If there's one thing you can always count on in the Linux world it's that packaging can be a nightmare. The OBS Studio team are not happy with the Fedora folks due to Flatpak problems and threatened legal action.
OBS continued using the EOL runtime because of Qt regressions introduced in the updated KDE runtime. The OBS team decided the security risk of sticking to the EOL runtime was small, so they didn’t update.
But that still does mean that users were no longer receiving security updates. Ideally, OBS should have moved to the standard Freedesktop runtime and vendored in the older Qt dependency. That way, the they would still be receiving security updates for everything in the Freedesktop runtime. Then once the regressions were fixed, they could move to the updated KDE runtime and remove the vendored Qt dependency.
Overall, the risk OBS had was small. But it demonstrates a larger issue with Flathub, which is that they don’t take security as seriously as Fedora. There are hundreds of flatpaks in Flathub that haven’t been updated in years, using EOL runtimes and vendored dependencies that get no updates.
Is there any merit to the claim OBS is using an end-of-life (EOL) runtime and that this is a very bad thing for security?
OBS continued using the EOL runtime because of Qt regressions introduced in the updated KDE runtime. The OBS team decided the security risk of sticking to the EOL runtime was small, so they didn’t update.
But that still does mean that users were no longer receiving security updates. Ideally, OBS should have moved to the standard Freedesktop runtime and vendored in the older Qt dependency. That way, the they would still be receiving security updates for everything in the Freedesktop runtime. Then once the regressions were fixed, they could move to the updated KDE runtime and remove the vendored Qt dependency.
Overall, the risk OBS had was small. But it demonstrates a larger issue with Flathub, which is that they don’t take security as seriously as Fedora. There are hundreds of flatpaks in Flathub that haven’t been updated in years, using EOL runtimes and vendored dependencies that get no updates.
It’s important to acknowledge that nothing is completely secure.
I didn’t know this was an issue for OBS because I’m not experiencing any problems nor am I seeing anyone else.
I think you might find this comment by one of the OBS upstream devs interesting:
https://pagure.io/fedora-workstation/issue/463#comment-955899
Ugh, I’m glad people are willing to fight back against these kinds of assertions.
Regardless of who is right, facilitating and encouraging this kind of discourse is how we end up with better software for everyone.
thanks!