On Tuesday, 18 July 2017 at 17:15, Owen Taylor wrote:
> On Tue, 2017-07-18 at 15:25 +0200, Dominik 'Rathann' Mierzejewski wrote:
> > On Tuesday, 18 July 2017 at 13:39, Mathieu Bridon wrote:
> > > On Tue, 2017-07-18 at 13:23 +0200, Dominik 'Rathann' Mierzejewski wrote:
> > > > By the way, I can't figure out how to look inside a Flatpak and
> > > > review its contents. Could someone provide some pointers?
> > >
> > > On the repo all you have is an object store (much like Git's
> > > .git/objects/ folder), but if you install the app you will also get a
> > > checkout:
> > >
> > > $ ls ~/.local/share/flatpak/app/org.gnome.Calendar/current/active/files/
> > > bin lib manifest.json share
> > >
> > > (that's because I installed the app with --user, if you install it
> > > system-wide then it's under /var/lib/flatpak/app/...)
> > >
> > > The manifest.json file is a recipe for how the app was built (like a
> > > spec file), which helps reproducing builds.
> > >
> > > The contents of that files/ directory are what gets mounted as /app/ in
> > > the sandbox.
> >
> > In other words, it's not possible to inspect a binary flatpak without
> > installing it. With RPMs, I can check what files will land on my
> > system and where, and also see what the scriptlets do. I can also
> > extract and inspect individual files. Am I missing something and
> > worrying unnecessarily that I can't do the same with flatpaks?
> Well, the nice thing is that:
> - There are no scriptlets with Flatpaks - no arbitrary code execution
> at install time.
> - There is no ability for Flatpaks to drop arbitrary files at
> arbitrary locations on your system.

That is good to know, assuming there are no bugs that can be exploited
by an evil flatpak creator to do just that. ;) At least with RPM, we *know*
it's possible by design.

> The files themselves are still arbitrary, even if the locations aren't.

How do I know where their files will land?

> The idea is that you don't *have* to inspect a flatpak before
> installation to make sure that it's not dangerous.

I don't *have* to inspect an RPM (coming from Fedora), either, but I sure
like having that ability.

> That being said, we definitely should have well documented, easy to use
> tooling, for downloading, copying, and manipulating Flatpaks without
> installing them. You can get it done, but you need to know quite a bit
> about ostree.
>
> The 'skopeo' tool from Project Atomic may be the right place for that
> type of manipulation - it already has a lot of the right pieces.
Another thing: RPM has the ability to run queries (-qp) against remote
package files exactly the same as for local ones. I don't see an option
to do the same with flatpak without adding a remote repo and installing
it first:

$ flatpak info "https://git.gnome.org/browse/gnome-apps-nightly/plain/gnome-weather.flatpakref?h=stable"
error: Invalid id https:: Name can't contain :
$ flatpak --user remote-add gnome https://sdk.gnome.org/gnome.flatpakrepo
$ flatpak --user remote-add gnome-apps https://sdk.gnome.org/gnome-apps.flatpakrepo
$ flatpak info org.gnome.Weather
error: org.gnome.Weather master not installed
$ flatpak remotes
Name Options
gnome user
gnome-apps user
$ flatpak remote-ls gnome-apps
error: Remote "gnome-apps" not found

Now that's confusing. It shows me configured remotes, but then says
they're not found. Shall I file a bug?
Even after installation, I don't get a file manifest:
$ flatpak -o -s -m -e -v info org.gnome.Weather
XA: No installations directory in /etc/flatpak/installations.d. Skipping
gnome-apps 10.5 MB
[Application]
name=org.gnome.Weather
runtime=org.gnome.Platform/x86_64/3.24
sdk=org.gnome.Sdk/x86_64/3.24
command=/app/share/org.gnome.Weather/org.gnome.Weather.Application
[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=xdg-run/dconf;~/.config/dconf:ro;
[Session Bus Policy]
ca.desrt.dconf=talk
[System Bus Policy]
org.freedesktop.GeoClue2=talk
[Environment]
DCONF_USER_CONFIG_DIR=.config/dconf
[Extension org.gnome.Weather.Locale]
directory=share/runtime/locale
autodelete=true
[Extension org.gnome.Weather.Debug]
directory=lib/debug
autodelete=true
no-autodownload=true
Extension: runtime/org.gnome.Weather.Locale/x86_64/stable
ID: org.gnome.Weather.Locale
Origin: gnome-apps
Commit: 4e39959a470f1e8a77f22bd57e91fc268a09f3fc7b894c3c50dfa8f28c618585
Installed size: <512 bytes
Subpaths: /en
Another thing that surprised me: libgnomedesktop doesn't seem to be part
of org.gnome.Platform runtime and is bundled with the application
instead:
$ ls -l .local/share/flatpak/app/org.gnome.Weather/x86_64/stable/cd5dad9f9fa301cfc8ee6cdd42985294461a2b50f79ff5ea0f142ae88f571196/files/lib/libgnome-desktop-3.so.12.2.0
-rwxr-xr-x. 2 rathann rathann 232984 Jan 1 1970 .local/share/flatpak/app/org.gnome.Weather/x86_64/stable/cd5dad9f9fa301cfc8ee6cdd42985294461a2b50f79ff5ea0f142ae88f571196/files/lib/libgnome-desktop-3.so.12.2.0
$ ls -l .local/share/flatpak/runtime/org.gnome.Platform/x86_64/3.24/917abdce38d8852606b5ad7311052cdbd083b223f8c39d8567880b23af3c3e52/files/lib/libgnome*
ls: cannot access '.local/share/flatpak/runtime/org.gnome.Platform/x86_64/3.24/917abdce38d8852606b5ad7311052cdbd083b223f8c39d8567880b23af3c3e52/files/lib/libgnome*': No such file or directory
(What's wrong with the file timestamp, by the way?)
And... another:
$ flatpak list
Ref Options
org.gnome.Weather/x86_64/stable user,current
org.gnome.Platform/x86_64/3.24 user,runtime
$ flatpak uninstall org.gnome.Platform/x86_64/3.24
error: org.gnome.Platform 3.24 not installed
(Again, huh?)
$ flatpak --user uninstall org.gnome.Platform/x86_64/3.24
Uninstalling org.gnome.Platform/x86_64/3.24
Uninstalling org.gnome.Platform.Locale/x86_64/3.24
WTF? Dependencies, anyone?
And yes, I'll go and file bugs, but these are basic things and I can't
imagine why they weren't noticed and fixed before. Flatpak has been
available in Fedora for over a year now. If it wants to be a serious
contender as an application distribution mechanism, it has to do much
better than that.
Regards,
Dominik
--
Fedora
http://fedoraproject.org/wiki/User:Rathann
RPMFusion
http://rpmfusion.org
"Faith manages."
-- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"
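The thread above asks how to review what an installed Flatpak is allowed to do. The `flatpak info -m` output quoted in the mail is the app's `metadata` keyfile, and the `[Context]` and bus-policy sections are where the sandbox permissions live. The following is an added example (not code from this thread, from Flatpak or from Fedora) of a small reviewer that parses such a keyfile and lists the permissions plus a few review notes. It assumes that an installed app's deploy directory holds a `metadata` keyfile beside `files/` (for a `--user` install, `~/.local/share/flatpak/app/<app-id>/current/active/metadata`); the first sample is the org.gnome.Weather metadata from the mail, the second is a constructed metadata for a hypothetical app, and the review rules in `findings()` are this example's own and cover only a handful of well-known sandbox-weakening settings.

```python
"""Summarize the sandbox permissions declared in a Flatpak 'metadata' keyfile.

Added example for this thread; not code from the thread, from Flatpak or from
Fedora. Assumption: an installed app's deploy directory holds a 'metadata'
keyfile beside 'files/', e.g. ~/.local/share/flatpak/app/<app-id>/current/active/metadata,
in the same format that 'flatpak info -m' prints. The review rules below are
this example's own and cover only a few well-known sandbox-weakening settings.
"""
import configparser
import sys

# Sample input 1: the org.gnome.Weather metadata quoted in the thread.
WEATHER_METADATA = """\
[Application]
name=org.gnome.Weather
runtime=org.gnome.Platform/x86_64/3.24
sdk=org.gnome.Sdk/x86_64/3.24
command=/app/share/org.gnome.Weather/org.gnome.Weather.Application

[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=xdg-run/dconf;~/.config/dconf:ro;

[Session Bus Policy]
ca.desrt.dconf=talk

[System Bus Policy]
org.freedesktop.GeoClue2=talk
"""

# Sample input 2: constructed metadata for a hypothetical app (not a real
# application) that asks for far more than a weather app needs.
RISKY_METADATA = """\
[Application]
name=com.example.Hypothetical
runtime=org.gnome.Platform/x86_64/3.24

[Context]
sockets=x11;
devices=all;
filesystems=host;~/Documents:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""


def parse_metadata(text):
    """Parse the GKeyFile-style metadata into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep keys (D-Bus names, env vars) case-sensitive
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def split_list(value):
    """Flatpak list values are ';'-separated and end with a trailing ';'."""
    return [item for item in value.split(";") if item]


def summarize(meta):
    """Collect the permission-bearing parts of the metadata into one dict."""
    ctx = meta.get("Context", {})
    return {
        "shared": split_list(ctx.get("shared", "")),
        "sockets": split_list(ctx.get("sockets", "")),
        "devices": split_list(ctx.get("devices", "")),
        "filesystems": split_list(ctx.get("filesystems", "")),
        "session_bus": meta.get("Session Bus Policy", {}),
        "system_bus": meta.get("System Bus Policy", {}),
    }


def findings(summary):
    """Return review notes for settings that hand the app host access."""
    notes = []
    for entry in summary["filesystems"]:
        path, _, mode = entry.partition(":")  # e.g. "host", "~/Documents:ro"
        if path in ("host", "home", "host-os", "host-etc"):
            notes.append(f"filesystems: '{entry}' exposes {path} ({mode or 'rw'})")
    if "x11" in summary["sockets"]:
        notes.append("sockets: x11 gives access to the X server, which does not isolate clients from each other")
    if "all" in summary["devices"]:
        notes.append("devices: all exposes every device node under /dev")
    for name, policy in summary["session_bus"].items():
        if name == "org.freedesktop.Flatpak" and policy in ("talk", "own"):
            notes.append(f"session bus: {policy} on org.freedesktop.Flatpak lets the app run commands outside the sandbox")
    return notes


def review(text):
    """Parse, summarize and review one metadata file's contents."""
    summary = summarize(parse_metadata(text))
    return summary, findings(summary)


if __name__ == "__main__":
    # Usage: python3 flatpak_review.py [path/to/metadata]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEATHER_METADATA
    summary, notes = review(text)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for note in notes:
        print("! " + note)
```

Run against the Weather sample it only remarks on the x11 socket; run against the constructed sample it flags the host filesystem, the x11 socket, the device access and the org.freedesktop.Flatpak bus name. Pointing it at a real deploy directory's `metadata` file gives the same kind of per-app permission listing that `rpm -qp --scripts` gives for scriptlets, which is the comparison the mail is drawing.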