Move xdg-native-messaging-proxy under Flatpak project

Thu Apr 10 12:05:16 UTC 2025

Hey all,

AFAICS Firefox just wants to have clarity around the situation and
doesn't care too much about the concrete outcome. I obviously also
believe that this is the right direction and so far haven't heard much
resistance to it. James had a number of concerns
(https://github.com/flatpak/xdg-desktop-portal/pull/1537#issuecomment-2753632295)
which I think I managed to address, but it would be good to hear back
from him.

On Wed, Apr 9, 2025 at 8:10 PM Georges Basile Stavracas Neto
<georges.stavracas at gmail.com> wrote:
>
> Thanks for the email
>
> Concretely, moving the project to under https://github.com/flatpak/ is not any sort
> of technical challenge - just needs someone with elevated permissions to do it.
>
> The interesting question is if there's enough consensus on the whole approach.
> Personally, I agree that something like xdg-native-messaging-proxy is better off
> living in a separate service, given we have extensive knowledge on the issues
> and design mishaps of the whole thing.
>
> What I'd like to know is if Firefox folks would be open to changing their patches
> slightly to it.
>
> Does anybody else have thoughts on this?
>
> With respect,
> Georges
>
> Em ter., 8 de abr. de 2025 às 12:48, Jan Grulich <jgrulich at redhat.com> escreveu:
>>
>> Hi,
>>
>>
>> It’s been three years since the first pull request was made to add a portal for WebExtensions to xdg-desktop-portal. This version of the portal has been added to Ubuntu packages, but it has never been part of any xdg-desktop-portal release. Recently, there were attempts to push this portal forward, so a new pull request was opened, keeping the same portal API, just the code was rebased and updated with some additional fixes, but ended up in the same situation → not being MERGED. This sparked some discussion about whether such a portal should be part of xdg-desktop-portal at all. Sebastian Wick had the idea to create a separate small service and called it xdg-native-messaging-proxy. This service takes the core of the original portal for WebExtensions, but exposes it on a bus address which only is accessible to sandboxed apps if they declare talk permission via their manifest and thus get marked as potentially unsafe. This addresses the concerns that the xdg-desktop-portal APIs are supposed to be secure for sandboxed applications.
>>
>>
>> It seems the consensus is to go with the separate xdg-native-messaging-proxy service, and the original portal will never officially be part of xdg-desktop-portal, so I would like to propose moving xdg-native-messaging-proxy under the flatpak project. The reason for this is that I would like to make this the "official" solution, and having it as someone else's project won't get applications to start adopting it. Also an official Flatpak project will likely get more contributors, reviews and bugs. We're also stuck with the adoption of the xdg-native-messaging-proxy on the Firefox side, where unfortunately the original portal support was merged in, although it was never anything official and is unlikely to be changed and reviewed until we get a clear upstream decision.
>>
>>
>> What are your thoughts on this proposal? What would be the necessary steps if we decide to move forward with integrating xdg-native-messaging into the Flatpak project?
>>
>>
>> Regards,
>>
>> Jan Grulich
>>
>>
>>
>>