Feedback wanted on new flatpak purchases support

Dan Nicholson nicholson at endlessm.com
Mon Dec 2 17:07:22 UTC 2019


On Thu, Nov 28, 2019 at 8:49 AM Alexander Larsson <alexl at redhat.com> wrote:
>
> Today I released flatpak 1.5.1 which has some initial work around
> purchases and other forms of protected content in flatpak. It is still
> early work and not considered stable yet, but I want to try to have
> some support for this in the Flatpak 1.6 release at the end of the
> year. Thus I'm sending this mail out to the list and to some people
> who I'd like to get feedback from.

Very cool. Thanks for pushing this along. I'm going to try to stand up
something on our Endless infrastructure today to see how it might play
with our repos.

> At the most basic level, the way protected content works is that the
> repo http server refuses serving certain refs unless the client
> presents a token that the server can validate[1]. Exactly which refs
> are protected is up to each repo maintainer, but protected and
> non-protected refs can be mixed in a repo. In order for flatpak to
> know when a ref needs a token there is a new "token-type" property in
> the commit, and whenever this is set to a non-zero value flatpak will
> try to use a token when downloading it.

I nagged about this before, but is "token-type" documented anywhere?
You gave me some answers before at
https://github.com/flatpak/flat-manager/pull/29#issuecomment-552645947,
but I'm wondering if that solidified.

> Does this all make sense? Does it seem comprehensive enough for what
> you want to do with flatpak? Does the API work for your frontends?
>
> I'd like to mention that this is a pretty minimal initial
> implementation. There was an early design document[2] that has a lot
> more features. In particular it describes APIs to let the client know
> ahead of time what will happen if you try to install something
> (i.e. that some app is a "purchase" or "donate" rather than "install"
> operation, as well as possibly details like prices, etc).

At a glance I think it makes sense. I'll have to go back through our
design doc and see if there's anything we were envisioning that might
be missing. I know one thing that was important to Endless was to
somehow make this work with P2P.

One thing I'd like to do is move away from our hosted Google doc to
something that's owned by flatpak. I was thinking about putting it in
https://github.com/flatpak/flatpak-docs/. Does that seem worthwhile?

--
Dan
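
The gating scheme described in the quoted announcement, sketched as an added example that is not part of the original mail or of flatpak's code: a repo mixes protected and unprotected refs, the client sends a token only when the commit's "token-type" is non-zero, and the server enforces access from its own list. The ref names, the HMAC token format, the `Bearer` header scheme and the status codes are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # constructed secret, for the demo only

# Constructed repo contents: protected and unprotected refs side by side.
PROTECTED_REFS = {"app/org.example.Paid/x86_64/stable"}
ALL_REFS = PROTECTED_REFS | {"app/org.example.Free/x86_64/stable"}


def issue_token(ref: str) -> str:
    """Assumed token format: hex HMAC-SHA256 over the ref it unlocks."""
    return hmac.new(SERVER_KEY, ref.encode(), hashlib.sha256).hexdigest()


def client_needs_token(commit_metadata: dict) -> bool:
    """Client side: a non-zero "token-type" in the commit means use a token."""
    return int(commit_metadata.get("token-type", 0)) != 0


def serve_ref(ref: str, authorization: Optional[str] = None) -> int:
    """Server side: return the HTTP status for a request for `ref`."""
    if ref not in ALL_REFS:
        return 404
    if ref not in PROTECTED_REFS:
        return 200  # unprotected refs are served with or without a token
    # The decision uses the server's own list, never client-supplied metadata:
    # "token-type" only tells a cooperating client when to attach a token.
    scheme, _, token = (authorization or "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401  # protected ref requested without a token
    expected = issue_token(ref)
    # Constant-time comparison; the token is bound to this one ref.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return 403
    return 200
```

A token issued for one ref is rejected for another because the ref name is part of what the server verifies.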