finish-args-broken-kde-tray-permission is incorrect

[TingPing]

The finish-args-broken-kde-tray-permission forbids anything with org.kde.StatusNotifierItem at the beginning, however this isn't correct.

As you can see in knotification: https://github.com/KDE/knotifications/blob/7fb8c5b3130646845efb0483fc1cf3c7769c5830/src/kstatusnotifieritemdbus_p.cpp#L134

This is a unchanging format. In flatpak it will always be the same value for the same pid for the same item number.

Now this is very broken inside of flatpak but it is the correct permission to say --own-name=org.kde.StatusNotifierItem-2-1 because you know your values will always be the same. Fixing it means patching KDE libraries but that's a discussion for other people.

[ilya-fedin]

If you're worrying about the org.kde.* permission maybe you better to support #114 then? So no one will be able to use this dangerous permission.

[foresto]

114 does not resolve the application-breaking rule being discussed here.

[ilya-fedin]

Well, it's where you have to choose between security and functionality. Just like with Drag'n'Drop.

[foresto]

We don't have to choose. Simply removing this rule would allow the security fix without breaking existing functionality.

[ilya-fedin]

It will still be broken, you can't have multiple Electron applications with tray icon...

[foresto]

"without breaking EXISTING functionality."

[foresto]

you can't have multiple Electron applications with tray icon...

That's a separate issue, not solved by the rule discussed here.

[Erick555]

There is no explanation for its presence in 0dc7f80,

Apparently they knew Qt is fixed and Electron wasn't affected back then. So this wasn't a problem for anyone.

Nobody knew Qt is fixed and surely Electron apps did use tray half year ago. Virtually everyone switched to org.kde.* which was semi-official solution. It would take at least several months before all apps start using fixed electron version after something is done there.

[barthalion]

Thanks @bbhtt, I will go ahead and drop that error.