Vivaldi official flatpak networking

If you know more about it than I do, which is a very low bar, I would appreciate if you can post about that on the forum thread. It looked like the Vivaldi team just isn't very familiar with Flatpak or how to judge whether Zypak can be trusted to be secure and keep working. I posted this in the Fedora server, feel free to pass it on if you know anyone: " I found this today, about why Vivaldi does not have an official Flatpak yet: https://forum.vivaldi.net/post/669805 I did two things about it: https://github.com/refi64/zypak/issues/38#issue-1977606507 https://forum.vivaldi.net/post/708172 Could we get as many upvotes / contributions to these as possible? If anyone knows how to address this sandboxing/security blocker, or can just show community support, it would be appreciated. I personally use Vivaldi, I have seen many people who want it as a Flatpak, and I think it would be good to have at least one truly official Chromium-based browser Flatpak. "
42 Replies
ChaiQi
ChaiQiOP14mo ago
Since I'm taking a crack at this blocker for Vivaldi as a Flatpak - Cassidy Blaede seems like the right person to get in contact with (https://discord.com/channels/1072614816579063828/1074422586894712912/1167655517443862569). @j0rge would you be willing to help reach out, or perhaps just lend a comment with a familiar name if I do so myself?
akdev
akdev14mo ago
Tbh it seems the concerns expressed by the Vivaldi team cannot be addressed without funding - basically they don’t like that Zypak/flatpak sandboxing hasn’t been audited and that zypak is maintained by one guy. It seems to change that we would need: 1. Conduct a security audit of zypak/flatpak sandboxing vs normal chrome sandboxing to proof its effectiveness 2. More maintainers
Neither of these is cheap/free
ChaiQi
ChaiQiOP14mo ago
That checks out. I am hoping that I can get in contact with people who already work with these things so that perhaps they can bridge that gap without the resources necessary for any one party to brute force it
ChaiQi
ChaiQiOP14mo ago
Good find
akdev
akdev14mo ago
Bringing attention to this issue would probably be the right way of fixing the problem - if chromium took the patches to use flatpak sandbox then all the downstream would take it as approval that it’s ok
this is not related to the sandbox, but to distribution mechanisms for Linux
This comment is wrong so the ticket isn’t even in the right place most likely
ChaiQi
ChaiQiOP14mo ago
Gotcha. I'll see what I can do 🙂 I am not expecting this to be an immediate or trivial fix, but I specialize in bridging teams and community interaction, and it is a thing which matters to me, so I want to try to build some momentum and discourse where there has been none
Gerblesh
Gerblesh14mo ago
from the mastodon posts, it looks like zypak just bridges the default chromium suid sandbox (uses bwrap) to use the flatpak sub-sandbox (which also uses bwrap) so it's functionally mostly the same
ChaiQi
ChaiQiOP14mo ago
Yeah, that's the impression I got as well
Gerblesh
Gerblesh14mo ago
the annoying part is we shouldn't really need to have these types of hacks, and chromium should just support flatpak natively. Zypak also has some performance issues iirc, as in things are a bit slower and use more memory because of zypak, but I haven't really noticed much of that in real usage
ChaiQi
ChaiQiOP14mo ago
I figure if that's the de facto standard, then it's the baseline for future improvements rather than really a deficit
akdev
akdev14mo ago
I'm not familiar with Flatpak's subsandboxes but there is a good reason we maintain our Linux sandboxing code directly in Chromium, and we likely will not officially support a second sandboxing system for Linux
Gerblesh
Gerblesh14mo ago
looks like they already technically do, with android what is this from?
ChaiQi
ChaiQiOP14mo ago
The second Chromium forum link
Gerblesh
Gerblesh14mo ago
I see yeah it seems kinda silly how they don't want to use flatpak subsandboxes, and would rather keep all sandboxing inside chromium, and at the same time, they are using android's subsandboxes
ChaiQi
ChaiQiOP14mo ago
I'm not familiar with [bwrap] but there is a good reason we maintain [bwrap] here, and we likely will not officially support a second [third] sandboxing system [bwrap] for Linux
😅 😂
akdev
akdev14mo ago
They can trust the android sandbox because they have audited that
Gerblesh
Gerblesh14mo ago
that's fair
ChaiQi
ChaiQiOP14mo ago
Yeah
Gerblesh
Gerblesh14mo ago
Gerblesh
Gerblesh14mo ago
here are the patches for flatpak sandbox support, implemented in chromium flatpak
ChaiQi
ChaiQiOP14mo ago
By refi, updated three days ago aha, they ARE active So - refi is the chromium flatpak maintainer, and skelly is the chrome & brave flatpak maintainer?
