You are in a thread where a user is having a problem because of the push for flatpaks, and because of some distros like Fedora crippling their packages and providing objectively worse alternatives on purpose (because they don’t want to risk RH IBM getting sued). If the user was using some sane community distro like Arch, the user would have never come to realize that such unnecessary issues even exist.
As for flatpak hate specifically, see my ramblings here.
Users are better off using a “freeworld” ffmpeg package, or not using Fedora at all. The cisco decoder is shit.
your life will be better if you stop using both flatpaks and openh264.
This is such a excellent unexpected original comeback, I will give you a chance to do another one.
Which is something you presumably want to do because you don’t want to use flatpak/ostree.
The first step of course, is to install ostree. 🤨
Then, via this very official method:
ostree init --repo=repo --mode=bare-user
ostree static-delta apply-offline --repo=repo some.flatpak
ostree checkout --repo=repo -U $(basename $(echo repo/objects/*/*.commit | cut -d/ -f3- --output-delimiter= ) .commit) outdir
This official solution looks very reliable.
Searching vulnerability databases will obviously prove futile. Like the below sample entries (search limited to CVSS>=9.0 and Age<90d)
[CVE-2025-7458] Critical - SQLite - Integer Overflow
↳ Priority: MEDIUM | No exploits | Vuln Age: 15d (RECENT)
↳ CVSS: 9.1 | EPSS: 0.0003 | KEV: ✘
↳ Exposure: 12 | Vendors: sqlite | Products: sqlite
↳ Patch: ✔ | POCs: ✘ | Nuclei Template: ✘ | HackerOne: ✘
─────────────────────────────────────────────────────────────────────────
[CVE-2025-6965] Critical - SQLite - Buffer Overflow
↳ Priority: HIGH | EXPLOITS AVAILABLE | Vuln Age: 29d (RECENT)
↳ CVSS: 9.8 | EPSS: 0.0005 | KEV: ✘
↳ Exposure: 13 | Vendors: sqlite | Products: sqlite
↳ Patch: ✔ | POCs: 1 | Nuclei Template: ✘ | HackerOne: ✘
─────────────────────────────────────────────────────────────────────────
[CVE-2025-49796] Critical - libxml2 - Denial of Service
↳ Priority: MEDIUM | No exploits | Vuln Age: 57d
↳ CVSS: 9.1 | EPSS: 0.0013 | KEV: ✘
↳ Patch: ✘ | POCs: ✘ | Nuclei Template: ✘ | HackerOne: ✘
─────────────────────────────────────────────────────────────────────────
[CVE-2025-49794] Critical - libxml2 - Use After Free
↳ Priority: MEDIUM | No exploits | Vuln Age: 57d
↳ CVSS: 9.1 | EPSS: 0.0013 | KEV: ✘
↳ Patch: ✘ | POCs: ✘ | Nuclei Template: ✘ | HackerOne: ✘
─────────────────────────────────────────────────────────────────────────
[CVE-2025-4517] Critical - Python tarfile - Path Traversal
↳ Priority: MEDIUM | No exploits | Vuln Age: 71d
↳ CVSS: 9.4 | EPSS: 0.0015 | KEV: ✘
↳ Patch: ✘ | POCs: ✘ | Nuclei Template: ✘ | HackerOne: ✘
─────────────────────────────────────────────────────────────────────────
libxml2 and sqlite are in the dependency tree of ostree itself of course. But really, nothing to see here.
Just the common “hate” talking points.
Because it’s more inconvenience than help for users who are average or above, and have no interest in using that technology.
If app developers start distributing binaries as flatpaks exclusively (examples of this already exist), then just extracting those binary packages alone is a chore (involving obscure(ish) steps starting with creating an empty ostree). It’s the kind of knowledge that is so useless you immediately erase it from your memory, which is what I did.
Also, one look at the dependency tree of flatpak, or even just ostree, and you quickly realize how much of a joke the “security” claims are with all that attack surface (think the xz in systemd drama and multiply it by a 100).
Can Flatpak itself be sunset with some bullying?
The first thing forcing an option does, is depriving that option the ability to know what it could achieve on pure merit.
And user-space implementations of WireGuard are used a lot anyway, especially on mobile. Every VPN provider app ships with one, at least as a backup (It’s
wireguard-gousually sinceboringtunis not well maintained).