[ANNOUNCE] xdg-app - desktop app sandboxing system

Thomas Kluyver thomas at kluyver.me.uk
Wed Jun 24 10:47:02 PDT 2015

Hi Jasper,

On Wed, Jun 24, 2015, at 10:23 AM, Jasper St. Pierre wrote:
> Both of these are really cool and convenient for system updates.
> xdg-app is simply using OSTree for its first bit, the repo bit.
> xdg-app has its own deploy stage.

So it sounds like an application publisher would use OSTree to host
releases, and the user uses a custom xdg-app mechanism to fetch and
install it. This would be independent of current distro package formats.
Is that right?

> > - Would an application developer host their own packages, or is it still
> > a centralised model like distro packaging? If it's centralised but
> > cross-distribution, who would run the repository?
> You could run it either way. The vision here is definitely that the
> app developers publish their own official builds. But Fedora might
> want a central repo for all the packages in its distro.
> So, I don't know, it remains to be seen. We're simply building the
> tools here. Distro politics come after. :)

Right, but how you design the tools depends on how you expect them to be
used. I'm happy to hear that the vision is for app developers to publish
their own builds: I don't think centralised gate-keeping scales well
enough, unless you have the kind of resources Google or Apple have to
run it.

> When the app is deployed, its manifest of permissions is checked to
> determine what should be mounted in the sandbox. This manifest can be
> edited by a user at any time. Note, however, that if the app isn't
> coded for these failure cases (it was simply using a standard Linux
> API), it might crash outright.

I'm still a bit unclear on what the trust model is - would the user be
clearly shown the permissions manifest in an understandable format
before they use the application, so they could see if it was trying to
do anything sneaky? Or is the idea that you trust the app author, and
permissions are a way to limit the impact on the system if there's a
security bug in that app?

Again, it's the vision I'm interested in - I understand that it's early
days for the project and this kind of user-visible stuff might be some
way off. But it's good to know what it's driving towards.

