
Flatpak bundle

Open Eonfge opened this issue 5 years ago • 67 comments

This is a large issue, so let's break it down into some parts

What is Flatpak

Flatpak is a framework for distributing desktop applications on Linux. It has been created by developers who have a long history of working on the Linux desktop, and is run as an independent open source project.

Introduction to Flatpak

Why Flatpak

This new packaging format tackles a few issues that are unique to Q4wine and Wine in general

  • Users will always be able to use the latest version, no ppa or aur required
  • It works the same on all distributions
  • The package can be bundled with all required components in one go
  • The package is not dependent on the architecture of the host machine

In other words, when Q4wine runs in Flatpak, you can ensure that users have access to:

  • The latest wine
  • The latest winetricks
  • Multilib (32bit)

With Flatpak, your app will be ready for when multilib architectures really do become deprecated. Flatpak will run in its own container where it is possible to have 32bit libraries, even if the main system doesn't have them.

What is required to do so

Roughly speaking, the following must happen

  • Choose a shared library to work from, likely org.kde.Platform because of KDE
  • Compile Wine for this package, preferably multiple versions (stable, unstable)
  • Compile Winetricks for this package (or is it just a massive script?)
  • Compile Q4wine for this package
  • Tie things together so that your tool properly works with all other components
  • Publish the combined app using Flathub (or other)

Things to keep into account

  • Flatpak is sandboxed, you cannot use external wine installations
  • Flatpak is scoped, you must define permissionsets that you might need to run

Closing words

This will be quite an undertaking. I've dabbled with Flatpak, but I'm certainly not skilled enough to help in a project of this size. Still, it will be the way forward.

More

Github wiki Flatpak docs

Eonfge avatar Jul 03 '19 20:07 Eonfge

Sounds nice. I'll take a look.

brezerk avatar Jul 04 '19 17:07 brezerk

Has anyone built q4wine on flatpak? I want to test it.

gustavolinux avatar Jul 04 '19 23:07 gustavolinux

not yet. I am still looking into the flatpak documentation >_<

brezerk avatar Jul 13 '19 12:07 brezerk

well

I managed to build q4wine with Flatpak.

You may wish to try it on your own:

flatpak-builder build-dir pkg/ua.org.brezblock.Q4Wine.json --force-clean
and then
flatpak-builder --run build-dir pkg/ua.org.brezblock.Q4Wine.json q4wine

Couple issues found so far:

  • File selection dialogs are not working at all (it does nothing). Not sure if it is a Qt or Flatpak bug;
  • Wine processes are not displayed in the Process tab. Probably b/c there is no access to the host's /proc filesystem;
  • Online help buttons are not working; not sure if it is a Qt or Flatpak bug;
  • icoutils and fuseiso binaries are not available

brezerk avatar Aug 19 '19 22:08 brezerk

Here is the test manifest https://github.com/brezerk/q4wine/blob/master/pkg/ua.org.brezblock.Q4Wine.json

brezerk avatar Aug 19 '19 22:08 brezerk

I'll give it a shot within a day or two. Have some other agenda points as well, but I'm really excited about it.

Have you already tried a first build using the Flathub builder bot?

Eonfge avatar Aug 20 '19 06:08 Eonfge

Did a quick test but I noticed that at the moment, no Wine is bundled with the Flatpak image. This is an obvious next step, because the model of Flatpak doesn't allow you to include libraries that come from outside of the sandbox domain.

This can be seen when you select a wine installation in your file selectors; it returns:

/run/user/1000/doc/4589be02/wine

This is because of portals. It's a file redirecting system which prevents apps from escaping their sandbox. For more info, see Sandboxing: http://docs.flatpak.org/en/latest/sandbox-permissions.html#portals

Information on compiling Wine for Flatpak can be found here:

  • https://github.com/winepak/winepak-sdk-images/blob/master/org.winepak.Sdk.yml
  • https://github.com/winepak/winepak-sdk-images/blob/master/wine/3.9-staging/org.winepak.Platform.Wine.yml

On a positive note, the Help button did work for me. Not sure what might have caused that.

