Re: F27 System Wide Change: Graphical Applications as Flatpaks

On Tue, 2017-07-18 at 15:25 +0200, Dominik 'Rathann' Mierzejewski
wrote:
> On Tuesday, 18 July 2017 at 13:39, Mathieu Bridon wrote:
> > On Tue, 2017-07-18 at 13:23 +0200, Dominik 'Rathann' Mierzejewski
> > wrote:
> > > By the way, I can't figure out how to look inside a Flatpak and
> > > review its contents. Could someone provide some pointers?
> > 
> > On the repo all you have is an object store (much like Git's
> > .git/objects/ folder), but if you install the app you will also get
> > a checkout:
> > 
> >   $ ls ~/.local/share/flatpak/app/org.gnome.Calendar/current/active/files/
> >   bin  lib  manifest.json  share
> > 
> > (that's because I installed the app with --user, if you install it
> > system-wide then it's under /var/lib/flatpak/app/...)
> > 
> > The manifest.json file is a recipe for how the app was built (like
> > a spec file), which helps reproducing builds.
> > 
> > The contents of that files/ directory are what gets mounted as
> > /app/ in the sandbox.
> 
> In other words, it's not possible to inspect a binary flatpak without
> installing it. With RPMs, I can check what files will land on my
> system and where, and also see what the scriptlets do. I can also
> extract and inspect individual files. Am I missing something and
> worrying unnecessarily that I can't do the same with flatpaks?

Well, the nice thing is that:
 - There are no scriptlets with Flatpaks - no arbitrary code execution
at install time.
 - There is no ability for Flatpaks to drop arbitrary files at
arbitrary locations on your system.

The idea is that you don't *have* to inspect a flatpak before
installation to make sure that it's not dangerous.

That being said, we definitely should have well documented, easy to use
tooling, for downloading, copying, and manipulating Flatpaks without
installing them. You can get it done, but you need to know quite a bit
about ostree.

The 'skopeo' tool from Project Atomic may be the right place for that
type of manipulation - it already has a lot of the right pieces.

Owen
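
Added example, not part of the original messages or of Flatpak's own tooling: a Python review of the installed checkout layout described in the thread (the files/ directory with bin, lib, share and manifest.json), listing what the app ships and what its build recipe declares. The manifest keys `finish-args`, `modules`, `sources`, `url`, `sha256` and `commit` are assumed to follow the flatpak-builder manifest format, which the thread does not spell out; `org.example.Demo`, the example.org URLs and the sample tree are constructed.

```python
import json
import os
import tempfile

def review_checkout(files_dir):
    """Summarise a Flatpak checkout: the files/ directory mounted as /app."""
    report = {"files": [], "executables": [], "finish_args": [], "unpinned": []}
    for dirpath, _dirs, names in os.walk(files_dir):  # does not follow symlinks
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, files_dir)
            report["files"].append(rel)
            if not os.path.islink(full) and os.stat(full).st_mode & 0o111:
                report["executables"].append(rel)
    manifest = os.path.join(files_dir, "manifest.json")
    if os.path.isfile(manifest):
        with open(manifest) as fh:
            recipe = json.load(fh)
        # finish-args (assumed key): the sandbox permissions the build declares
        report["finish_args"] = recipe.get("finish-args", [])
        for module in recipe.get("modules", []):
            if not isinstance(module, dict):
                continue  # a module entry may be a path to an included file
            for src in module.get("sources", []):
                pinned = isinstance(src, dict) and (src.get("sha256") or src.get("commit"))
                if isinstance(src, dict) and "url" in src and not pinned:
                    report["unpinned"].append((module.get("name"), src["url"]))
    report["files"].sort()
    report["executables"].sort()
    return report

def build_sample_checkout(root):
    """Constructed sample tree mirroring the layout shown in the thread."""
    archive = {"type": "archive", "url": "https://example.org/demo-1.0.tar.xz", "sha256": "0" * 64}
    recipe = {"app-id": "org.example.Demo",
              "finish-args": ["--share=network", "--filesystem=home"],
              "modules": [{"name": "demo", "sources": [archive]},
                          {"name": "plugin", "sources": [{"type": "git", "url": "https://example.org/plugin.git"}]}]}
    tree = [("bin/demo", 0o755, "#!/bin/sh\n"), ("share/demo/README", 0o644, "docs\n"),
            ("manifest.json", 0o644, json.dumps(recipe))]
    for rel, mode, body in tree:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(review_checkout(build_sample_checkout(tmp)), indent=2))
```

To review a real app, pass the checkout path from the thread (for example the `current/active/files/` directory of an installed app) to `review_checkout`.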