FlatPak as a Software Source / flathub as a source of software

Patrick · November 20, 2021, 11:01am

Now documented:
Flatpak Sandbox Security

nurmagoz · December 9, 2021, 9:37am

https://ludocode.com/blog/flatpak-is-not-the-future

“install KCalc from Flathub. You’re looking at a nearly 900 MB download to get your first runtime. For a calculator. Note that the app package itself is only 4.4 MB. The rest is all redundant libraries that are already on my system.”

not just the package size issue, the issue of package upgrade which will almost always will download about 500+ MB

HulaHoop · December 14, 2021, 8:46pm

You have it wrong, Flatpak shares runtimes between apps meaning it de-duplicates libraries and saves space in the process compared to Ubuntu snap. Sure it may initially grab a large number of libs to bootstrap the environment, but afterwards it doesn;t increase much with every new app downloaded.

https://blogs.gnome.org/wjjt/2021/11/24/on-flatpak-disk-usage-and-deduplication/

nurmagoz · January 3, 2022, 10:26am

But these libraries gonna be upgraded and also these upgrades gonna be 500 to 1 GB+ space (i have already posted the complains about that in reddit link)

And according to the link you have posted he said:

If Kcalc is the only Flatpak you have installed, sure, not great, but that’s an artificial degenerate case. If you have most of your apps installed with Flatpak, the numbers are very different.

mean either go full dependent on flatpak or not.

practical test: (qubes-debian new standalone or template need to have their storage increased as default cannot handle these sizes)

user@host:~$ flatpak --user install flathub
Looking for matches…
Found similar ref(s) for ‘flathub’ in remote ‘flathub’ (user).
Use this remote? [Y/n]: y
Found ref ‘app/org.flathub.flatpak-external-data-checker/x86_64/stable’ in remote ‘flathub’ (user).
Use this ref? [Y/n]: y
Required runtime for org.flathub.flatpak-external-data-checker/x86_64/stable (runtime/org.freedesktop.Sdk/x86_64/21.08) found in remote flathub
Do you want to install it? [Y/n]: y
        ID                                                    Branch      Op      Remote       Download
 1. [ ] org.flathub.flatpak_external_data_checker.Locale      stable      i       flathub         4.6 kB / 1.7 MB
 2. [ ] org.freedesktop.Platform.GL.default                   21.08       i       flathub       130.9 MB / 131.2 MB
 3. [ ] org.freedesktop.Platform.openh264                     2.0         i       flathub         1.5 MB / 1.5 MB
 4. [ ] org.freedesktop.Sdk.Locale                            21.08       i       flathub        17.7 kB / 330.6 MB
 5. [✗] org.freedesktop.Sdk                                   21.08       i       flathub       340.1 MB / 471.7 MB
 6. [ ] org.flathub.flatpak-external-data-checker             stable      i       flathub      < 11.2 MB

~ 1GB

user@host:~$ flatpak --user install chromium
Looking for matches…
Found similar ref(s) for ‘chromium’ in remote ‘flathub’ (user).
Use this remote? [Y/n]: y
Similar refs found for ‘chromium’ in remote ‘flathub’ (user):

   1) app/net.sourceforge.chromium-bsu/x86_64/stable
   2) runtime/com.github.Eloston.UngoogledChromium.Codecs/x86_64/stable
   3) runtime/org.chromium.Chromium.Codecs/x86_64/stable
   4) app/org.chromium.Chromium/x86_64/stable
   5) app/com.github.Eloston.UngoogledChromium/x86_64/stable

Which do you want to use (0 to abort)? [0-5]: 4
Required runtime for org.chromium.Chromium/x86_64/stable (runtime/org.freedesktop.Platform/x86_64/21.08) found in remote flathub
Do you want to install it? [Y/n]: y

org.chromium.Chromium permissions:
    ipc                       network                     cups                            pulseaudio
    wayland                   x11                         devices                         file access [1]
    dbus access [2]           bus ownership [3]           system dbus access [4]

    [1] /run/.heim_org.h5l.kcm-socket, home
    [2] com.canonical.AppMenu.Registrar, org.freedesktop.FileManager1, org.freedesktop.Notifications,
        org.freedesktop.secrets, org.gnome.SessionManager, org.kde.kwalletd5
    [3] org.mpris.MediaPlayer2.chromium.*
    [4] org.freedesktop.Avahi, org.freedesktop.UPower


        ID                                        Branch          Op          Remote           Download
 1.     org.chromium.Chromium.Codecs              stable          i           flathub            < 1.1 MB
 2.     org.chromium.Chromium.Locale              stable          i           flathub          < 112.8 kB (partial)
 3.     org.freedesktop.Platform.Locale           21.08           i           flathub          < 325.7 MB (partial)
 4.     org.freedesktop.Platform                  21.08           i           flathub          < 199.6 MB
 5.     org.chromium.Chromium                     stable          i           flathub          < 117.9 MB