Eonfge avatar Aug 20 '19 15:08 Eonfge

Are File selection dialogs working for you too?

brezerk avatar Aug 20 '19 16:08 brezerk

Yes, the default selector works when I browse for a Wine version. [Screenshot from 2019-08-20 18-40-43]

Bit of a big image, but in the top left you see the logging of Q4wine, on the left you see the Q4wine startup screen and on the bottom right you see the file browser. In the background... the code of Nautilus and the installation folder of Q4wine that I pulled locally.

Eonfge avatar Aug 20 '19 16:08 Eonfge

mkay

it looks like my Flatpak Gentoo setup is a bit broken.

xdg-kde-portal is not working properly or something

brezerk avatar Aug 20 '19 17:08 brezerk

Information on compiling Wine for Flatpak can be found here:

unsee :)

so it looks like Flatpak can't include another image/layer (like Docker, for example)?

weird

brezerk avatar Aug 20 '19 17:08 brezerk

@brezerk I've given it a bit more thought while I was at the gym, and there are a few options:

  1. Compile Wine from scratch and include it in the main archive. This seems to be the most preferred way by Flatpak because that makes updating and integrity validation a lot easier.

  2. Compile Wine from scratch and include it as a module. This would help in the long run, as every Wine version can be its own module, giving users a lot of flexibility. As of this moment, not many applications use modules, but Files for example has a few: [screenshot]

  3. Don't compile Wine, but load it like an external data source. This is what Steam does for example: Proton is loaded afterwards, and it runs within the same container.

The third option would be arguably the easiest. It's what PlayOnLinux also does for example. A hybrid of one and two would be most advanced: You compile the Stable and Testing version into the main flatpak, while users can download every old version as a module.

I've recently finished my very own first flatpak app, so perhaps I can help you with packaging Wine. I'll let you know later if I have enough time and skill to contribute.

Eonfge avatar Aug 20 '19 21:08 Eonfge

Hi. This is indeed what we need for safe usage of WineHQ on Linux, to avoid its evils like viruses & spyware...

Please, when building the flatpak package for FlatHub, keep the following in mind: the real credential of WineHQ as a flatpak is the sandbox feature, which gives full security from viruses & spyware that can be run by WineHQ... This is of the same significance as providing a universal Linux package, or maybe more important.

Building WineHQ as a flatpak on FlatHub is not impossible & it is already done as a PR for Lutris, see: https://github.com/flathub/flathub/pull/1060 It is still not merged yet, but it is a matter of time only...

To me, I prefer suggestion number one by @Eonfge: "Compile Wine from scratch and include it in the main archive. This seems to be the most preferred way by Flatpak because that makes updating and integrity validation a lot easier"

If you provide a flatpak package then we can use WineHQ in a safe way as follows:

  1. create a new user account:
     sudo useradd -m -d /windows/data -s /bin/bash wineuser
     sudo passwd wineuser
     reboot
  2. disable wineuser from the ability to use sudo & su:
     a- sudo is already disabled by default on Fedora for any newly created user account, which is by default out of the wheel group
     b- disable any newly added user account from utilizing su by: sudo vi /etc/pam.d/su, then uncomment the following line: #auth required pam_wheel.so use_uid, then save & exit with :wq, then reboot
  3. make "wineuser" not able to use polkit. On the Cinnamon DE by: sudo setfacl -m u:wineuser:--- /usr/libexec/polkit-gnome-authentication-agent-1
  4. log in to the "wineuser" account, then install the q4wine application from FlatHub as a user using the "--user" flag: flatpak install --user flathub

Look how secure it will be! Look how safe it will be for Linux users! You will really do great work if you provide a flatpak package on FlatHub.

Nokia808 avatar Aug 23 '19 14:08 Nokia808

Please, when building the flatpak package for FlatHub, keep the following in mind: the real credential of WineHQ as a flatpak is the sandbox feature, which gives full security from viruses & spyware that can be run by WineHQ... This is of the same significance as providing a universal Linux package, or maybe more important.

Compatibility and security are my main ideas behind Flatpak.

  • Compatibility because every user can always have the latest version, without serious concerns about cross-distro library differences.
  • Security because of easy sandboxing and limited device and drive access

For Wine, the main risk is likely cryptolockers. Most evil code that targets Windows will not work on Linux, but cryptolockers are a known risk. Whatever we end up doing with Q4wine, it will be a lot easier to control access. I guess that by default, q4wine will only have read-write access to ~/.wine/ so that should solve 90% of all security risks. For usability, we might consider read access to the rest of ~/ but that's not something I'm too worried about right now.

