Open srenatus opened 6 years ago
The real question is whether tarsnap can be (safely) packaged with flatpak. At first glance, this looks possible -- it seems that flatpak doesn't suffer the flaws that snapcraft does (https://github.com/Tarsnap/tarsnap/pull/284). But it's always possible that we'll discover a snag later.
I'll take another look in January.
Sorry if it sounds naggy, but which January?
Right, this slipped off my radar.
I took a quick glance at flatpak.
It's faced some criticism [1] (with a rebuttal [2]), with mixed reactions from Hacker News [3][4].
That said, most of the issues in the Hacker News discussions aren't relevant to tarsnap.
A few points in the rebuttal seemed questionable, such as
> Given that all Flatpak packages are available and able to be edited by anyone, [2]
which would not be ideal for a secure backup tool like tarsnap. (Disclaimer: I haven't quite grasped what the author meant by that; the sentence contains a link to a GitHub repository, so perhaps they meant that anybody could submit a PR. Maybe it's possible to "lock" a repository so that only we could approve PRs to org.Tarsnap.tarsnap? I'll need to look into this more.)
We're not going to distribute our own libraries (see https://github.com/Tarsnap/tarsnap/pull/284), so everything would have to be in the runtime.
I see that the freedesktop runtime includes libssl (note to self: I need to check how quickly they update the runtime after an OpenSSL bug is discovered, such as CVE-2021-3711). I saw in their GitLab repository that a few months ago, libssl was moved from "base" to "components" (note to self: check what that means).
[1] https://www.flatkill.org/2020/
[2] https://theevilskeleton.gitlab.io/2021/02/11/response-to-flatkill-org.html
[3] https://news.ycombinator.com/item?id=24661126
[4] https://news.ycombinator.com/item?id=26528404
Basically, it comes down to:
I'll continue looking into these questions on another day.
> (Disclaimer: I haven't quite grasped what the author meant by that; the sentence contains a link to a github repository, so perhaps they meant that anybody could submit a PR. Maybe it's possible to "lock" a repository so that only we could approve PRs to org.Tarsnap.tarsnap
Not sure what they mean either. Based on https://github.com/flathub/flathub/wiki/App-Submission#how-to-submit-an-app it seems like only whoever submitted the app will have write access to it (and presumably the flathub admins), but anyone can make a PR. And anyone can submit an app, but it requires approval from the flathub admins.
> can we ensure that if somebody installs a Tarsnap flatpak, they're getting the right thing? (i.e. no hostile third-party code)
Flathub would be ideal, since people will likely have that already, but there is also the option of hosting your own flatpak repo (unlike with snappy).
Hello 😃
With more and more distributions picking up Flatpak, I was wondering if this wouldn't be cool for tarsnap-gui, too. (I certainly am missing backup utility options on Flathub, and I'd love to have tarsnap-gui available.)
What do you think? (Anybody working on this already?)
Thanks
Stephan