Support for runtime repo references in flatpakrefs

Alexander Larsson alexl at redhat.com
Fri Dec 2 15:52:08 UTC 2016


I just added support for the key RuntimeRepo in flatpak refs.
For an example, see: https://sdk.gnome.org/gedit.flatpakref

What this means is that a flatpakref file can contain a reference to a
flatpakrepo file, and when it is installed we download the referenced
file and look for it locally. If no remote with the same uri is
configured (in the system dir if you're doing a system install or in
the system *or* home dir if you're doing a user install) then we ask
the user if he wants to add this remote, and this way when the app is
later installed we automatically find the runtime it relies on.

I've avoided this for a while because this is security sensitive. If an
app can add a remote that is used for dependency resolution then that
can lead to runtimes from that remote being used by some other
application, which is not great.

However, in practice people *do* need to configure a runtime remote if
they actually want to run your app, so the alternative is to have a
bunch of commands listed on the webpage to install it, which has the
same kind of security issues. So, we might as well do it automatically.

The important thing here is that there is a level of trust in the
*names* we give for remotes, as these are what you specify as the
source when installing stuff, and which are shown when you are asked if
you want to install a runtime dependency. So, the "do you want to add
this" needs to generate a new nice remote name (it's based on the
flatpakrepo basename) and it needs to display it, in addition to the
repo URI when asking if you want to add it.

We should probably add corresponding support to gnome-software.


-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl at redhat.com            alexander.larsson at gmail.com 
He's an ungodly Jewish photographer on the wrong side of the law. She's a 
supernatural African-American mechanic with a birthmark shaped like 
Liberty's torch. They fight crime! 
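
The decision described in the message above, as an added example that is not part of the original post and not flatpak's own code: given a flatpakref and the flatpakrepo it references, it reports whether an existing remote is reused or the user would be prompted, and with which name and URI. The sample files, the trailing-slash URI comparison and the numbering of colliding names are assumptions.

```python
import configparser
import posixpath
from urllib.parse import urlparse

# Constructed sample inputs; every name and host below is a placeholder.
REF = ("[Flatpak Ref]\nName=org.example.App\nBranch=stable\n"
       "Url=https://apps.example.org/repo/\n"
       "RuntimeRepo=https://runtime.example.org/example-sdk.flatpakrepo\n")
RUNTIME_REPO = "[Flatpak Repo]\nTitle=Example SDK\nUrl=https://runtime.example.org/repo/\n"
SYSTEM_CFG = '[core]\nmode=bare-user\n\n[remote "gnome"]\nurl=https://sdk.example.net/repo/\n'
USER_CFG = '[remote "example-sdk"]\nurl=https://runtime.example.org/repo\n'

def parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: "RuntimeRepo", not "runtimerepo"
    cp.read_string(text)
    return cp

def remotes(config_text):
    """Return {remote name: url} from an ostree-style repo config."""
    cp = parse(config_text)
    return {s[len('remote "'):-1]: cp[s].get("url", "")
            for s in cp.sections()
            if s.startswith('remote "') and s.endswith('"')}

def plan(ref_text, repo_text, system_cfg, user_cfg, user_install):
    """Decide what a RuntimeRepo key leads to: nothing, reuse, or a prompt."""
    runtime_repo = parse(ref_text)["Flatpak Ref"].get("RuntimeRepo")
    if not runtime_repo:
        return {"action": "none"}
    url = parse(repo_text)["Flatpak Repo"]["Url"]
    # System installs consult the system dir only; user installs consult both.
    known = remotes(system_cfg)
    if user_install:
        known.update(remotes(user_cfg))
    for name, known_url in known.items():
        # Assumption: URIs are compared ignoring a trailing slash.
        if known_url.rstrip("/") == url.rstrip("/"):
            return {"action": "reuse", "name": name, "url": known_url}
    # Assumed naming rule: basename minus ".flatpakrepo", numbered on collision.
    base = posixpath.basename(urlparse(runtime_repo).path)
    if base.endswith(".flatpakrepo"):
        base = base[:-len(".flatpakrepo")]
    name, n = base, 1
    while name in known:
        n += 1
        name = f"{base}-{n}"
    # Both the generated name and the URI belong in the confirmation prompt.
    return {"action": "prompt", "name": name, "url": url}
```
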


