Release of Flatpak 1.6.0 self-contained package system

A new stable branch of the Flatpak 1.6 toolkit has been published. It provides a system for building self-contained packages that are not tied to a specific Linux distribution and run in a special container that isolates the application from the rest of the system. Support for running Flatpak packages is available for Arch Linux, CentOS, Debian, Fedora, Gentoo, Mageia, Linux Mint and Ubuntu. Flatpak packages are included in the Fedora repository and are supported natively by the GNOME application manager.

Key innovations in the Flatpak 1.6 branch:

  • The CreateUpdateMonitor method has been added to the Portal API to let applications monitor for updates and request that an update be installed.
    To withhold the permission for an application to install its own updates, use the command "flatpak permission-set flatpak updates $APPID no" (if "ask" is specified instead of "no", a confirmation dialog is shown for each update);

  • To simplify the creation of handlers, the libportal library is proposed, which makes it possible to handle events without directly using the Portal API and parsing signals coming over D-Bus.
    Libportal provides simple asynchronous wrappers for most of the portals;

  • Added a new permission "--socket=cups" to grant direct access to the CUPS print server;
  • Changed the protocol and API for handling authentication. Added authenticator for OCI (Open Container Initiative). Implemented support for automatic installation of authenticators from an external flatpak repository. A callback handler has been added to FlatpakTransaction to use login and password authentication similar to the HTTP basic authentication method;
  • Added support for secure applications and systems that require authentication at boot;
  • Bubblewrap used for isolation updated to release 0.4.0;
  • Added optional support for parental control using the libmalcontent library, which allows access to certain types of content to be restricted;
  • Extensions are now installed before the application, which allows you to get a working application immediately after its installation is completed;
  • Handling of temporary files has been reworked, which improves behaviour when free disk space is scarce;
  • Running the "flatpak enter" command no longer requires sudo;
  • The ability to launch nested isolated environments (sub-sandbox) for child processes has been added to portals;
  • Added new commands "flatpak permission-set" and "permission-remove" to control the setting of permissions;
  • Added "flatpak install --or-update" option to update if the app is already installed;
  • Added the "flatpak mask" command to fix the version and disable the installation of updates;
  • For images in the OCI (Open Container Initiative) format, added support for label binding, generating a history of changes in the image, and enabling docker mime types in addition to OCI mime types;
  • The default-languages key has been added to the settings to define the list of languages used, in addition to the system list.
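As an added example (not code from the Flatpak project or the original article), the following POSIX shell script turns the "flatpak permission-set flatpak updates $APPID ..." command from the update-monitor item above into a default-deny policy: every installed application is set to "no" and only an allowlist is set to "ask". The stdin app-id list, the ALLOW_ASK and DRY_RUN variables and the "apply" argument are this example's own conventions, and the app ids used for checking are sample values.

```shell
#!/bin/sh
# Added example, not part of the Flatpak project: enforce a default-deny
# policy for application-requested updates with the 1.6 command
# "flatpak permission-set flatpak updates $APPID <value>".
# Assumptions (this script's own conventions): app ids arrive one per
# line on stdin (for example from a "flatpak list" invocation);
# ALLOW_ASK is a space-separated list of app ids allowed to prompt the
# user ("ask"); every other app gets "no"; DRY_RUN=1 prints the commands
# instead of running them.

ALLOW_ASK="${ALLOW_ASK:-}"
DRY_RUN="${DRY_RUN:-0}"

# Decide the permission value for one app id: "ask" if allowlisted, else "no".
decide_policy() {
    for allowed in $ALLOW_ASK; do
        if [ "$allowed" = "$1" ]; then
            echo ask
            return 0
        fi
    done
    echo no
}

# Render the exact command that would be run for one app id.
policy_command() {
    echo "flatpak permission-set flatpak updates $1 $(decide_policy "$1")"
}

# Read app ids from stdin and apply (or, in dry-run mode, print) the policy.
apply_policies() {
    while IFS= read -r app; do
        [ -n "$app" ] || continue
        if [ "$DRY_RUN" = 1 ]; then
            policy_command "$app"
        else
            flatpak permission-set flatpak updates "$app" "$(decide_policy "$app")"
        fi
    done
}

# Entry point when run as a script: ./updates-policy.sh apply < app-list.txt
if [ "${1:-}" = apply ]; then
    apply_policies
fi
```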

Recall that Flatpak makes it possible for application developers to simplify the distribution of programs that are not included in the regular distribution repositories by preparing one universal container instead of generating separate builds for each distribution. For security-conscious users, Flatpak allows a questionable application to run in a container, giving it access only to the network functions and user files associated with the application. For users interested in what's new, Flatpak allows installing the latest test and stable releases of applications without having to make changes to the system. For example, Flatpak packages are currently built for LibreOffice, Firefox, GIMP, Inkscape, Kdenlive, Steam, 0 A.D., Visual Studio Code, VLC, Slack, Skype, Telegram Desktop, Android Studio, etc.

To reduce the size of a package, it includes only application-specific dependencies, while the basic system and graphics libraries (GTK+, Qt, GNOME and KDE libraries, etc.) are provided as pluggable standard runtime environments. The key difference between Flatpak and Snap is that Snap uses the components of the main system environment and isolation based on system call filtering, whereas Flatpak creates a container separate from the system and operates with large runtime sets, taking standard system environments (for example, all the libraries required to run GNOME or KDE programs) as dependencies rather than individual packages.

In addition to the standard system environment (runtime), installed from a special repository, the additional dependencies (bundle) required for the application to work are supplied. Together, the runtime and bundle form the contents of the container; the runtime is installed separately and shared by several containers at once, which avoids duplicating the system files common to those containers. One system can have several different runtimes installed (GNOME, KDE) or several versions of the same runtime (GNOME 3.26, GNOME 3.28). An application container depends only on a specific runtime as a whole, without regard to the individual packages that make up that runtime. Everything missing is packaged directly with the application. When the container is formed, the contents of the runtime are mounted as the /usr partition and the bundle is mounted in the /app directory.

The contents of runtime and application containers are built using OSTree technology, in which the image is atomically updated from a Git-like repository, which allows version control methods to be applied to the components of the distribution (for example, the system can be quickly rolled back to a previous state). RPM packages are translated into the OSTree repository using a special rpm-ostree layer. Separate installation and updating of packages inside the working environment is not supported; the system is updated not at the level of individual components but as a whole, atomically changing its state. Tools are provided to apply updates incrementally, eliminating the need to completely replace the image with each update.

The generated isolated environment is completely independent of the distribution in use and, with the package configured properly, has no access to the files and processes of the user or the main system and cannot directly access hardware, apart from output via DRI and the network subsystem. Graphics output and input are implemented using the Wayland protocol or through X11 socket forwarding. Interaction with the external environment is built on the D-Bus messaging system and the special Portals API. Isolation uses the bubblewrap layer and traditional Linux container virtualization technologies based on cgroups, namespaces, Seccomp and SELinux. PulseAudio is used for sound output.

Source: opennet.ru