Vivaldi official flatpak networking

If you know more about it than I do, which is a very low bar, I would appreciate it if you can post about that on the forum thread. It looked like the Vivaldi team just isn't very familiar with Flatpak or how to judge whether Zypak can be trusted to be secure and keep working.

I posted this in the Fedora server, feel free to pass it on if you know anyone:

"I found this today, about why Vivaldi does not have an official Flatpak yet: https://forum.vivaldi.net/post/669805

I did two things about it:
https://github.com/refi64/zypak/issues/38#issue-1977606507
https://forum.vivaldi.net/post/708172

Could we get as many upvotes / contributions to these as possible? If anyone knows how to address this sandboxing/security blocker, or can just show community support, it would be appreciated. I personally use Vivaldi, I have seen many people who want it as a Flatpak, and I think it would be good to have at least one truly official Chromium-based browser Flatpak."
42 Replies
ChaiQi (OP), 13mo ago
Since I'm taking a crack at this blocker for Vivaldi as a Flatpak - Cassidy Blaede seems like the right person to get in contact with (https://discord.com/channels/1072614816579063828/1074422586894712912/1167655517443862569). @j0rge would you be willing to help reach out, or perhaps just lend a comment with a familiar name if I do so myself?
akdev, 13mo ago
Tbh it seems the concerns expressed by the Vivaldi team cannot be addressed without funding - basically they don’t like that Zypak/flatpak sandboxing hasn’t been audited and that zypak is maintained by one guy. It seems to change that we would need:
1. Conduct a security audit of zypak/flatpak sandboxing vs normal chrome sandboxing to prove its effectiveness
2. More maintainers
Neither of these is cheap/free
ChaiQi (OP), 13mo ago
That checks out. I am hoping that I can get in contact with people who already work with these things so that perhaps they can bridge that gap without the resources necessary for any one party to brute force it
ChaiQi (OP), 13mo ago
Good find
akdev, 13mo ago
Bringing attention to this issue would probably be the right way of fixing the problem - if chromium took the patches to use flatpak sandbox then all the downstream would take it as approval that it’s ok
"this is not related to the sandbox, but to distribution mechanisms for Linux"
This comment is wrong so the ticket isn’t even in the right place most likely
ChaiQi (OP), 13mo ago
Gotcha. I'll see what I can do 🙂 I am not expecting this to be an immediate or trivial fix, but I specialize in bridging teams and community interaction, and it is a thing which matters to me, so I want to try to build some momentum and discourse where there has been none
Gerblesh, 13mo ago
from the mastodon posts, it looks like zypak just bridges the default chromium suid sandbox (uses bwrap) to use the flatpak sub-sandbox (which also uses bwrap) so it's functionally mostly the same
ChaiQi (OP), 13mo ago
Yeah, that's the impression I got as well
Gerblesh, 13mo ago
the annoying part is we shouldn't really need to have these types of hacks, and chromium should just support flatpak natively. Zypak also has some performance issues iirc, as in things are a bit slower and use more memory because of zypak, but I haven't really noticed much of that in real usage
ChaiQi (OP), 13mo ago
I figure if that's the de facto standard, then it's the baseline for future improvements rather than really a deficit
akdev, 13mo ago
"I'm not familiar with Flatpak's subsandboxes but there is a good reason we maintain our Linux sandboxing code directly in Chromium, and we likely will not officially support a second sandboxing system for Linux"
Gerblesh, 13mo ago
looks like they already technically do, with android
what is this from?
ChaiQi (OP), 13mo ago
The second Chromium forum link
Gerblesh, 13mo ago
I see
yeah it seems kinda silly how they don't want to use flatpak subsandboxes, and would rather keep all sandboxing inside chromium, and at the same time, they are using android's subsandboxes
ChaiQi (OP), 13mo ago
I'm not familiar with [bwrap] but there is a good reason we maintain [bwrap] here, and we likely will not officially support a second [third] sandboxing system [bwrap] for Linux
😅 😂
akdev, 13mo ago
They can trust the android sandbox because they have audited that
Gerblesh, 13mo ago
that's fair
ChaiQi (OP), 13mo ago
Yeah
Gerblesh, 13mo ago
here are the patches for flatpak sandbox support, implemented in chromium flatpak
ChaiQi (OP), 13mo ago
By refi, updated three days ago
aha, they ARE active
So - refi is the chromium flatpak maintainer, and skelly is the chrome & brave flatpak maintainer?
Gerblesh, 13mo ago
Idk
Gerblesh, 13mo ago
I think refi maintains them as well
ChaiQi (OP), 13mo ago
I'm seeing a lot of lines where the change is a -> b 🤔
akdev, 13mo ago
GitHub
Contributors to flathub/com.google.Chrome
akdev, 13mo ago
That’s just the format of the universal diff
ChaiQi (OP), 13mo ago
Ahh
Gerblesh, 13mo ago
For full flatpak support looks like it needs every patch
akdev, 13mo ago
Yeah this is just the sandbox part
ChaiQi (OP), 13mo ago
I have reached out to refi64 on Mastodon and TheEvilSkeleton on Matrix. I will see if/when they respond, and work on compiling a document on what has been done, what happened to past issues / forum posts, and what needs done to make a Vivaldi Flatpak happen.

