alternative which I generally recommend people to use which is Qubes OS, but it takes quite a bit of discipline to use it correctly, so it's not practical for all users.
It’s more nuanced than that. Most of the major distributions provide the packages and hence the install scripts (the part which runs as root) and if you don’t trust them then you shouldn’t be running their Linux distribution.
Once most software is installed it will run unprivileged, and in most cases will be even further restricted by selinux, app armour, and/or systemd.
Unprivileged doesn't really mean anything. Since pretty much everything sensitive is running as a single user, having root doesn't really give much much that you couldn't already do as the user.
You're right that apparmour can help, but getting good profiles for the software you use is not easy, and I'd say less available than Flatpak.
> Flatpak is the only packaging system that takes even a tiny step towards trying to give you some kind of security.
Is it anything more than a false pretense at security? Having a "sandbox" which most apps don't use ( usually for good reason), and not giving the users an easy way to check if the app they're installing uses the sandbox.. what's the point of that sandbox then? It's just security theater.
That site always tends to come up when people want to complain about Flatpak, and it's been mentioned multiple times on this site. Check the previous posts to see well formed responses to the nonsensical claims made on that site.
I (nor anyone else that I've seen supporting Flatpak) has ever claimed it's a perfect solution. If you want something closer to being perfect, you need to use Qubes OS. However, no other solution even seem to try to provide a solution for isolation on Linux.
If I want to run a program without habing to trust it with access to my $HOME/.ssh directory, what is my alternative?
Given that there's no mutual exclusivity to running flatpaks and running distro based software I don't see why there's a need to stick to anything. You're not losing anything by also adopting flatpaks. Do you also not compile your own software as to not incur the wrath of the package maintainers?
It's Linux, you can install software however you want
I used flatpak extensively and every issue I had was the result of software being repackaged by a 3rd party and the contained software not properly interacting with the flatpak apis.
Stuff that was natively designed for flatpak was flawless while other stuff had some minor issues when it expects things like direct file system access or expects libraries to just exists on the fs rather than explicitly bundling them in or requesting them.
I don't think crediting packagers is a common thing it general. I can't think of a time an article / company credited packagers when telling you to apt get something.
I see no reason to help Microsoft with anything when it comes to Linux. Edge isn't even open source is it? I don't see how this helps anyone to provide a Flatpak of a proprietary binary that will go to great lengths to take hostile actions against the user.
This is pretty ridiculous and a manufactured scandal. I'm sure attempting to publicly shame a company into a job offer will turn out well.
I don't even see the problem, a help article says to install a browser? If I blog about how to install software, I have to give attribution to whomever packaged it?
56 comments
[ 4.5 ms ] story [ 114 ms ] threadWhat's wrong with Edge?
Even without such Microsoft-introduced crap, the better question is what's good about Edge? Why use it over any other Chromium-based browser or Firefox? At the moment there's exactly one good reason - if you have a Steam Deck and want cloud gaming, because it's the only browser that supports it.
It's also not really "pushed" onto Flatpak: significant parts of the ecosystem already use the scheme, so Flatpak following along allows an app to keep the same name across multiple different places (desktop file, D-Bus name, etc).
However, flatpak is only mentioned twice, both as "run this command" in step 4 - hardly a "We at microsoft wrote this and you should use it" type of "promotion".
As someone who uses very little Microsoft and doesn't use Steam, I don't even know what "Edge flatpak" is, nor even what the flatpak command does or is.
I don't think there's going to be much "outrage" to be generated here.
> “We worked closely with Valve and the Xbox Cloud Gaming team to bring support for Xbox Cloud Gaming (Beta) with Xbox Game Pass Ultimate through Microsoft Edge Beta for the Steam Deck,” says Missy Quarry, a community manager for Microsoft Edge.
Then there is a tweet which links to this reddit post. That reddit post has you install the Microsoft Edge flatpak. If you search using DDG or Google for "edge runs on steam deck", you will see that there are multiple news articles reporting on how Microsoft has worked with Valve to get Edge running on the Steam Deck. All of these use the flatpak mentioned in the post. I can absolutely see why the author of the flatpak would want at least some attribution instead of Microsoft announcing that they alone have gotten Edge running on the deck.
Also, it is worth it to read the Wikipedia page on flatpak if you don't understand what flatpak is. It is a really important technology if you want to understand why the author is mad.
[1] : https://www.reddit.com/r/MicrosoftEdge/comments/th77w9/micro...
[2] : https://www.reddit.com/r/MicrosoftEdge/comments/th77w9/micro...
Even if there were, it would have to rely on either the Flatpak Chromium's downstream patches or Zypak anyway (unless they used --no-sandbox, which would be awful).
The Edge flatpak is essentially a package.
But I also don’t see why this article would or should specifically mention who had happened to package the app.
