On Tue, 2017-07-18 at 15:25 +0200, Dominik 'Rathann' Mierzejewski
On Tuesday, 18 July 2017 at 13:39, Mathieu Bridon wrote:
> On Tue, 2017-07-18 at 13:23 +0200, Dominik 'Rathann' Mierzejewski
> > By the way, I can't figure out how to look inside a Flatpak and
> > review its contents. Could someone provide some pointers?
> On the repo all you have is an object store (much like Git's
> .git/objects/ folder), but if you install the app you will also get
> $ ls
> bin lib manifest.json share
> (that's because I installed the app with --user, if you install it
> system-wide then it's under /var/lib/flatpak/app/...)
> The manifest.json file is a recipe for how the app was built (like a
> spec file), which helps reproducing builds.
> The contents of that files/ directory are what gets mounted as /app/ in
> the sandbox.
In other words, it's not possible to inspect a binary flatpak without
installing it. With RPMs, I can check what files will land on my
system and where, and also see what the scriptlets do. I can also
extract and inspect individual files. Am I missing something and
worrying unnecessarily that I can't do the same with flatpaks?
Well, the nice thing is that:
- There are no scriptlets with Flatpaks - no arbitrary code execution
at install time.
- There is no ability for Flatpaks to drop arbitrary files at
arbitrary locations on your system.
The idea is that you don't *have* to inspect a flatpak before
installation to make sure that it's not dangerous.
That being said, we definitely should have well-documented, easy-to-use
tooling for downloading, copying, and manipulating Flatpaks without
installing them. You can get it done, but you need to know quite a bit
The 'skopeo' tool from Project Atomic may be the right place for that
type of manipulation - it already has a lot of the right pieces.
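As an added illustration of the review workflow the thread asks about (not code from the thread or from the Flatpak project): the shell script below reads an installed app's committed tree straight out of the local OSTree repo, showing the permission metadata, the manifest.json recipe and the files/ tree that becomes /app. It assumes the standard user and system repo paths, the ostree CLI, and a "stable" branch on x86_64 unless told otherwise.

```shell
#!/bin/sh
# Added example (not from the thread): look inside an installed Flatpak's
# OSTree objects rather than the checked-out app directory.
# Assumes the default flatpak repo locations and the ostree CLI.
set -eu

# Flatpak stores apps as OSTree refs named app/<id>/<arch>/<branch>.
flatpak_ref() {
    # $1 app id, $2 arch (assumed x86_64), $3 branch (assumed stable)
    printf 'app/%s/%s/%s\n' "$1" "${2:-x86_64}" "${3:-stable}"
}

# Pick the user repo (--user installs) or the system-wide repo.
flatpak_repo() {
    # $1 is "user" or "system"
    case "$1" in
        user)   printf '%s/.local/share/flatpak/repo\n' "${HOME}" ;;
        system) printf '/var/lib/flatpak/repo\n' ;;
        *)      echo "unknown installation: $1" >&2; return 1 ;;
    esac
}

# Walk the committed tree: /files is what gets mounted as /app in the sandbox.
list_files() {
    ostree --repo="$1" ls -R "$2" /files
}

# Print the build recipe stored alongside the app.
show_manifest() {
    ostree --repo="$1" cat "$2" /files/manifest.json
}

# The commit's metadata file records the sandbox permissions the app asks
# for (shared=, sockets=, filesystems=, ...): the part a reviewer reads first.
show_permissions() {
    ostree --repo="$1" cat "$2" /metadata
}

main() {
    repo=$(flatpak_repo "${2:-user}")
    ref=$(flatpak_ref "$1")
    echo "== $ref in $repo =="
    show_permissions "$repo" "$ref"
    echo "== manifest.json =="
    show_manifest "$repo" "$ref"
    echo "== files/ (mounted as /app) =="
    list_files "$repo" "$ref"
}

if [ $# -gt 0 ]; then
    main "$@"   # usage: ./inspect-flatpak.sh org.example.App [user|system]
fi
```

Nothing here executes anything from the app; it only reads objects already committed to the local repo.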