Gerblesh
Gerblesh14mo ago
Idk
Gerblesh
Gerblesh14mo ago
I think refi maintains them as well
ChaiQi
ChaiQiOP14mo ago
I'm seeing a lot of lines where the change is a -> b 🤔
akdev
akdev14mo ago
GitHub
Contributors to flathub/com.google.Chrome
Contribute to flathub/com.google.Chrome development by creating an account on GitHub.
akdev
akdev14mo ago
That’s just the format of the universal diff
ChaiQi
ChaiQiOP14mo ago
Ahh
Gerblesh
Gerblesh14mo ago
For full flatpak support looks like it needs every patch
akdev
akdev14mo ago
Yeah this is just the sandbox part
ChaiQi
ChaiQiOP14mo ago
I have reached out to refi64 on Mastodon and TheEvilSkeleton on Matrix. I will see if/when they respond, and work on compiling a document on what has been done, what happened to past issues / forum posts, and what needs done to make a Vivaldi Flatpak happen. I am hoping I can go through the 'proper' channels in the forums to get in touch with the Vivaldi team, but I may have another contact I can leverage. I contacted them several months back to see if I could apply for a job with them, but they're not hiring in the US - one of them wrote a very friendly personal response, so as a last resort I may email them again and say 'Hello again, I maybe found a way to contribute anyway, could you help get some eyes on this?' Either way, that'll be if and when I have the other experts on board to explain / patch in the sandbox modifications Update: I chatted with TheEvilSkeleton a bit on Matrix, and confirmed that they're on board if there's something they can contribute, but they clarified that most of their Chromium knowledge is second-hand from refi64. There was a Mastodon thread on this back in September https://social.vivaldi.net/@jon/111054317115404701 where Cassidy Blaede contacted Jon von Tetzchner at Vivaldi, and refi64 chimed in. Tetzchner said he'd forward it to the right people at Vivaldi. I got in touch with refi64 (Ryan Gonzalez) directly and traded a few messages. They hadn't heard about this since September, so at the moment we don't know who at Vivaldi knows about those messages or whether they have made any progress. As per the first forum thread I found which started this, the blocker for Ruari (who appears to be the main Linux and Snapshot release person at Vivaldi) seems to be whether Chromium can run in a Flatpak without compromising the internal inter-process sandboxing and security. I confirmed with refi64 that their patches generally shouldn't compromise that, although there may be low-risk edge cases, and that they can probably explain that to someone. They stated that the Chromium flatpak patches are a lot cleaner and simpler than Zypak, and directed me to three files prefixed with flatpak- in this repo which contain those patches: https://github.com/flathub/org.chromium.Chromium/tree/master/patches/chromium. For reference, these are: 1287 lines of code, 81 loc, and 299 loc, totaling 1667 lines of code. I believe this is likely to be viable for the Vivaldi team to review, especially with some outside assistance. If I can get a thread going with the right people, refi64 is on board to provide assistance and expertise in that thread. Next steps: compile more information, contact Ruari, Jon von Tetzchner, and/or Cassidy Blaede about (hopefully) eventually creating a thread for this somewhere, and evaluate feasibility.
Daniel
Daniel14mo ago
👀
ChaiQi
ChaiQiOP14mo ago
Update: I have reached a community ambassador on the Vivaldi forums, who has internally contacted Ruari
j0rge
j0rge14mo ago
Joey Sneddon
OMG! Ubuntu
Vivaldi Web Browser is Coming to Flathub - OMG! Ubuntu
Fans of the Vivaldi web browser may be excited to hear it's coming to Flathub officially. A crop of recent code commits indicate the Chromium-based,
ChaiQi
ChaiQiOP14mo ago
GitHub
GitHub - flathub/com.vivaldi.Vivaldi
Contribute to flathub/com.vivaldi.Vivaldi development by creating an account on GitHub.
Flathub builds
Flathub buildbot instance
ChaiQi
ChaiQiOP14mo ago
I just updated refi64 on the above, in case their expertise is needed to iron out any last hurdles, and because it seems like something they would like to hear about since they maintain basically every Chromium-based flatpak presence on Linux
ChaiQi
ChaiQiOP14mo ago
Flathub - Apps for Linux
Vivaldi | Flathub
A powerful, personal, and private web browser
akdev
akdev14mo ago
You could try to use the momentum you are gaining to contact folks from chromium
ChaiQi
ChaiQiOP14mo ago
Yup, that's on my bucket list for if/when/after the Vivaldi flatpak is official - they've upstreamed patches to Chromium before, and even without active pressure, the existence of an official, verified flatpak for a Chromium-based browser by a successful company should place a lot more passive pressure/incentive on the Chromium team to prioritize flatpak support I'm trying to finagle the order of contacts to patiently build momentum by having the right people on board to name drop / pull in with each new person I reach out to
Gerblesh
Gerblesh14mo ago
woah! this has developed quite a bit, nice job, the future of chromium flatpaks is exciting! you're doing amazing work networking all of this
Want results from more Discord servers?
Add your server