If anything, I would say that it would be more reasonable to instead ask Valve to highlight who is packaging stuff. Valve is responsible for the representation of things on SteamOS, not Microsoft.
Asking for credit for packaging in a random support article seems.. strange?
I mentioned this to the article author, and they edited the post to include the Reddit announcement.
<id>com.microsoft.Edge</id>
<name>Microsoft Edge</name>
<developer_name>Microsoft Corporation</developer_name>
You can’t go round claiming to be Microsoft and then add a disclaimer in the notes field that you’re not actually Microsoft, which they do, after four paragraphs of other text:
> NOTE: This wrapper is not verified by, affiliated with, or supported by Microsoft.
I don’t think this is an adequate way to surface such an important piece of information, one which arguably contradicts the package metadata. Flathub needs to figure this out.
The developer_name element is for the developer of the application that is being packaged. It is not the name of the maintainer of the flatpak.
>The <developer_name/> tag is designed to represent the developers or project responsible for development of the project described in the metadata.
https://www.freedesktop.org/software/appstream/docs/chap-Met...
Why is there not at least a packager or maintainer field?
On flathub the developer is the developer of the software being published and the publisher is the people who packaged it.
I am on mobile, so maybe there's more info on desktop? I see nothing indicating if this is official or not, other than a note at the bottom of the flathub description telling me it is not official, which seems strange for that to be the only place indicating that.
> Needless to say, this most likely an oversight so I have not concluded that this was intentional, yet
I don't see a point of disagreement. Developer != flatpak maintainer. Putting themselves there would rightly have them called out for misappropriation.
I've been adopting flatpaks a fair bit lately but something doesn't sit right that there's not an obvious way (At least in most front ends) to know:
1) Who the packager is.
2) Is the flatpak officially sanctioned by the developer of the software?
2.5) If not, how do I know that it was packaged correctly? Was the build from a clean source?
3) Is it really the latest version? (or is the potential non-official packager perhaps lagging behind the official release)
Perhaps you can dig further into GitHub and get the information, but it's not blatantly obvious at a glance.
Flatpak is really special technology. Joy to package, excellent end user experience, and completely open.
Because that model worked so well for iOS and Android?
I think it worked out pretty well tbh. Would be an odd choice not to copy the model.
(These aren't the only other points, just ones off the top of my head)
When installing software using any other packaging system you have no isolation what so ever. The software is able to help to do anything on the system as root (because the installer script runs as root). Not even Nix, which is supposed to give you some kind of reproducibility helps.
I personally don't trust every single software developer with the integrity of my entire computing environment. I want the code I run to be isolated and only be able to access the things they are supposed to be able to access.
Now, there are valid concerns that Flatpak doesn't provide enough isolation, and that it's never really clear what rights a given package actually has, forcing you to use Flatseal to manually configure the rights for packages. However, no other packaging system does anything to address the terrible security situation on Linux, so there is really no other alternative.
Well, there is one alternative which I generally recommend people to use which is Qubes OS, but it takes quite a bit of discipline to use it correctly, so it's not practical for all users.
Once most software is installed it will run unprivileged, and in most cases will be even further restricted by selinux, app armour, and/or systemd.
You're right that apparmour can help, but getting good profiles for the software you use is not easy, and I'd say less available than Flatpak.
Is it anything more than a false pretense at security? Having a "sandbox" which most apps don't use ( usually for good reason), and not giving the users an easy way to check if the app they're installing uses the sandbox.. what's the point of that sandbox then? It's just security theater.
https://flatkill.org/2020/
I (nor anyone else that I've seen supporting Flatpak) has ever claimed it's a perfect solution. If you want something closer to being perfect, you need to use Qubes OS. However, no other solution even seem to try to provide a solution for isolation on Linux.
If I want to run a program without habing to trust it with access to my $HOME/.ssh directory, what is my alternative?
Do I actually need to list all of them? There are a lot.
Given that there's no mutual exclusivity to running flatpaks and running distro based software I don't see why there's a need to stick to anything. You're not losing anything by also adopting flatpaks. Do you also not compile your own software as to not incur the wrath of the package maintainers?
It's Linux, you can install software however you want
Distros can and do have their own flatpak repositories, notably Fedora and elementaryOS.
There are also third party apt repositories, maintained by someone other than a distro.
In this respect, apt and flatpak work exactly the same way.
Are we even using the same software? That has not been my experience at all.
Stuff that was natively designed for flatpak was flawless while other stuff had some minor issues when it expects things like direct file system access or expects libraries to just exists on the fs rather than explicitly bundling them in or requesting them.
I don't even see the problem, a help article says to install a browser? If I blog about how to install software, I have to give attribution to whomever packaged it?
This is just absurd.
Either it's a cultural issue, or that the management are sorry they got caught. I'm thinking this is more of the second option.