This is an area where Ubuntu's snap ecosystem does better. Instead of essentially trying to create a meta-distribution, snaps provide a way to run software built for Ubuntu LTS on other distros, at least in theory. They are compiled against Ubuntu LTS runtimes and are built primarily from packages in the Ubuntu LTS repositories. Further, when any Ubuntu based dependencies of snap packages get security updates in the Ubuntu repositories, the owners of said packages are prompted to rebuild their snaps.
In contrast, it's not clear who is assuming responsibility for maintaining flatpak runtimes like org.gnome.Platform, or what is their support lifecycle. It would be better to promote runtimes based on a well-known distribution's packages, since they would get security updates in accordance with that distribution's security policy. For instance, something like https://developers.redhat.com/blog/2020/08/12/introducing-th... looks more promising from a security point of view.
Isn't Snap actually worse by not having a runtime? While it's indeed hardwired on the Ubuntu packages and infrastructure, the author still has to actively do something. When the app uses one of the major Flatpak runtimes, the vulnerability will be fixed for all apps using the runtime once the runtime is fixed - no action from app maintainer necessary.
Snaps are built on a "base snap" which in turn is derived from Ubuntu LTS. Further, they can bundle debs from the Ubuntu repositories using the "build-packages" and "stage-packages" manifest keywords. One bonus of this design is that the people writing the manifest don't have to worry about how the deb dependencies themselves are built. They only need to worry about building any third-party dependencies.
Now, flathub does maintain a collection of "modules" -- basically prewritten manifests for building various common dependencies from source. But that collection is still quite small, and writing a working flatpak manifest can involve duplicating a lot of the hard work of Debian and Ubuntu package maintainers.
Recently, Fedora started something promising from a maintainer's point of view by:
* creating a flatpak runtime based on fedora releases, and
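To make the contrast in the comments above concrete, here is an added illustration (not from anyone in this thread, and not from the snapcraft or Flatpak projects) of how the two manifest styles declare a dependency such as OpenSSL. The app name, package names and paths are placeholders; the keywords `build-packages`, `stage-packages`, `runtime` and `modules` are the real manifest keys. In the snap case the library comes as a prebuilt Ubuntu deb that the snap must be rebuilt to pick up; in the Flatpak case a library shipped by `org.gnome.Platform` is updated with the runtime, and only a library the runtime lacks has to be built as a module.

```yaml
# snapcraft.yaml (placeholder app; illustrative only)
name: example-app
base: core22            # base snap derived from Ubuntu 22.04 LTS
version: '1.0'
summary: Example app
description: Shows build-packages and stage-packages.
grade: stable
confinement: strict
parts:
  example-app:
    plugin: autotools
    source: .
    build-packages:     # Ubuntu debs needed only while building
      - libssl-dev
    stage-packages:     # Ubuntu debs copied into the snap; a security
      - libssl3         # update to this deb requires a snap rebuild
apps:
  example-app:
    command: usr/bin/example-app
---
# com.example.App.yaml (placeholder Flatpak manifest; illustrative only)
app-id: com.example.App
runtime: org.gnome.Platform   # OpenSSL comes from the runtime, so a
runtime-version: '44'         # runtime update fixes it for every app
sdk: org.gnome.Sdk
command: example-app
modules:
  # Only dependencies the runtime does not provide are built here,
  # from source, by the app maintainer.
  - name: example-app
    buildsystem: autotools
    sources:
      - type: dir
        path: .
```

The practical consequence for patching is visible in the two files: with the snap, every package listed under `stage-packages` is a copy frozen at build time, so a fix in the Ubuntu archive reaches users only after the publisher rebuilds; with the Flatpak, anything the runtime supplies is patched by whoever maintains the runtime, and the app-level exposure is limited to what appears under `modules`.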