Proceed with these changes to the user installation? [Y/n]:

704 MB

user@host:~$ flatpak --user install kcalc
Looking for matches…
Found similar ref(s) for ‘kcalc’ in remote ‘flathub’ (user).
Use this remote? [Y/n]: y
Found ref ‘app/org.kde.kcalc/x86_64/stable’ in remote ‘flathub’ (user).
Use this ref? [Y/n]: y
Required runtime for org.kde.kcalc/x86_64/stable (runtime/org.kde.Platform/x86_64/5.15-21.08) found in remote flathub
Do you want to install it? [Y/n]: y

org.kde.kcalc permissions:
    ipc      wayland      x11      dri     file access [1]     dbus access [2]

    [1] xdg-config/kdeglobals:ro
    [2] com.canonical.AppMenu.Registrar


        ID                                Branch               Op          Remote           Download
 1. [✓] org.kde.KStyle.Adwaita            5.15-21.08           i           flathub            6.7 MB / 6.7 MB
 2. [✓] org.kde.Platform.Locale           5.15-21.08           i           flathub           17.8 kB / 344.2 MB
 3. [✓] org.kde.Platform                  5.15-21.08           i           flathub          169.5 MB / 304.4 MB
 4. [✓] org.kde.kcalc.Locale              stable               i           flathub            5.6 kB / 427.1 kB
 5. [✓] org.kde.kcalc                     stable               i           flathub            4.2 MB / 4.4 MB

Installation complete.

650MB

Each of these numbers are similar to downloading fully debian CD version.

comparing this to native installation from debian repo:

