arguments that are not needed in the flatpak manifest ?

[ghost]

While going through the flatpak manifest today, I have found that it has --device=all argument, which is odd since VSC wouldn't need to use any hardware devices, it is just a code editor. Same with the socket --socket=pulseaudio, it just edits code, I am not aware of any usescases that should need audio.

I have also found that --socket=x11 --socket=wayland both are declared at the same time, while is causes no functional issues, but as VSC currently has no native support for wayland (although a PR has been submitted) and exclusively runs via Xwayland, there is no need to enable the Wayland socket to my understanding.

I have modified the aforementioned arguments accordingly and have ran VSC for sometime today, without any noticeable detrimental changes in behaviour, It would be great if the mods could take a look at these and tighten the access of the flatpak for these permissions/sockets for increased privacy/security.

[ghost]

On that note, I have also taken a look at one of my previously abandoned PRs https://github.com/flathub/com.vscodium.codium/pull/281 and now believe that it wasn't a fix/workaround that only affected me and does enhance the user experience.

By default, the flatpak access to the user's entire machine via the --filesystem=host permission. Thus, many people might feel inclined to give it access to a narrow range of files/folders where they store all their software projects, thus disabling access to the entire host and only allowing access to those particular files/directories.

This, however, causes VSC to throw a very cryptic error message everytime the user tries to commit/push files via git, which is caused by lack of access to the .gitconfig file.

The importance of the .gitconfig file is on par with the other files/directories the flatpak manifest of VSC explicitly gives access to, like --filesystem=xdg-run/gnupg:ro and --filesystem=xdg-config/kdeglobals:ro, which might be considered crucial for VSC to function properly, and this is why I think, considering it's importance, the .gitconfig file's access should be explicitly provided in the flatpak manifest, instead of it being included in a manual, readme or wiki.

[noonsleeper]

Hi @larina3315

--device=all argument, which is odd since VSC wouldn't need to use any hardware devices

Actually VSCodium access to GPU acceleration, and for some of us we need access to USB to develop not only for programming microcontrollers but to control access like gpg-cards and yubikey, like this

Same with the socket --socket=pulseaudio, it just edits code, I am not aware of any usescases that should need audio.

I assume that you don't debug video games or the apps that you program don't use any multimedia, or the extensions that you use doesn't notify you with sounds, but are plenty of people that access to these features.

I have also found that --socket=x11 --socket=wayland both are declared at the same time, while is causes no functional issues, but as VSC currently has no native support for wayland (although a PR has been submitted) and exclusively runs via Xwayland, there is no need to enable the Wayland socket to my understanding.

VSCodium & VSCode has wayland support but is not the best, the change to disable wayland by default on Codium-insiders but not here but in the near future this will be disabled by default to VSCodium as well, also I will to make some changes on https://github.com/flathub-infra/ide-flatpak-wrapper to take better control over this problem.

By default, the flatpak access to the user's entire machine via the --filesystem=host permission.

This was already answered on at least 2 or 3 previous issues like this, this won't be changed in the near future.

like --filesystem=xdg-run/gnupg:ro and --filesystem=xdg-config/kdeglobals:ro, which might be considered crucial for VSC to function properly, and this is why I think, considering it's importance, the .gitconfig

--filesystem=xdg-run/gnupg:ro is not needed anymore with --socket=gpg-agent on the wild, but I don't know if Ubuntu people update to flatpak package to a version that support this, also I don't use KDE then I need the time to set a VM with kde to test about --filesystem=xdg-config/kdeglobals:ro, maybe do you know about these 2?

[ghost]

Hi @larina3315

--device=all argument, which is odd since VSC wouldn't need to use any hardware devices

Actually VSCodium access to GPU acceleration, and for some of us we need access to USB to develop not only for programming microcontrollers but to control access like gpg-cards and yubikey, like this

Same with the socket --socket=pulseaudio, it just edits code, I am not aware of any usescases that should need audio.

I assume that you don't debug video games or the apps that you program don't use any multimedia, or the extensions that you use doesn't notify you with sounds, but are plenty of people that access to these features.

I have also found that --socket=x11 --socket=wayland both are declared at the same time, while is causes no functional issues, but as VSC currently has no native support for wayland (although a PR has been submitted) and exclusively runs via Xwayland, there is no need to enable the Wayland socket to my understanding.

VSCodium & VSCode has wayland support but is not the best, the change to disable wayland by default on Codium-insiders but not here but in the near future this will be disabled by default to VSCodium as well, also I will to make some changes on https://github.com/flathub-infra/ide-flatpak-wrapper to take better control over this problem.

By default, the flatpak access to the user's entire machine via the --filesystem=host permission.

This was already answered on at least 2 or 3 previous issues like this, this won't be changed in the near future.

like --filesystem=xdg-run/gnupg:ro and --filesystem=xdg-config/kdeglobals:ro, which might be considered crucial for VSC to function properly, and this is why I think, considering it's importance, the .gitconfig

--filesystem=xdg-run/gnupg:ro is not needed anymore with --socket=gpg-agent on the wild, but I don't know if Ubuntu people update to flatpak package to a version that support this, also I don't use KDE then I need the time to set a VM with kde to test about --filesystem=xdg-config/kdeglobals:ro, maybe do you know about these 2?

Understandable, I will close the PR as the arguments have turned out to be needed.