On Tue, 07 Dec 2021 at 23:08:41 +0100, Bastian Blank wrote:
> On Tue, Dec 07, 2021 at 10:45:27PM +0100, Vincent Bernat wrote:
> > Flatpak compiles it
> > from source (while UngoogledChromium let contributors compile it and
> > publish the binary because GitHub CI does not allow such resource-heavy
> > build).
>
> You mean the builds of the Flatpak stuff are not properly controlled? But
> instead uncontrolled done by contributors?
I think there is some confusion here. Flatpak is a piece of software (like apt/dpkg), not an organization or provider of compiled software (like Debian). Anyone can host a Flatpak repository, and you can deliver almost anything in Flatpak format (safe or not, Free or not, compiled from source or not), just like you can put almost anything in a .deb package.

Flathub is a major build and distribution service for Flatpak apps, in the same way that Debian and Launchpad are major providers of .deb packages. Perhaps a closer parallel is that if Flatpak is like the Android app framework, then Flathub is like the Google Play store: you can use Flatpak without using Flathub at all, but most Flatpak users are using Flathub for at least some of their apps. If you think you have installed an app "from Flatpak" without any further details, it is probably from Flathub.

Flathub generally requires builds to be done on Flathub's infrastructure, from source code if possible, in the same way Debian generally requires builds to be done on buildds, from source if possible. (Like Debian, it makes an exception for binary-only non-free software where no public source code is available.)

At least one package on Flathub is built on third-party infrastructure and directly contributed as binaries even though it is open-source. The only example I'm aware of is Firefox, which is built by Mozilla's CI and provided to Flathub as binaries.

I believe what Vincent meant is that the generic non-Flatpak binaries provided by the "Ungoogled Chromium" project are compiled on unknown machines and require trusting their submitters, whereas the Flatpak binaries provided by Flathub are compiled from the same source code provided by the "Ungoogled Chromium" project, but compiled on Flathub infrastructure.
Here's an example of a build log from Flathub building Ungoogled Chromium, which does look like it came from source code (at least superficially, I haven't examined it in detail): https://flathub.org/builds/#/builders/12/builds/8123

It is possible that the "Ungoogled Chromium" Flatpak build on Flathub takes some parts as prebuilt binaries while compiling other parts from first principles. Someone would have to inspect the build in detail to find out, the same way it isn't trivial to tell from looking at a Debian package whether it is fully built-from-source or not.

However, when a Flatpak app is compiled using flatpak-builder (which is what Flathub uses), the build is done in a sandbox that does not allow network access; so we can be sure that if the "Ungoogled Chromium" build contains prebuilt binaries, those prebuilt binaries must have been part of one of the "source" components listed in the JSON or YAML manifest that drives the build. This is similar to building a Debian package with `pbuilder build --network no` [1], and then being able to inspect the orig.tar.* and debian.tar.* to look for any prebuilt binaries that might have been used.

    smcv

[1] but not sbuild (#802850): our policy forbids network access during build but our official infrastructure currently does not technically prevent it
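The point above, that a network-free flatpak-builder sandbox forces every build input to appear as a manifest "source" entry, suggests a simple audit: enumerate those entries and sort them by kind. The script below is an added example written for this thread, not Flathub's or flatpak-builder's own tooling; the manifest it inspects is constructed, and the source-type names it recognises are flatpak-builder's documented ones (git, archive, file, patch, extra-data, and so on).

```python
"""Enumerate and categorise the "sources" of a flatpak-builder manifest.
flatpak-builder builds in a sandbox with no network, so every build input
(source code, patches, prebuilt binaries) must be declared here; listing
them is a first step in checking an app is really built from source."""
VCS_TYPES = {"git", "bzr", "svn"}       # checkouts: normally source code
BLOB_TYPES = {"file", "archive"}        # copied in verbatim: inspect these
INSTALL_TIME_TYPES = {"extra-data"}     # fetched by the client at install time

SAMPLE_MANIFEST = {  # constructed for this example, not a real Flathub manifest
    "app-id": "org.example.Demo",
    "modules": [
        {"name": "libfoo", "sources": [
            {"type": "git", "url": "https://example.org/libfoo.git", "commit": "abc123"}]},
        {"name": "demo", "sources": [
            {"type": "archive", "url": "https://example.org/demo-1.0.tar.xz", "sha256": "00"},
            {"type": "file", "url": "https://example.org/helper.bin", "sha256": "11"},
            {"type": "patch", "path": "fix-build.patch"}],
         "modules": [{"name": "bundled-dep", "sources": [
            {"type": "extra-data", "url": "https://example.org/blob.bin", "sha256": "22"}]}]},
    ],
}

def iter_modules(modules):
    """Yield each module dict, recursing into nested "modules" lists."""
    for mod in modules:
        if isinstance(mod, dict):   # string entries name separate manifest files: audit those too
            yield mod
            yield from iter_modules(mod.get("modules", []))

def classify(source):
    """Coarse review category for one source entry."""
    stype = source.get("type")
    if stype in VCS_TYPES:
        return "vcs"
    if stype in INSTALL_TIME_TYPES:
        return "install-time-download"  # never passes through the build sandbox
    if stype in BLOB_TYPES:
        return "blob"
    return "build-input"                 # patch, shell, script, inline, dir

def audit_manifest(manifest):
    """Return one (module, category, locator, sha256) tuple per source."""
    return [(mod["name"], classify(src), src.get("url") or src.get("path"), src.get("sha256"))
            for mod in iter_modules(manifest.get("modules", []))
            for src in mod.get("sources", [])]
```

Entries reported as "blob" or "install-time-download" are the ones to open up and check for prebuilt binaries; the sha256 lets you confirm you are looking at the same artifact the build consumed.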