user@host:~$ sudo apt install chromium kcalc 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  chromium-common chromium-sandbox cups-pk-helper fonts-liberation gir1.2-atk-1.0 gir1.2-freedesktop
  gir1.2-gdkpixbuf-2.0 gir1.2-gtk-3.0 gir1.2-harfbuzz-0.0 gir1.2-notify-0.7 gir1.2-packagekitglib-1.0
  gir1.2-pango-1.0 gir1.2-polkit-1.0 gir1.2-secret-1 kwayland-data kwayland-integration liba52-0.7.4 libaa1
  libaacs0 libappstream4 libaribb24-0 libass9 libatomic1 libavc1394-0 libavformat58 libbdplus0 libbluray2 libcaca0
  libcddb2 libchromaprint1 libcurl3-gnutls libdbusmenu-qt5-2 libdc1394-25 libdca0 libdouble-conversion3 libdvbpsi10
  libdvdnav4 libdvdread8 libdw1 libebml5 libevdev2 libfaad2 libfam0 libgles2 libgme0 libgpm2 libgstreamer1.0-0
  libimobiledevice6 libinput-bin libinput10 libixml10 libjansson4 libjsoncpp24 libkate1 libkf5archive5
  libkf5attica5 libkf5auth-data libkf5authcore5 libkf5codecs-data libkf5codecs5 libkf5config-bin libkf5config-data
  libkf5configcore5 libkf5configgui5 libkf5configwidgets-data libkf5configwidgets5 libkf5coreaddons-data
  libkf5coreaddons5 libkf5crash5 libkf5dbusaddons-bin libkf5dbusaddons-data libkf5dbusaddons5 libkf5globalaccel-bin
  libkf5globalaccel-data libkf5globalaccel5 libkf5globalaccelprivate5 libkf5guiaddons5 libkf5i18n-data libkf5i18n5
  libkf5iconthemes-bin libkf5iconthemes-data libkf5iconthemes5 libkf5idletime5 libkf5itemviews-data
  libkf5itemviews5 libkf5notifications-data libkf5notifications5 libkf5waylandclient5 libkf5widgetsaddons-data
  libkf5widgetsaddons5 libkf5windowsystem-data libkf5windowsystem5 libkf5xmlgui-bin libkf5xmlgui-data libkf5xmlgui5
  libldb2 liblirc-client0 liblmdb0 liblua5.2-0 libmad0 libmatroska7 libmd4c0 libminizip1 libmpcdec6 libmpeg2-4
  libmpg123-0 libmtdev1 libmtp-common libmtp-runtime libmtp9 libmysofa1 libnfs13 libnghttp2-14 libnorm1 libnspr4
  libnss3 libopenmpt-modplug1 libopenmpt0 libpackagekit-glib2-18 libpangoxft-1.0-0 libpcre2-16-0 libpgm-5.3-0
  libphonon4qt5-4 libphonon4qt5-data libplacebo72 libplist3 libpolkit-qt5-1-1 libpostproc55 libprotobuf-lite23
  libproxy-tools libpulse-mainloop-glib0 libpython3.9 libqt5core5a libqt5dbus5 libqt5gui5 libqt5network5
  libqt5printsupport5 libqt5qml5 libqt5qmlmodels5 libqt5quick5 libqt5svg5 libqt5texttospeech5 libqt5waylandclient5
  libqt5waylandcompositor5 libqt5widgets5 libqt5x11extras5 libqt5xml5 librabbitmq4 libraw1394-11 libre2-9
  libresid-builder0c2a librtmp1 libsdl-image1.2 libsdl1.2debian libsecret-1-0 libsecret-common libshout3
  libsidplay2 libsmbclient libsndio7.0 libsodium23 libspatialaudio0 libspeechd2 libsrt1.4-gnutls libssh-gcrypt-4
  libssh2-1 libswscale5 libtag1v5 libtag1v5-vanilla libtalloc2 libtevent0 libu2f-udev libudfread0 libupnp13
  libupower-glib3 libusb-1.0-0 libusbmuxd6 libva-wayland2 libvlc-bin libvlc5 libvlccore9 libvorbisfile3
  libwacom-bin libwacom-common libwacom2 libwbclient0 libxcb-icccm4 libxcb-image0 libxcb-keysyms1
  libxcb-render-util0 libxcb-res0 libxcb-shape0 libxcb-xinerama0 libxcb-xinput0 libxcb-xkb1 libxcb-xv0
  libxkbcommon-x11-0 libxslt1.1 libxss1 libxv1 libxxf86dga1 libzmq5 notification-daemon packagekit packagekit-tools
  phonon4qt5 phonon4qt5-backend-vlc python3-cairo python3-certifi python3-chardet python3-cups python3-cupshelpers
  python3-idna python3-ldb python3-requests python3-smbc python3-talloc python3-urllib3 qt5-gtk-platformtheme
  qtspeech5-speechd-plugin qttranslations5-l10n qtwayland5 samba-libs system-config-printer
  system-config-printer-common system-config-printer-udev upower usbmuxd vlc-data vlc-plugin-base
  vlc-plugin-video-output x11-utils
Suggested packages:
  chromium-l10n chromium-shell chromium-driver libbluray-bdj libdvdcss2 fam gpm gstreamer1.0-tools libusbmuxd-tools
  lirc qt5-image-formats-plugins qt5-qmltooling-plugins libraw1394-doc sndiod appstream
