Daniel Walsh wrote:
I read this like containers are something new and interesting.
Nope, we are saying they are something new and uninteresting. ;-)
Upstream docker project started this effort a few years ago and the world has latched onto it. Fedora needs to adjust and become great at containers.
Why? Just because "the world has latched onto it", for some definition of
"the world", even if it does not bring us any benefit (because we already
have distribution technologies that are far superior)?
Some of the interesting work we have been doing with atomic host, and atomic workstation is great.
You and I clearly do not have the same definition of "great".
We don't have to continue to do things the way we have for 20 years.
But we also don't have to stop doing things the way we have been doing with
no issues for 20 years. Especially when the overhyped replacement is
actually worse and does away with the most important feature of our existing
software delivery mechanism (shared dependencies with automatic dependency
resolution).
I believe Fedora needs to be at the forefront of figuring out these
container issues.
Then it should be at the forefront of figuring out how to build virtual
containers from packaged content in /usr (as has been discussed elsewhere in
this thread) rather than shipping container blobs duplicating the world.
Flatpak's integration into the desktop gives us the potential of a great leap forward in security. Imagine if Fedora finally fixes the biggest security issue of the desktop by running browsers in containers, in a truly secure manner with it fully integrated, not hacked up like it is in the SELinux Sandbox or by running docker images like Jess Frazelle was.
My browser (QupZilla) is already sandboxed, without SELinux, without Docker,
and without Flatpak. (It uses the Chromium seccomp sandbox.)
The stuff that Flatpak is doing has been very good.
You and I clearly do not have the same definition of "very good".
Colin Walters' work on ostree and rpm-ostree is looking into how we can do offline updates already, and yet this discussion is ignoring it. This stuff is great and it is currently controlled by Fedora; we should be taking advantage of it. I run the atomic workstation now and am running Flatpak, as well as development environments in containers. I feel some pain, but we are learning how to deal with it.
If you are a masochist, that is your problem. You don't have to force this
on all Fedora users.
The ostree technology removes the possibility to make any changes to the
base packages from the user, which makes it an extremely inflexible delivery
method. I do not want to use ostree, not now, not ever.
We need to learn to live with combinations of rpm packages, ostree
distributions and containers running on Fedora.
We don't need to at all. RPM will continue working, if it does not get
deliberately sabotaged by the proponents of containers.
Kevin Kofler