On Tuesday, 18 July 2017 at 17:15, Owen Taylor wrote:
> On Tue, 2017-07-18 at 15:25 +0200, Dominik 'Rathann' Mierzejewski
> wrote:
> > On Tuesday, 18 July 2017 at 13:39, Mathieu Bridon wrote:
> > > On Tue, 2017-07-18 at 13:23 +0200, Dominik 'Rathann' Mierzejewski
> > > wrote:
> > > > By the way, I can't figure out how to look inside a Flatpak and
> > > > review its contents. Could someone provide some pointers?
> > >
> > > On the repo all you have is an object store (much like Git's
> > > .git/objects/ folder), but if you install the app you will also
> > > get a checkout:
> > >
> > > $ ls ~/.local/share/flatpak/app/org.gnome.Calendar/current/active/files/
> > > bin lib manifest.json share
> > >
> > > (that's because I installed the app with --user, if you install it
> > > system-wide then it's under /var/lib/flatpak/app/...)
> > >
> > > The manifest.json file is a recipe for how the app was built (like
> > > a spec file), which helps reproducing builds.
> > >
> > > The contents of that files/ directory are what gets mounted as
> > > /app/ in the sandbox.
> >
> > In other words, it's not possible to inspect a binary flatpak without
> > installing it. With RPMs, I can check what files will land on my
> > system and where, and also see what the scriptlets do. I can also
> > extract and inspect individual files. Am I missing something and
> > worrying unnecessarily that I can't do the same with flatpaks?
>
> Well, the nice thing is that:
> - There are no scriptlets with Flatpaks - no arbitrary code execution
>   at install time.
> - There is no ability for Flatpaks to drop arbitrary files at
>   arbitrary locations on your system.

That is good to know, assuming there are no bugs that can be exploited
by an evil flatpak creator to do just that. ;) At least with RPM, we
*know* it's possible by design. The files themselves are still
arbitrary, even if the locations aren't. How do I know where their
files will land?

> The idea is that you don't *have* to inspect a flatpak before
> installation to make sure that it's not dangerous.

I don't *have* to inspect an RPM (coming from Fedora), either, but
I sure like having that ability.

> That being said, we definitely should have well documented, easy to use
> tooling, for downloading, copying, and manipulating Flatpaks without
> installing them. You can get it done, but you need to know quite a bit
> about ostree.
>
> The 'skopeo' tool from Project Atomic may be the right place for that
> type of manipulation - it already has a lot of the right pieces.

Another thing: RPM has the ability to run queries (-qp) against remote
package files exactly the same as for local ones. I don't see an option
to do the same with flatpak without adding a remote repo and installing
it first:

$ flatpak info "https://git.gnome.org/browse/gnome-apps-nightly/plain/gnome-weather.flatpakref?h=stable"
error: Invalid id https:: Name can't contain :
$ flatpak --user remote-add gnome https://sdk.gnome.org/gnome.flatpakrepo
$ flatpak --user remote-add gnome-apps https://sdk.gnome.org/gnome-apps.flatpakrepo
$ flatpak info org.gnome.Weather
error: org.gnome.Weather master not installed
$ flatpak remotes
Name       Options
gnome      user
gnome-apps user
$ flatpak remote-ls gnome-apps
error: Remote "gnome-apps" not found

Now that's confusing. It shows me configured remotes, but then says
they're not found. Shall I file a bug?

Even after installation, I don't get a file manifest:

$ flatpak -o -s -m -e -v info org.gnome.Weather
XA: No installations directory in /etc/flatpak/installations.d. Skipping
gnome-apps 10.5 MB
[Application]
name=org.gnome.Weather
runtime=org.gnome.Platform/x86_64/3.24
sdk=org.gnome.Sdk/x86_64/3.24
command=/app/share/org.gnome.Weather/org.gnome.Weather.Application

[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=xdg-run/dconf;~/.config/dconf:ro;

[Session Bus Policy]
ca.desrt.dconf=talk

[System Bus Policy]
org.freedesktop.GeoClue2=talk

[Environment]
DCONF_USER_CONFIG_DIR=.config/dconf

[Extension org.gnome.Weather.Locale]
directory=share/runtime/locale
autodelete=true

[Extension org.gnome.Weather.Debug]
directory=lib/debug
autodelete=true
no-autodownload=true

Extension: runtime/org.gnome.Weather.Locale/x86_64/stable
ID: org.gnome.Weather.Locale
Origin: gnome-apps
Commit: 4e39959a470f1e8a77f22bd57e91fc268a09f3fc7b894c3c50dfa8f28c618585
Installed size: <512 bytes
Subpaths: /en

Another thing that surprised me: libgnomedesktop doesn't seem to be
part of org.gnome.Platform runtime and is bundled with the application
instead:

$ ls -l .local/share/flatpak/app/org.gnome.Weather/x86_64/stable/cd5dad9f9fa301cfc8ee6cdd42985294461a2b50f79ff5ea0f142ae88f571196/files/lib/libgnome-desktop-3.so.12.2.0
-rwxr-xr-x. 2 rathann rathann 232984 Jan 1 1970 .local/share/flatpak/app/org.gnome.Weather/x86_64/stable/cd5dad9f9fa301cfc8ee6cdd42985294461a2b50f79ff5ea0f142ae88f571196/files/lib/libgnome-desktop-3.so.12.2.0
$ ls -l .local/share/flatpak/runtime/org.gnome.Platform/x86_64/3.24/917abdce38d8852606b5ad7311052cdbd083b223f8c39d8567880b23af3c3e52/files/lib/libgnome*
ls: cannot access '.local/share/flatpak/runtime/org.gnome.Platform/x86_64/3.24/917abdce38d8852606b5ad7311052cdbd083b223f8c39d8567880b23af3c3e52/files/lib/libgnome*': No such file or directory

(What's wrong with the file timestamp, by the way?)

And...
another:

$ flatpak list
Ref                             Options
org.gnome.Weather/x86_64/stable user,current
org.gnome.Platform/x86_64/3.24  user,runtime
$ flatpak uninstall org.gnome.Platform/x86_64/3.24
error: org.gnome.Platform 3.24 not installed

(Again, huh?)

$ flatpak --user uninstall org.gnome.Platform/x86_64/3.24
Uninstalling org.gnome.Platform/x86_64/3.24
Uninstalling org.gnome.Platform.Locale/x86_64/3.24

WTF? Dependencies, anyone?

And yes, I'll go and file bugs, but these are basic things and I can't
imagine why they weren't noticed and fixed before. Flatpak has been
available in Fedora for over a year now. If it wants to be a serious
contender as an application distribution mechanism, it has to do much
better than that.

Regards,
Dominik
-- 
Fedora http://fedoraproject.org/wiki/User:Rathann
RPMFusion http://rpmfusion.org
"Faith manages."
        -- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"
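
The metadata that `flatpak info -m` prints in the message above is a keyfile, so the sandbox permissions an app requests can be listed mechanically for review. This is an added example, not part of the original thread and not Flatpak's own code: it parses an excerpt of that metadata and returns the entries a reviewer would look at; the `review` and `items` helpers and the notes they attach are assumptions made for illustration.

```python
import configparser

# Metadata copied from the `flatpak info -m` output in the message above
# ([Application] trimmed to one key, extension sections omitted).
METADATA = """\
[Application]
name=org.gnome.Weather
[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=xdg-run/dconf;~/.config/dconf:ro;
[Session Bus Policy]
ca.desrt.dconf=talk
[System Bus Policy]
org.freedesktop.GeoClue2=talk
"""

def items(section, key):
    """Split a ';'-separated keyfile list, dropping the empty tail."""
    return [v for v in section.get(key, "").split(";") if v]

def review(text):
    """Return (category, item, note) tuples for a reviewer (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # bus names are case-sensitive
    cp.read_string(text)
    ctx = cp["Context"] if cp.has_section("Context") else {}
    found = []
    if "network" in items(ctx, "shared"):
        found.append(("shared", "network", "shares the host network"))
    if "x11" in items(ctx, "sockets"):
        found.append(("sockets", "x11", "X11 does not isolate clients from each other"))
    for entry in items(ctx, "filesystems"):
        path, _, mode = entry.partition(":")  # no suffix means read-write
        access = "read-only" if mode == "ro" else "read-write"
        found.append(("filesystems", path, access + " host path"))
    for section in ("Session Bus Policy", "System Bus Policy"):
        if cp.has_section(section):
            for name, policy in cp[section].items():
                found.append((section, name, policy))
    return found

if __name__ == "__main__":
    for category, item, note in review(METADATA):
        print(f"{category:20} {item:26} {note}")
```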