  phonon4qt5-backend-gstreamer python3-cryptography python3-openssl python3-socks python-requests-doc
  gnome-software mesa-utils
The following NEW packages will be installed:
  chromium chromium-common chromium-sandbox cups-pk-helper fonts-liberation gir1.2-atk-1.0 gir1.2-freedesktop
  gir1.2-gdkpixbuf-2.0 gir1.2-gtk-3.0 gir1.2-harfbuzz-0.0 gir1.2-notify-0.7 gir1.2-packagekitglib-1.0
  gir1.2-pango-1.0 gir1.2-polkit-1.0 gir1.2-secret-1 kcalc kwayland-data kwayland-integration liba52-0.7.4 libaa1
  libaacs0 libappstream4 libaribb24-0 libass9 libatomic1 libavc1394-0 libavformat58 libbdplus0 libbluray2 libcaca0
  libcddb2 libchromaprint1 libcurl3-gnutls libdbusmenu-qt5-2 libdc1394-25 libdca0 libdouble-conversion3 libdvbpsi10
  libdvdnav4 libdvdread8 libdw1 libebml5 libevdev2 libfaad2 libfam0 libgles2 libgme0 libgpm2 libgstreamer1.0-0
  libimobiledevice6 libinput-bin libinput10 libixml10 libjansson4 libjsoncpp24 libkate1 libkf5archive5
  libkf5attica5 libkf5auth-data libkf5authcore5 libkf5codecs-data libkf5codecs5 libkf5config-bin libkf5config-data
  libkf5configcore5 libkf5configgui5 libkf5configwidgets-data libkf5configwidgets5 libkf5coreaddons-data
  libkf5coreaddons5 libkf5crash5 libkf5dbusaddons-bin libkf5dbusaddons-data libkf5dbusaddons5 libkf5globalaccel-bin
  libkf5globalaccel-data libkf5globalaccel5 libkf5globalaccelprivate5 libkf5guiaddons5 libkf5i18n-data libkf5i18n5
  libkf5iconthemes-bin libkf5iconthemes-data libkf5iconthemes5 libkf5idletime5 libkf5itemviews-data
  libkf5itemviews5 libkf5notifications-data libkf5notifications5 libkf5waylandclient5 libkf5widgetsaddons-data
  libkf5widgetsaddons5 libkf5windowsystem-data libkf5windowsystem5 libkf5xmlgui-bin libkf5xmlgui-data libkf5xmlgui5
  libldb2 liblirc-client0 liblmdb0 liblua5.2-0 libmad0 libmatroska7 libmd4c0 libminizip1 libmpcdec6 libmpeg2-4
  libmpg123-0 libmtdev1 libmtp-common libmtp-runtime libmtp9 libmysofa1 libnfs13 libnghttp2-14 libnorm1 libnspr4
  libnss3 libopenmpt-modplug1 libopenmpt0 libpackagekit-glib2-18 libpangoxft-1.0-0 libpcre2-16-0 libpgm-5.3-0
  libphonon4qt5-4 libphonon4qt5-data libplacebo72 libplist3 libpolkit-qt5-1-1 libpostproc55 libprotobuf-lite23
  libproxy-tools libpulse-mainloop-glib0 libpython3.9 libqt5core5a libqt5dbus5 libqt5gui5 libqt5network5
  libqt5printsupport5 libqt5qml5 libqt5qmlmodels5 libqt5quick5 libqt5svg5 libqt5texttospeech5 libqt5waylandclient5
  libqt5waylandcompositor5 libqt5widgets5 libqt5x11extras5 libqt5xml5 librabbitmq4 libraw1394-11 libre2-9
  libresid-builder0c2a librtmp1 libsdl-image1.2 libsdl1.2debian libsecret-1-0 libsecret-common libshout3
  libsidplay2 libsmbclient libsndio7.0 libsodium23 libspatialaudio0 libspeechd2 libsrt1.4-gnutls libssh-gcrypt-4
  libssh2-1 libswscale5 libtag1v5 libtag1v5-vanilla libtalloc2 libtevent0 libu2f-udev libudfread0 libupnp13
  libupower-glib3 libusb-1.0-0 libusbmuxd6 libva-wayland2 libvlc-bin libvlc5 libvlccore9 libvorbisfile3
  libwacom-bin libwacom-common libwacom2 libwbclient0 libxcb-icccm4 libxcb-image0 libxcb-keysyms1
  libxcb-render-util0 libxcb-res0 libxcb-shape0 libxcb-xinerama0 libxcb-xinput0 libxcb-xkb1 libxcb-xv0
  libxkbcommon-x11-0 libxslt1.1 libxss1 libxv1 libxxf86dga1 libzmq5 notification-daemon packagekit packagekit-tools
  phonon4qt5 phonon4qt5-backend-vlc python3-cairo python3-certifi python3-chardet python3-cups python3-cupshelpers
  python3-idna python3-ldb python3-requests python3-smbc python3-talloc python3-urllib3 qt5-gtk-platformtheme
  qtspeech5-speechd-plugin qttranslations5-l10n qtwayland5 samba-libs system-config-printer
  system-config-printer-common system-config-printer-udev upower usbmuxd vlc-data vlc-plugin-base
  vlc-plugin-video-output x11-utils
0 upgraded, 234 newly installed, 0 to remove and 0 not upgraded.
Need to get 117 MB of archives.
After this operation, 430 MB of additional disk space will be used.
Do you want to continue? [Y/n]

