
Flatpak distribution? #175

Open
srenatus opened this issue Dec 22, 2017 · 4 comments

Comments

@srenatus

Hello 😃

With more and more distributions picking up Flatpak, I was wondering if this wouldn't be cool for tarsnap-gui, too. (I certainly am missing backup utility options on Flathub, and I'd love to have tarsnap-gui available.)

What do you think? (Anybody working on this already?)

Thanks
Stephan

@gperciva
Member

The real question is whether tarsnap can be (safely) packaged with flatpak. At first glance, this looks possible -- it seems that flatpak doesn't suffer the flaws that snapcraft does (Tarsnap/tarsnap#284). But it's always possible that we'll discover a snag later.

I'll take another look in January.

@LinAGKar

LinAGKar commented Nov 9, 2021

Sorry if it sounds naggy, but which January?

@gperciva
Member

gperciva commented Nov 9, 2021

Right, this slipped off my radar.

I took a quick glance at flatpak.

  • it's faced some criticism [1] (with a rebuttal [2]), with mixed reactions from hacker news [3][4].

    That said, most of the issues in the hacker news discussions aren't relevant to tarsnap.

  • A few points in the rebuttal seemed questionable, such as

    Given that all Flatpak packages are available and able to be edited by anyone, [2]

    which would not be ideal for a secure backup tool like tarsnap. (Disclaimer: I haven't quite grasped what the author meant by that; the sentence contains a link to a github repository, so perhaps they meant that anybody could submit a PR. Maybe it's possible to "lock" a repository so that only we could approve PRs to org.Tarsnap.tarsnap? I'll need to look into this more.)

  • we're not going to distribute our own libraries (see Add the packaging metadata to build the tarsnap snap tarsnap#284), so everything would have to be in the runtime.

    I see that the freedesktop runtime includes libssl (note to self: I need to check how quickly they update the runtime after an openssl bug is discovered, such as CVE-2021-3711). I saw in their gitlab repository that a few months ago, libssl was moved from "base" to "components" (note to self: check what that means).

[1] https://www.flatkill.org/2020/
[2] https://theevilskeleton.gitlab.io/2021/02/11/response-to-flatkill-org.html
[3] https://news.ycombinator.com/item?id=24661126
[4] https://news.ycombinator.com/item?id=26528404

Basically, it comes down to:

  • can we ensure that if somebody installs a Tarsnap flatpak, they're getting the right thing? (i.e. no hostile third-party code)
  • does the runtime have all of the libraries we need?
  • does the flatpak infrastructure (including community) patch security flaws in those libraries quickly?

I'll continue looking into these questions on another day.

@LinAGKar

    (Disclaimer: I haven't quite grasped what the author meant by that; the sentence contains a link to a github repository, so perhaps they meant that anybody could submit a PR. Maybe it's possible to "lock" a repository so that only we could approve PRs to org.Tarsnap.tarsnap

Not sure what they mean either. Based on https://github.com/flathub/flathub/wiki/App-Submission#how-to-submit-an-app it seems like only whoever submitted the app will have write access to it (and presumably the flathub admins), but anyone can make PR. And anyone can submit an app, but it requires approval from the flathub admins.

    can we ensure that if somebody installs a Tarsnap flatpak, they're getting the right thing? (i.e. no hostile third-party code)

Flathub would be ideal, since people will likely have that already, but there is also the option of hosting your own flatpak repo (unlike with snappy).
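The three questions raised above (is the build input fixed, do all libraries come from the runtime rather than the manifest, and is the sandbox no wider than a backup client needs) can be turned into a review script run over a flatpak-builder manifest before it is submitted anywhere. The following is an added example, not code from this issue thread or from the tarsnap or Flatpak projects. The manifest keys it reads (app-id, runtime, runtime-version, finish-args, modules, sources with type/url/sha256/commit) are flatpak-builder's own; the app id org.Tarsnap.tarsnap is the one mentioned in the thread, while both sample manifests, the URLs, the checksum, the runtime version and the two lists of library names and permissions are constructed for illustration.

```python
"""Review checks for a flatpak-builder manifest (added example, constructed input).

Encodes the questions from the thread above as checks:
  1. provenance: every archive/file source carries a checksum and every git source
     a commit, so the build cannot silently pull different code;
  2. runtime-only libraries: no module builds openssl or another library the
     project said it will not ship itself;
  3. pinned runtime branch and least-privilege finish-args.
"""
import json

# Libraries that must come from the runtime, never from the manifest (constructed list).
RUNTIME_ONLY_LIBS = ("openssl", "libssl", "zlib", "bzip2", "xz")

# Sandbox permissions far broader than a backup client needs (constructed list).
BROAD_FINISH_ARGS = ("--filesystem=host", "--filesystem=home", "--device=all",
                     "--socket=system-bus", "--talk-name=org.freedesktop.Flatpak")


def check_source_pins(manifest):
    """Question 1: archive/file sources need sha256 or sha512; git sources need a
    commit, because tags and branches can be moved after review."""
    findings = []
    for module in manifest.get("modules", []):
        name = module.get("name", "<unnamed>")
        for src in module.get("sources", []):
            kind = src.get("type")
            if kind in ("archive", "file") and not (src.get("sha256") or src.get("sha512")):
                findings.append(f"{name}: {kind} source {src.get('url', '?')} has no checksum pin")
            elif kind == "git" and not src.get("commit"):
                findings.append(f"{name}: git source is not pinned to a commit")
    return findings


def check_runtime_only_libs(manifest):
    """Question 2: a module whose name is a system library means the manifest is
    bundling code that should be patched by the runtime maintainers instead."""
    return [f"{m.get('name', '<unnamed>')}: builds a library that should come from the runtime"
            for m in manifest.get("modules", [])
            if any(lib in m.get("name", "").lower() for lib in RUNTIME_ONLY_LIBS)]


def check_runtime_pin(manifest):
    """A pinned runtime branch (e.g. a freedesktop release) still receives security
    updates within that branch; a floating value makes the libssl you run against
    an unreviewed moving target."""
    version = str(manifest.get("runtime-version", ""))
    if not version or version in ("master", "stable"):
        return ["runtime-version missing or floating; pin a specific runtime branch"]
    return []


def check_finish_args(manifest):
    """Least privilege: flag sandbox permissions wider than the app's job requires."""
    return [f"finish-args: {arg} grants more than a backup client needs"
            for arg in manifest.get("finish-args", []) if arg in BROAD_FINISH_ARGS]


def review(manifest):
    """Run every check and return the combined list of findings (empty means clean)."""
    findings = []
    for check in (check_source_pins, check_runtime_only_libs, check_runtime_pin, check_finish_args):
        findings.extend(check(manifest))
    return findings


# Constructed manifest that trips every check; URLs are placeholders, not real releases.
WEAK_MANIFEST = json.loads("""
{
  "app-id": "org.Tarsnap.tarsnap",
  "runtime": "org.freedesktop.Platform",
  "runtime-version": "master",
  "sdk": "org.freedesktop.Sdk",
  "command": "tarsnap-gui",
  "finish-args": ["--share=network", "--filesystem=host"],
  "modules": [
    {"name": "openssl", "sources": [{"type": "archive", "url": "https://example.invalid/openssl.tar.gz"}]},
    {"name": "tarsnap", "sources": [{"type": "git", "url": "https://example.invalid/tarsnap.git", "branch": "master"}]}
  ]
}
""")

# The same manifest with the problems fixed; the sha256 is a constructed placeholder.
HARDENED_MANIFEST = json.loads("""
{
  "app-id": "org.Tarsnap.tarsnap",
  "runtime": "org.freedesktop.Platform",
  "runtime-version": "21.08",
  "sdk": "org.freedesktop.Sdk",
  "command": "tarsnap-gui",
  "finish-args": ["--share=network", "--filesystem=xdg-documents:ro"],
  "modules": [
    {"name": "tarsnap", "sources": [{"type": "archive",
      "url": "https://example.invalid/tarsnap-VERSION.tgz",
      "sha256": "0000000000000000000000000000000000000000000000000000000000000000"}]}
  ]
}
""")

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"{label}: {len(review(manifest))} finding(s)")
        for finding in review(manifest):
            print("  -", finding)
```

The script only answers what can be read from the manifest; the remaining question in the thread, how quickly the freedesktop runtime picks up an OpenSSL fix, has to be answered by watching the runtime's own release history, not by static checks on the app manifest.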
