A Debian maintainer's guide to Flatpak

Simon McVittie, smcv@{collabora.com,debian.org}

DebConf 17, Montreal

Introduction to Flatpak

A sandboxed app framework for Linux (formerly xdg-app)

  • app
    • as in /usr/share/applications
    • … or as in “app store”
  • sandboxed
    • you trust them enough to use them
    • but not necessarily enough to give them access to ~/.gnupg
  • Linux
    • no attempt to be portable away from GNU/Linux
    • systemd helps but is not currently required
    • not specific to Debian, Fedora, Ubuntu …

Apps and runtimes

Fig.1. A stable flat-pack-based platform

Fig.1. A stable flat-pack-based platform

Linux desktops: a moving target

  • The LSB defines a standard baseline version
    • but it seems hardly any ISVs use it in practice
    • go to Didier Raboud's talk on Saturday!

Bad for ISVs, and bad for us

  • When ISVs do the right thing and help us add features/fix bugs, they still don't get to rely on that for several years
    • Disincentive to do the right thing
  • The ISV is responsible for keeping up with security updates
    • Spoilers: sometimes they don't

Backports are a pain, too

Flatpak runtimes

  • Reference runtimes: org.freedesktop.Platform, org.gnome.Platform

  • KDE and Fedora also produce runtimes

  • soon: Valve/Steam? Debian?

Flatpak runtimes

Flatpak SDKs

Flatpak runtime versioning

  • Examples
    • org.gnome.Platform//3.24
    • org.fedoraproject.Platform//26
    • net.debian.flatpak.Games.Platform//stretch

The long tail

  • The app can bundle extras
    • Uncommon libraries
    • Libraries where the latest version is needed

App appears in /app

  • /app is the same length as /usr
    • As a last resort, this is good for binary editing

How apps and runtimes work

  • No, wait, that was git

How apps and runtimes work

How apps and runtimes work

Sandboxing with bubblewrap

Fig.2. Protecting an important subject with bubble wrap

Fig.2. Protecting an important subject with bubble wrap

Why sandbox

  • … but not enough to let it control the rest of my system
  • … but they might have made an exploitable mistake
  • … but a bundled library might be vulnerable

Namespaces

Namespaces

  • Upstream Linux: on or off at compile time, no middle ground
    • Ubuntu: enabled
  • Debian: no unprivileged userns by default, adjust a sysctl at runtime to enable
  • RHEL 7: no unprivileged userns by default, adjust a parameter at boot time to enable

Bubblewrap (bwrap)

  • Enough for Flatpak (and Red Hat's Project Atomic, and hopefully more)
  • Not enough to be a huge attack surface
    • Doesn't execute user code without PR_SET_NO_NEW_PRIVS first
  • Design principle: Does not allow anything that would be unreasonable for the kernel to allow

Sandboxing

  • Example

    [Context]
    shared=network;ipc;
    sockets=x11;wayland;pulseaudio;
    devices=dri;

Thinking with portals

Fig.3. Portals have safety implications if used carelessly

Fig.3. Portals have safety implications if used carelessly

Thinking with portals

  • When done badly, you get browser SSL warnings
    • Do you want to allow ghkscjjtklgoghkjxhtht? [yes] [no]
  • When done well, it's fairly obvious what's going on
    • Let hangouts.google.com use your microphone? [yes] [no]

Document portal

Document portal

  • Library support: recent GLib transparently uses portals

How portals work

  • The filter always allows talking to org.freedesktop.portal.*
    • Reference (and only) implementation: xdg-desktop-portal
  • xdg-desktop-portal talks to a per-desktop implementation
    • GNOME, KDE, more?

Achieving world domination

Fig.4. IKEA would put the entire world in their warehouse if they could

Fig.4. IKEA would put the entire world in their warehouse if they could

Not everything is an “app”

… and that's OK

  • Distros provide the platform for the system
    • init
    • udev
    • NetworkManager
    • gdm (and authentication in general)
    • Flatpak
    • Portals
  • Distros provide the platform for each user
    • GNOME Shell can't be an app
    • Neither can gnome-settings-daemon

Not everything is an “app”

  • Servers and daemons in general
    • Flatpak is for desktop apps
    • Put your servers in VMs, or Docker, or similar

Curation and QA

Every package has a maintainer who is often an expert in the field of the package

— Raphaël Hertzog, State of the Debian-Ubuntu relationship

  • We fix their security flaws even if upstreams don't

Building runtimes

Distributions aren't perfect

  • What value do we add to gnome-mines?
    • Most uploads are just “New upstream release”
  • What value do we add to xonotic?
    • Trick question, it has been ITP since 2011

This doesn't need to be either/or

Some assembly required

Fig.5. A flat-pack stack ready for compilation

Fig.5. A flat-pack stack ready for compilation

Using Debian for runtimes

Using Debian for runtimes

Flatdeb:

  • Simple case: the app is already relocatable
  • Less simple case: the app needs build-time changes
    • or source changes

Alternatives