I am hoping I can go through the 'proper' channels in the forums to get in touch with the Vivaldi team, but I may have another contact I can leverage. I contacted them several months back to see if I could apply for a job with them, but they're not hiring in the US - one of them wrote a very friendly personal response, so as a last resort I may email them again and say 'Hello again, I maybe found a way to contribute anyway, could you help get some eyes on this?' Either way, that'll be if and when I have the other experts on board to explain / patch in the sandbox modifications

Update: I chatted with TheEvilSkeleton a bit on Matrix, and confirmed that they're on board if there's something they can contribute, but they clarified that most of their Chromium knowledge is second-hand from refi64.

There was a Mastodon thread on this back in September https://social.vivaldi.net/@jon/111054317115404701 where Cassidy Blaede contacted Jon von Tetzchner at Vivaldi, and refi64 chimed in. Tetzchner said he'd forward it to the right people at Vivaldi. I got in touch with refi64 (Ryan Gonzalez) directly and traded a few messages. They hadn't heard about this since September, so at the moment we don't know who at Vivaldi knows about those messages or whether they have made any progress.

As per the first forum thread I found which started this, the blocker for Ruari (who appears to be the main Linux and Snapshot release person at Vivaldi) seems to be whether Chromium can run in a Flatpak without compromising the internal inter-process sandboxing and security. I confirmed with refi64 that their patches generally shouldn't compromise that, although there may be low-risk edge cases, and that they can probably explain that to someone. They stated that the Chromium flatpak patches are a lot cleaner and simpler than Zypak, and directed me to three files prefixed with flatpak- in this repo which contain those patches: https://github.com/flathub/org.chromium.Chromium/tree/master/patches/chromium. For reference, these are: 1287 lines of code, 81 loc, and 299 loc, totaling 1667 lines of code. I believe this is likely to be viable for the Vivaldi team to review, especially with some outside assistance. If I can get a thread going with the right people, refi64 is on board to provide assistance and expertise in that thread.

Next steps: compile more information, contact Ruari, Jon von Tetzchner, and/or Cassidy Blaede about (hopefully) eventually creating a thread for this somewhere, and evaluate feasibility.
Daniel, 13mo ago
👀
ChaiQi (OP), 13mo ago
Update: I have reached a community ambassador on the Vivaldi forums, who has internally contacted Ruari
j0rge, 13mo ago
Joey Sneddon
OMG! Ubuntu
Vivaldi Web Browser is Coming to Flathub - OMG! Ubuntu
Fans of the Vivaldi web browser may be excited to hear it's coming to Flathub officially. A crop of recent code commits indicate the Chromium-based,
ChaiQi (OP), 13mo ago
GitHub
GitHub - flathub/com.vivaldi.Vivaldi
Flathub builds
Flathub buildbot instance
ChaiQi (OP), 13mo ago
I just updated refi64 on the above, in case their expertise is needed to iron out any last hurdles, and because it seems like something they would like to hear about since they maintain basically every Chromium-based flatpak presence on Linux
ChaiQi (OP), 13mo ago
Flathub - Apps for Linux
Vivaldi | Flathub
A powerful, personal, and private web browser
akdev, 13mo ago
You could try to use the momentum you are gaining to contact folks from chromium
ChaiQi (OP), 13mo ago
Yup, that's on my bucket list for if/when/after the Vivaldi flatpak is official - they've upstreamed patches to Chromium before, and even without active pressure, the existence of an official, verified flatpak for a Chromium-based browser by a successful company should place a lot more passive pressure/incentive on the Chromium team to prioritize flatpak support
I'm trying to finagle the order of contacts to patiently build momentum by having the right people on board to name drop / pull in with each new person I reach out to
Gerblesh, 13mo ago
woah! this has developed quite a bit, nice job, the future of chromium flatpaks is exciting! you're doing amazing work networking all of this