combined 430MB

and with --no-install-recommends:

user@host:~$ sudo apt install --no-install-recommends chromium kcalc
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  chromium-common liba52-0.7.4 libaa1 libaribb24-0 libass9 libatomic1 libavc1394-0 libavformat58 libbluray2
  libcaca0 libcddb2 libchromaprint1 libdbusmenu-qt5-2 libdc1394-25 libdca0 libdouble-conversion3 libdvbpsi10
  libdvdnav4 libdvdread8 libebml5 libevdev2 libfaad2 libfam0 libgles2 libgme0 libgpm2 libinput-bin libinput10
  libixml10 libjsoncpp24 libkate1 libkf5archive5 libkf5attica5 libkf5auth-data libkf5authcore5 libkf5codecs-data
  libkf5codecs5 libkf5config-data libkf5configcore5 libkf5configgui5 libkf5configwidgets-data libkf5configwidgets5
  libkf5coreaddons-data libkf5coreaddons5 libkf5crash5 libkf5dbusaddons-data libkf5dbusaddons5
  libkf5globalaccel-bin libkf5globalaccel-data libkf5globalaccel5 libkf5globalaccelprivate5 libkf5guiaddons5
  libkf5i18n-data libkf5i18n5 libkf5iconthemes-data libkf5iconthemes5 libkf5itemviews-data libkf5itemviews5
  libkf5notifications-data libkf5notifications5 libkf5widgetsaddons-data libkf5widgetsaddons5
  libkf5windowsystem-data libkf5windowsystem5 libkf5xmlgui-data libkf5xmlgui5 liblirc-client0 liblua5.2-0 libmad0
  libmatroska7 libmd4c0 libminizip1 libmpcdec6 libmpeg2-4 libmpg123-0 libmtdev1 libmtp-common libmtp9 libmysofa1
  libnfs13 libnorm1 libnspr4 libnss3 libopenmpt-modplug1 libopenmpt0 libpcre2-16-0 libpgm-5.3-0 libphonon4qt5-4
  libphonon4qt5-data libplacebo72 libpolkit-qt5-1-1 libpostproc55 libprotobuf-lite23 libpulse-mainloop-glib0
  libqt5core5a libqt5dbus5 libqt5gui5 libqt5network5 libqt5printsupport5 libqt5qml5 libqt5svg5 libqt5texttospeech5
  libqt5waylandclient5 libqt5widgets5 libqt5x11extras5 libqt5xml5 librabbitmq4 libraw1394-11 libre2-9
  libresid-builder0c2a libsdl-image1.2 libsdl1.2debian libsecret-1-0 libsecret-common libshout3 libsidplay2
  libsndio7.0 libsodium23 libspatialaudio0 libsrt1.4-gnutls libssh-gcrypt-4 libssh2-1 libswscale5 libtag1v5
  libtag1v5-vanilla libudfread0 libupnp13 libusb-1.0-0 libva-wayland2 libvlc5 libvlccore9 libvorbisfile3
  libwacom-common libwacom2 libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-render-util0 libxcb-res0
  libxcb-shape0 libxcb-xinerama0 libxcb-xinput0 libxcb-xkb1 libxcb-xv0 libxkbcommon-x11-0 libxslt1.1 libxv1
  libxxf86dga1 libzmq5 phonon4qt5 phonon4qt5-backend-vlc vlc-data vlc-plugin-base vlc-plugin-video-output x11-utils
Suggested packages:
  chromium-l10n chromium-shell chromium-driver libbluray-bdj libdvdcss2 fam gpm lirc qt5-image-formats-plugins
  qtwayland5 qt5-qmltooling-plugins libraw1394-doc sndiod phonon4qt5-backend-gstreamer mesa-utils
Recommended packages:
  chromium-sandbox upower libu2f-udev fonts-liberation notification-daemon system-config-printer libaacs0
  libkf5config-bin libkf5dbusaddons-bin libkf5iconthemes-bin kwayland-integration qtwayland5 libkf5xmlgui-bin
  libmtp-runtime qttranslations5-l10n qt5-gtk-platformtheme qtspeech5-speechd-plugin | qtspeech5-flite-plugin
  libvlc-bin libproxy-tools libwacom-bin
The following NEW packages will be installed:
  chromium chromium-common kcalc liba52-0.7.4 libaa1 libaribb24-0 libass9 libatomic1 libavc1394-0 libavformat58
  libbluray2 libcaca0 libcddb2 libchromaprint1 libdbusmenu-qt5-2 libdc1394-25 libdca0 libdouble-conversion3
  libdvbpsi10 libdvdnav4 libdvdread8 libebml5 libevdev2 libfaad2 libfam0 libgles2 libgme0 libgpm2 libinput-bin
  libinput10 libixml10 libjsoncpp24 libkate1 libkf5archive5 libkf5attica5 libkf5auth-data libkf5authcore5
  libkf5codecs-data libkf5codecs5 libkf5config-data libkf5configcore5 libkf5configgui5 libkf5configwidgets-data
  libkf5configwidgets5 libkf5coreaddons-data libkf5coreaddons5 libkf5crash5 libkf5dbusaddons-data libkf5dbusaddons5
  libkf5globalaccel-bin libkf5globalaccel-data libkf5globalaccel5 libkf5globalaccelprivate5 libkf5guiaddons5
  libkf5i18n-data libkf5i18n5 libkf5iconthemes-data libkf5iconthemes5 libkf5itemviews-data libkf5itemviews5
  libkf5notifications-data libkf5notifications5 libkf5widgetsaddons-data libkf5widgetsaddons5
  libkf5windowsystem-data libkf5windowsystem5 libkf5xmlgui-data libkf5xmlgui5 liblirc-client0 liblua5.2-0 libmad0
  libmatroska7 libmd4c0 libminizip1 libmpcdec6 libmpeg2-4 libmpg123-0 libmtdev1 libmtp-common libmtp9 libmysofa1
  libnfs13 libnorm1 libnspr4 libnss3 libopenmpt-modplug1 libopenmpt0 libpcre2-16-0 libpgm-5.3-0 libphonon4qt5-4
  libphonon4qt5-data libplacebo72 libpolkit-qt5-1-1 libpostproc55 libprotobuf-lite23 libpulse-mainloop-glib0
  libqt5core5a libqt5dbus5 libqt5gui5 libqt5network5 libqt5printsupport5 libqt5qml5 libqt5svg5 libqt5texttospeech5
  libqt5waylandclient5 libqt5widgets5 libqt5x11extras5 libqt5xml5 librabbitmq4 libraw1394-11 libre2-9
  libresid-builder0c2a libsdl-image1.2 libsdl1.2debian libsecret-1-0 libsecret-common libshout3 libsidplay2
  libsndio7.0 libsodium23 libspatialaudio0 libsrt1.4-gnutls libssh-gcrypt-4 libssh2-1 libswscale5 libtag1v5
  libtag1v5-vanilla libudfread0 libupnp13 libusb-1.0-0 libva-wayland2 libvlc5 libvlccore9 libvorbisfile3
  libwacom-common libwacom2 libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-render-util0 libxcb-res0
  libxcb-shape0 libxcb-xinerama0 libxcb-xinput0 libxcb-xkb1 libxcb-xv0 libxkbcommon-x11-0 libxslt1.1 libxv1
  libxxf86dga1 libzmq5 phonon4qt5 phonon4qt5-backend-vlc vlc-data vlc-plugin-base vlc-plugin-video-output x11-utils
0 upgraded, 157 newly installed, 0 to remove and 0 not upgraded.
Need to get 95.2 MB of archives.
After this operation, 341 MB of additional disk space will be used.
Do you want to continue? [Y/n]

