On Tuesday, 18 July 2017 at 17:15, Owen Taylor wrote:
> On Tue, 2017-07-18 at 15:25 +0200, Dominik 'Rathann' Mierzejewski
> wrote:
> > On Tuesday, 18 July 2017 at 13:39, Mathieu Bridon wrote:
> > > On Tue, 2017-07-18 at 13:23 +0200, Dominik 'Rathann' Mierzejewski
> > > wrote:
> > > > By the way, I can't figure out how to look inside a Flatpak and
> > > > review its contents. Could someone provide some pointers?
> > > 
> > > On the repo all you have is an object store (much like Git's
> > > .git/objects/ folder), but if you install the app you will also get
> > > a checkout:
> > > 
> > >   $ ls ~/.local/share/flatpak/app/org.gnome.Calendar/current/active/files/
> > >   bin  lib  manifest.json  share
> > > 
> > > (that's because I installed the app with --user, if you install it
> > > system-wide then it's under /var/lib/flatpak/app/...)
> > > 
> > > The manifest.json file is a recipe for how the app was built (like
> > > a spec file), which helps reproducing builds.
> > > 
> > > The contents of that files/ directory are what gets mounted as
> > > /app/ in the sandbox.
> > 
> > In other words, it's not possible to inspect a binary flatpak without
> > installing it. With RPMs, I can check what files will land on my
> > system and where, and also see what the scriptlets do. I can also
> > extract and inspect individual files. Am I missing something and
> > worrying unnecessarily that I can't do the same with flatpaks?
> Well, the nice thing is that:
>  - There are no scriptlets with Flatpaks - no arbitrary code execution
>    at install time.
>  - There is no ability for Flatpaks to drop arbitrary files at
>    arbitrary locations on your system.

That is good to know, assuming there are no bugs that can be exploited
by an evil flatpak creator to do just that. ;) At least with RPM, we *know*
it's possible by design.

The files themselves are still arbitrary, even if the locations aren't.
How do I know where their files will land?

> The idea is that you don't *have* to inspect a flatpak before
> installation to make sure that it's not dangerous.

I don't *have* to inspect an RPM (coming from Fedora), either, but I sure
like having that ability.

> That being said, we definitely should have well documented, easy to use
> tooling, for downloading, copying, and manipulating Flatpaks without
> installing them. You can get it done, but you need to know quite a bit
> about ostree.
> The 'skopeo' tool from Project Atomic may be the right place for that
> type of manipulation - it already has a lot of the right pieces.

Another thing: RPM has the ability to run queries (-qp) against remote
package files exactly the same as for local ones. I don't see an option
to do the same with flatpak without adding a remote repo and installing
it first:

$ flatpak info 
error: Invalid id https:: Name can't contain :

$ flatpak --user remote-add gnome https://sdk.gnome.org/gnome.flatpakrepo
$ flatpak --user remote-add gnome-apps 
$ flatpak info org.gnome.Weather
error: org.gnome.Weather master not installed

$ flatpak remotes
Name       Options
gnome      user   
gnome-apps user   
$ flatpak remote-ls gnome-apps
error: Remote "gnome-apps" not found

Now that's confusing. It shows me configured remotes, but then says
they're not found. Shall I file a bug?

Even after installation, I don't get a file manifest:

$ flatpak -o -s -m -e -v info org.gnome.Weather
XA: No installations directory in /etc/flatpak/installations.d. Skipping
gnome-apps 10.5 MB


[Session Bus Policy]

[System Bus Policy]


[Extension org.gnome.Weather.Locale]

[Extension org.gnome.Weather.Debug]

Extension: runtime/org.gnome.Weather.Locale/x86_64/stable
ID: org.gnome.Weather.Locale
Origin: gnome-apps
Commit: 4e39959a470f1e8a77f22bd57e91fc268a09f3fc7b894c3c50dfa8f28c618585
Installed size: <512 bytes
Subpaths: /en

Another thing that surprised me: libgnomedesktop doesn't seem to be part
of org.gnome.Platform runtime and is bundled with the application
$ ls -l 
-rwxr-xr-x. 2 rathann rathann 232984 Jan  1  1970 
$ ls -l 
ls: cannot access 
 No such file or directory

(What's wrong with the file timestamp, by the way?)

And... another:
$ flatpak list
Ref                             Options
org.gnome.Weather/x86_64/stable user,current
org.gnome.Platform/x86_64/3.24  user,runtime
$ flatpak uninstall org.gnome.Platform/x86_64/3.24
error: org.gnome.Platform 3.24 not installed

(Again, huh?)

$ flatpak --user uninstall org.gnome.Platform/x86_64/3.24
Uninstalling org.gnome.Platform/x86_64/3.24
Uninstalling org.gnome.Platform.Locale/x86_64/3.24

WTF? Dependencies, anyone?

And yes, I'll go and file bugs, but these are basic things and I can't
imagine why they weren't noticed and fixed before. Flatpak has been
available in Fedora for over a year now. If it wants to be a serious
contender as an application distribution mechanism, it has to do much
better than that.

Fedora http://fedoraproject.org/wiki/User:Rathann
RPMFusion http://rpmfusion.org
"Faith manages."
        -- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"
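
The on-disk review discussed in this thread, as an added example that is not part of the original message or of Flatpak's own tooling: it walks the `files/` checkout of an installed app and prints a per-file manifest (mode, size, SHA-256, path as mounted under `/app/`), roughly what `rpm -ql` gives for an RPM. `FLATPAK_APP_DIRS` is a hypothetical override introduced here; GNU `stat` and `sha256sum` are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): list what an installed Flatpak app
# ships, roughly what `rpm -ql` gives for an RPM.
# FLATPAK_APP_DIRS is a hypothetical override, a colon-separated list of
# app directories; the defaults are the two locations named in the thread.

# Print the files/ checkout of an app id: user install first, then system.
flatpak_files_dir() (
    set -f          # no globbing while splitting the directory list
    IFS=:
    for base in ${FLATPAK_APP_DIRS:-$HOME/.local/share/flatpak/app:/var/lib/flatpak/app}; do
        dir=$base/$1/current/active/files
        if [ -d "$dir" ]; then
            printf '%s\n' "$dir"
            exit 0
        fi
    done
    echo "no checkout found for $1" >&2
    exit 1
)

# One line per entry, sorted by path:
#   regular file: <octal mode> <size> <sha256> /app/<path>
#   symlink:      link - - /app/<path> -> <target>
flatpak_manifest() (
    root=$(flatpak_files_dir "$1") || exit 1
    cd "$root" || exit 1
    {
        find . -type f -exec sh -c 'for f; do
            printf "%s %s /app/%s\n" "$(stat -c "%a %s" "$f")" \
                "$(sha256sum < "$f" | cut -d" " -f1)" "${f#./}"
        done' sh {} +
        find . -type l -exec sh -c 'for f; do
            printf "link - - /app/%s -> %s\n" "${f#./}" "$(readlink "$f")"
        done' sh {} +
    } | LC_ALL=C sort -k4
)

# Usage: flatpak_manifest org.gnome.Weather
```

Saving the output before and after an update and diffing the two files shows which shipped files changed.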