Conversation

Jarkko Sakkinen

Edited 18 days ago
#Flatpak would be much better if #Flatseal functionality would be somehow embedded nicely straight into #GNOME settings. Lack of such functionality out-of-the-box is the main glitch of the Linux app ecosystem for me.

I would take the reference from privacy and security settings of macOS. Flatseal is pretty much the same deal, isn't it?
3
0
4

@jarkko

In KDE Plasma it's in System Settings indeed but only the Flatseal's functionality. I'd like Warehouse's there too, in particular "snapshots".

0
0
0

@jarkko agree, KDE and Pantheon already got native some Flatseal functionality

0
0
0

@jarkko We very intentionally don't do this.

Flatseal configures apps' static permissions. These are perms that are not supposed to change, and on other OSs they are just completely invisible and immutable to a user. GNOME exposes settings for dynamic permissions. These are permissions apps ask for rather than claiming. Apps are designed to handle not having a dynamic permission granted

Changing static permissions will cause many issues, including app crashes and data loss. Not for most users!

1
0
0
@AdrianVovk So... But... You can even enable some system-level services from GNOME settings. And you really have no use for Flatpak for any productive work if you don't have this functionality.
1
0
0
@AdrianVovk It's a too broad question to answer :-)
1
0
0

Jarkko Sakkinen

Edited 17 days ago
@AdrianVovk

I can elaborate my earlier answer just a bit.

1. SSH service can be enabled from GNOME settings.
2. Network settings can be changed from GNOME settings.

Security-wise both are potentially much more destructive actions than let's say allowing app to access home directory files.

I'm not sure what you are referring to on asking permissions but I have never encountered a Flatpak app that would do that. E.g. in order to use a Matrix client I sometimes need to save or upload files. Without using Flatseal it simply is not possible.

In my iPhone the app both asks permissions OR I can enabled/disable them explicitly from settings. I don't really think this is too much robustness to ask but obviously it is in the end the choice of those who develop GNOME.

Just my silly opinion I guess...
1
0
0

@jarkko What distro (and its version) are you using?

Flatpak absolutely has the capability for apps to ask for access to files, hardware, etc. This is what it was designed for. These are called dynamic permissions, and many apps use them. I don't know how you've never encountered it.

Some apps don't know how to use dynamic permissions yet, and so they have to ask for exclusions to Flatpak's sandboxing. These are static permissions. Their defining feature is that apps don't function (1/?)

3
0
0

@jarkko apps don't function without them. So, something like Flatseal is basically a settings menu where users get to break their apps by revoking permissions that the app needs to work at all.

I'm not sure how system services are relevant here. It's not about security (though it is a little; Flatseal and home directory access is a lot more dangerous than an SSH on/off switch). It's about not bricking apps.

On iOS you're interacting with dynamic perms. Static perms are completely hidden (2/2)

0
0
1
@AdrianVovk I use Fedora universally in all my machines, i.e. somewhat conservative choice :-)

The Matrix client in question is the official Element client.
2
0
0
@AdrianVovk OK so cool I'll use Flatseal as a workaround up until that. Not the end of the world. Thanks for explaining this. With normal RPM's I do encounter PolicyKit queries from time to time so I'd figure this is what should happen also with Flatpak apps?
1
0
0
@AdrianVovk [I'd prefer to use Fractal but it does not have threads yet. Otherwise Fractal is all rounds superior user experience, and Element is somewhat... well not that great ;-)]
0
0
1

@jarkko Interesting. Fedora should have xdg-desktop-portal and xdg-desktop-portal-gnome installed and functional.

The official Element app seems to be bad at using dynamic permissions. Both attaching and uploading files doesn't use the dynamic permissions. Apparently it's a new bug in Electron, and this used to work: https://github.com/electron/electron/issues/43819

I'm guessing you don't use many other Flatpaks then? I'm surprised you've never run into the dynamic permission prompts. It's just like on iOS

1
0
1

@jarkko similar popups, yeah. Not the same, and it doesn't ask for a password. But similar

It's basically like iOS's or Android's permission prompts. An app can ask for permission to do something, a yes/no dialog pops up, and the permission is either granted or not.

Flatpak does try to make dynamic permissions invisible whenever it can, though.

If you want to play with / test all the different available dynamic permissions, there's an app for that: https://flathub.org/apps/com.belmoussaoui.ashpd.demo

0
0
1
@AdrianVovk Thanks for the insight! I learned a lot from this. Even if something is not exactly the way I would think it should be, I'm not a person that easily makes switches or "hates GNOME" :-) I use Linux to use productive work to get my bills paid not for installing distributions/desktops... 99,9% of GNOME works perfectly for my use really...
1
0
1
@AdrianVovk Not related to this but also resize of the window in Element is broken :-) I workaround that by always maximizing it... Nothing seems to get fixed, these have been long running issues.
0
0
1