combined 341MB…

HulaHoop · January 4, 2022, 3:51pm

Don’t these updates replace the current code instead of taking up additional space? Have you tried testing it to see if more space is needed after the initial disk expansion is done?

Patrick · January 8, 2022, 10:36am

github.com/flatpak/flatpak

flatpak breaks application's Whonix detection

opened 12:02PM - 02 Jan 22 UTC

adrelanos

enhancement

### Checklist - [X] I agree to follow the [Code of Conduct](https://github.com/…flatpak/flatpak/blob/master/CODE_OF_CONDUCT.md) that this project adheres to. - [X] I have searched the [issue tracker](https://www.github.com/flatpak/flatpak/issues) for a feature request that matches the one I want to file, without success. ### Suggestion Some applications check for existence of file `/usr/share/anon-ws-base-files/workstation` and then depending on that slightly modify their behavior. OnionShare is an example: https://github.com/onionshare/onionshare/blob/develop/cli/onionshare_cli/web/web.py#L360_L364 ``` # In Whonix, listen on 0.0.0.0 instead of 127.0.0.1 (#220) if os.path.exists("/usr/share/anon-ws-base-files/workstation"): host = "0.0.0.0" else: host = "127.0.0.1" ``` That is currently broken for OnionShare running inside flatpak. While file `/usr/share/anon-ws-base-files/workstation` exists outside of flatpak, it does not exist inside of flatpak application data folder. How could this be resolved?

nurmagoz · January 17, 2022, 4:42pm

Thats true, actually im addressing 2 issues:

First installation of anything = size issue for the storage (we can say as well bandwidth issue)
Upgrading anything = bandwidth issue (since its over Tor, Upgrading 500MB or so is not easy task)

So what you have said is true that upgrades wont consume further storage but it will need efficient bandwidth speed to have that upgrade (or installing new fresh software).

Patrick · March 31, 2023, 8:45pm

Should we enable the flathub.org repository by default? In other words…

flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

Any reason to not apply this command by default in Kicksecure / Whonix?

HulaHoop · April 9, 2023, 12:19am

I’d say any secure software acquisition mechanism that is more
practical to use than backports is a plus to include. With that said, I
think it is important to document the security limitations of its
sandboxing including our discussion links with upstream (circling back
to my original post here) so users understand the full picture and make
informed decisions accordingly.

Patrick · April 16, 2023, 12:39pm

on flathub security:

Patrick · April 16, 2023, 12:40pm

new wiki chapter written just now:
Install Additional Software Safely chapter Flathub Package Sources Security in Kicksecure wiki

Patrick · April 16, 2023, 12:48pm

nurmagoz · June 25, 2023, 1:39pm

Adding flathub by default is like installing flatpak by default both are harmless if we are talking about the security considerations of doing it.

So from my side i dont see a problem, rather is a step for the future as long as flatpak is considered to be in whonix by default anyway.

HulaHoop · July 10, 2023, 2:24am

As long as the software retrieval and verification systems are secure and competently implemented it should be a welcome addition, potentially providing an easy way to install updated versions of popular apps that are not available on stable cycle distros.

Offtopic: Besides the flatpak sandboxing issues, an interesting development is the integration of Wayland per app access support for flatpak app sandboxes.

Patrick · July 31, 2023, 11:07am

flathub is still messy. Applications can appear as official, while they are not. Here’s an example where this is happening with Mullvad Browser.

