Feedback wanted on new flatpak purchases support

Alexander Larsson alexl at redhat.com
Tue Dec 3 10:11:44 UTC 2019 

On Mon, Dec 2, 2019 at 6:07 PM Dan Nicholson <nicholson at endlessm.com> wrote:
>
> On Thu, Nov 28, 2019 at 8:49 AM Alexander Larsson <alexl at redhat.com> wrote:

> > At the most basic level, the way protected content work is that the
> > repo http server refuses serving certain refs unless the client
> > presents a token that the server can validate[1]. Exactly which refs
> > are protected is up to each repo maintainer, but protected and
> > non-protected refs can be mixed in a repo. In order for flatpak to
> > know when a ref needs a token there is a new "token-type" property in
> > the commit, and whenever this is set to a non-zero value flatpak will
> > try to use a token when downloading it.
>
> I nagged about this before, but is "token-type" documented anywhere?
> You gave me some answers before at
> https://github.com/flatpak/flat-manager/pull/29#issuecomment-552645947,
> but I'm wondering if that solidified.

The only hard coded behaviour is that if the type is != 0 then flatpak
will ask the authenticator for a token when pulling that ref. This
doesn't even mean that the end result will use a bearer token, because
the authenticator is free to return an empty token. This can be used
by an authenticator as a way to interpose itself, and is useful for
example to handle "donation nagging" in a purely client-side way (i.e.
remember locally if we nagged before and if so just immediately return
an empty token.

This undefinedness is by design, and it is then up to each repository
to decide how it wants to use token-types.

For flat-manager, there is a configuration option where you can
basically enumerate the token types that require a token. The idea
here is that to support the client-side donation flow above you could
e.g. chose token-type 1 to mean client-side donation-flow, and 2 to
mean must-purchase, and you would then configure it to only require
tokens for token-type 2.

> One thing I'd like to do is move away from our hosted Google doc to
> something that's owned by flatpak. I was thinking about putting it in
> https://github.com/flatpak/flatpak-docs/. Does that seem worthwhile?

Another alternative is to use the flatpak wiki:
 https://github.com/flatpak/flatpak/wiki

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                Red Hat, Inc
       alexl at redhat.com         alexander.larsson at gmail.com

More information about the Flatpak mailing list