Flatpak Support · Issue #6 · mullvad/mullvad-browser · GitHub

github.com/flathub/net.mullvad.MullvadBrowser

appears as official Mullvad Browser flatpak but is actually unofficial (impersonating)

opened 10:57AM - 31 Jul 23 UTC

adrelanos

There is no way on https://flathub.org/apps/net.mullvad.MullvadBrowser for a use…r to recognize that it's unofficial. Quote https://flathub.org/apps/net.mullvad.MullvadBrowser > Mullvad Browser > by Mullvad But is actually unofficial. Quote @ruihildt https://github.com/mullvad/mullvad-browser/issues/6 > FYI this is not an official release and we haven't verified it. We are currently considering how to best handle this. Basic ethics demands not to impersonate people, companies such as about the origin of software. Note: This is my personal opinion and I am not affiliated to Mullvad. > `https://flathub.org/apps/net.mullvad.MullvadBrowser` > `https://flathub.org/apps/` `net` `.` `mullvad` `.` `MullvadBrowser` Is the `net` part (as opposed to others using `org`) supposed to imply it's unofficial? If it was `org`, that would be mean it's official? Doesn't `mullvad` imply it's by the mullvad company? `https://flathub.org/apps/net.SomeIndividualOrCompanyName.MullvadBrowser` would be better. This matters as there might even be adware / malware being injected as this comment implies. Quote @tinypinkdragons https://github.com/mullvad/mullvad-browser/issues/6#issuecomment-1565223871: > As soon as I open the flatpak, my Pi-hole registers a connection attempt to 'aax-us-pdx.amazon-adsystem.com', which the Windows version doesn't do. After some investigation, I came here and saw it wasn't official. Now uninstalled. Any news on an official release, or will you not be publishing to Flathub?

flathub wanted to work on this.

They created beta.flathub.org but that now only redirects to flathub.org and the verification feature where the user gets more information on who is providing a flathub still isn’t on the flathub website. I didn’t read the full forum thread or researched what the status of that feature is if it has been deprecated, no longer planned.

Patrick · July 31, 2023, 12:01pm

Quote ruihildt (rui) · GitHub from above ticket:

…
Regarding the Flathub page itself, it is indeed questionable that they replicated the Twitter like “blue tick for verified”.
…
However, this is a Flathub general issue, not specific to this package.
…
We have plans to take over the package and make it official in the near future. In the meantime, I’m submitting a PR to add metadata and information in the Flathub page signifying it’s not an official package.
…

unofficial chrome

https://web.archive.org/web/20230716005406/https://flathub.org/apps/com.google.Chrome (web archived version)
No verified checkmark.

official Firefox

https://web.archive.org/web/20230721185041/https://flathub.org/apps/org.mozilla.firefox (web archived version)
Verified checkmark.

Better than nothing but still an awful way to tell users what is official and what is not. The unofficial chrome still appears official because its saying “Google Chrome by Google”.

Patrick · January 15, 2024, 7:05pm

now documented here:
Flathub Package Sources Security

Patrick · January 17, 2024, 1:17pm

github.com/flatpak/flatpak

[Feature request]: setting to block non-freedom Flatpaks by default; setting to block unverified Flatpaks by default; `--allow-nonfreedom`, `--allow-unverified`

opened 01:16PM - 17 Jan 24 UTC

adrelanos

enhancement

### Checklist - [X] I agree to follow the [Code of Conduct](https://github.com/…flatpak/flatpak/blob/main/CODE_OF_CONDUCT.md) that this project adheres to. - [X] I have searched the [issue tracker](https://www.github.com/flatpak/flatpak/issues) for a feature request that matches the one I want to file, without success. ### Suggestion **Issue:** For a Linux distribution (Kicksecure) (and Whonix), we are considering to enable Flathub by default. But there's 2 major concerns. * 1) It's too easy to accidentally install non-freedom (proprietary) software. * 2) It's too easy to install unverified software. (These without a verified badge on Flathub.) Software that is considered both under FLOSS licenses and verified is considered much more trustworthy. **Suggested Distribution Settings File:** The distribution could drop a configuration snippet in the yet to be invented `/usr/lib/flatpak/settings.d` folder. File `/usr/lib/flatpak/settings.d/30_kicksecure.conf`: ``` nonfreedom=false unverified=false ``` This is just a default setting suitable for some Linux distributions. The user should have the freedom to easily undo this. **Suggested User Override Settings File:** File `/etc/flatpak/settings.d/50_user.conf`: ``` nonfreedom=true unverified=true ``` **Suggested User Command Line Overrides:** For overrides on the command line case by case: * `--allow-nonfreedom` * `--allow-unverified` **Suggested `flatpak` command line output output:** * > Installation of non-freedom Flatpak denied. Use `--allow-nonfreedom` or change configuration to override. * > Installation of unverified Flatpak denied. Use `--allow-unverified` or change configuration to override.

Patrick · January 18, 2024, 11:11am

github.com/flatpak/flatpak

[Bug]: `flatpak remote-add` TOFU and TLS security issue / use stronger authentication than TLS

opened 11:11AM - 18 Jan 24 UTC

adrelanos

bug

### Checklist - [X] I agree to follow the [Code of Conduct](https://github.com/…flatpak/flatpak/blob/main/CODE_OF_CONDUCT.md) that this project adheres to. - [X] I have searched the [issue tracker](https://www.github.com/flatpak/flatpak/issues) for a bug that matches the one I want to file, without success. - [X] If this is an issue with a particular app, I have tried filing it in the appropriate issue tracker for the app (e.g. under https://github.com/flathub/) and determined that it is an issue with Flatpak itself. - [X] This issue is not a report of a security vulnerability (see [here](https://github.com/flatpak/flatpak/blob/main/SECURITY.md) if you need to report a security issue). ### Flatpak version any ### What Linux distribution are you using? Other (specify below) ### Linux distribution version any ### What architecture are you using? i386 ### How to reproduce flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo ### Expected Behavior Strong singing key verification. ### Actual Behavior Weak singing key verification only through TLS. ### Additional Information **Issue** The command `flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo` for adding the Flathub repository has a security concern. That command downloads a Flatpak repository file. That file contains an OpenPGP (`gpg`) signing key under the `GPGKey=` keyword, but this key is not authenticated beyond the security provided by TLS. The command relies on Trust on First Use (TOFU), which is a less secure approach compared to verification of signing keys. In essence, TOFU means trusting the initial connection and the credentials received without additional verification. When a repository is added using the `flatpak remote-add` command, the Flatpak repository definition file is downloaded over TLS (Transport Layer Security). While TLS provides basic security, [TLS CA system not very secure and has been hacked multiple times.](https://www.kicksecure.com/wiki/SSL). TLS alone does not provide strong verification of the authenticity of the software’s origin. It would be more secure to verify the key fingerprinting through the OpenPGP web of trust or other means of key fingerprinting verification. The reliance on TLS for verification lowers the overall security level. Ideally, software verification should be done through established and strong cryptographic signatures, ensuring that the software comes from a trusted source and has not been tampered with. To enhance security, users could manually add the Flathub repository configuration. This can be done by placing a configuration snippet directly in the `/etc/flatpak/remotes.d` directory. A file like `/etc/flatpak/remotes.d/flathub.flatpakrepo` can be created for this purpose. The content of this file, especially the `GPGKey=` keyword, should be sourced from a more secure, authenticated method than TLS. This ensures that the repository’s signing key is verified and trusted beyond the initial TLS connection. In other words, the `flatpak remote-add` command currently fails against a MitM capable of breaking TLS. This is sad because by comparison other package managers such as Debian's APT survives that (assuming there is no vulnerability in that gpg verification code). Once the user has installed the Linux distribution, the signing key is installed and used. The package manager can use TLS for an additional security layer but is also secure in case TLS is compromised. ---- **Solution 1:** Use properly formatted OpenPGP keys in `flathub.flatpakrepo`. Add support for properly formatted OpenPGP keys in `flathub.flatpakrepo` files. At the end: ``` -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBFlD2sABEADsiUZUOYBg1UdDaWkEdJYkTSZD68214m8Q1fbrP5AptaUfCl8K -----END PGP PUBLIC KEY BLOCK----- ``` Because currently `GPGKey=` is hard to convert into a format that `gpg` understands. I tried to extract the key from `GPGKey=` , add BEGIN and END but that won't work. Error: `gpg: invalid radix64 character 2D skipped` Probably because the lines are too long. I tried formatting the lines. awk '/-----BEGIN PGP PUBLIC KEY BLOCK-----/,/-----END PGP PUBLIC KEY BLOCK-----/ { if (!/-----BEGIN PGP PUBLIC KEY BLOCK-----/ && !/-----END PGP PUBLIC KEY BLOCK-----/) {print | "fold -w 64"} else print }' flathub-key-long.asc > flathub-key.as Still same error. So that seems complicated and an uphill battle. Even if someone wanted do this is, that currently does not seem possible. I don't think after downloading `flathub.flatpakrepo` there is any way to verify the key fingerprint? ---- **Solution 2:** Provide a detached gpg signature. * repofile: `https://flathub.org/repo/flathub.flatpakrepo` * signature: `https://flathub.org/repo/flathub.flatpakrepo.asc` ---- **Solution 3:** Allow specification of the long gpg fingerprint on the command line. Something like this: flatpak remote-add --fingerprint 0000000000000000000000000000000000000000 --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo Then flatpak could use a setting in `/etc/flatpak` which makes `--fingerprint` mandatory. ---- **Solution 4:** Hardcode the gpg key fingerprint or TLS certificate fingerprint. At least for Flathub it would be good if the gpg fingerprint and/or TLS certificate fingerprint for `flathub.org` would be hardcoded so that certificate authorities cannot mess with it.

Patrick · January 18, 2024, 11:19am

This issue is now documented in the Kicksecure wiki:
Install Additional Software Safely chapter Enable Flathub Repository in Kicksecure wiki