Building WineHQ as a flatpak on FlatHub is not impossible & it is already done as a PR for Lutris, see: flathub/flathub#1060 It is still not merged yet, but it is a matter of time only...

This is some very valuable knowledge. Thanks for sharing. Q4wine could use large parts of the Lutris code because q4wine shares many ideas. I was already looking at the winepak project, but Lutris will have more in common.

Eonfge avatar Aug 23 '19 15:08 Eonfge

@Eonfge I'm happy that my comment helped you in the way to create flatpak package !

By the way, from my knowledge I know (please correct me if wrong) that installing a flatpak with the "--user" flag will make the package NOT able to touch anything outside the home directory of that user, isn't it?

Nokia808 avatar Aug 23 '19 18:08 Nokia808

Hi again. I now know the exact answer to my question in my previous comment, which was "whether a flatpak package that is installed with the "--user" flag can touch anything outside the home directory of the user account from which it was installed with the "--user" flag or not".

The answers here in these 2 links:

  1. last comment by TingPing: https://github.com/flathub/flathub/issues/1121#issuecomment-526272703
  2. discussion on Fedora community forum: https://forums.fedoraforum.org/showthread.php?322265-By-default-does-non-wheel-account-on-Fedora-able-to-touch-ouside-it-s-home-directory

So, it seems that when you finish the flatpak package & make it available in FlatHub, then installing it with the "--user" flag in a special restricted account (no sudo, no su, no polkit) as I described will be ideal.

However, I suggest that you apply your suggestion to make q4wine, by default, only have read-write access to ~/.wine/, so that should solve 90% of all security risks. For usability, we might consider read access to the rest of ~/ & make it optional for the user to change it so that it will have read-write access to ~/ as a whole, if she/he wishes for that, a case which is not so dangerous if she/he installed the flatpak package with the "--user" flag from within a user account not in the wheel group & without su, sudo, nor polkit powers...

We are waiting for your flatpak package .....

Nokia808 avatar Aug 30 '19 19:08 Nokia808

@Nokia808 that's not how it works. The "--user" flag controls only the path where the flatpak is installed (your home directory instead of /var/lib/flatpak), but has nothing to do with runtime permissions and isolation. If you run q4wine as user "foobar", then it doesn't matter if q4wine was installed with the "--user" flag or not; it will run as user "foobar" anyway. Also there are flatpak permissions like "access to host filesystem", so that you (or the maintainer) can limit the program's access to the home directory of user "foobar" even if it's running as user "foobar".

The whole point of flatpak is to stop messing around with "unprivileged users" and run software with any desired level of isolation from the host system and user data. And even if the maintainer of the flatpak has set the permission to access the home directory, you can revoke it with the "flatpak override" command any time.

iavael avatar Sep 01 '19 10:09 iavael

@iavael Dear, I already recognized what you mean & it is concluded from the following reply: https://github.com/flathub/flathub/issues/1121#issuecomment-526272703 The last comment by TingPing said: "It runs as your user, so it can do only what your user can do."

I concentrate now on the fact that the "--user" flag makes the flatpak available ONLY for the user from within which it was installed with the "--user" flag...

Suppose that I have 5 accounts on my PC:

  • Mike (in wheel group)
  • John (not in wheel)
  • Sera
  • Roben
  • Stanly (not in wheel & without su, nor sudo, nor polkit powers)

now if I installed Q4Wine from within "Stanly" using the "--user" flag, then Q4Wine will be available ONLY for "Stanly" & cannot be used by Roben or even Mike. I mean by this the following: if I run a Windows .exe file from within "Stanly" then it will run (by flatpak Q4Wine), but if I try to run (by double-clicking) an .exe file from within "Roben" or "Mike" then the .exe file will not run because Q4Wine is not available for any user other than "Stanly"... And since "Stanly" has no su, sudo or polkit powers, it will be safe even if the .exe file was a virus or other threat...

Yes, I was wrong when I thought that just by installing a flatpak with --user it will not be able to touch anything outside its user home directory. The correct answer is: https://forums.fedoraforum.org/showthread.php?322265-By-default-does-non-wheel-account-on-Fedora-able-to-touch-ouside-it-s-home-directory "By default a user can read+write to it's home path plus a few other places (for example /tmp). It will have read access to most places (for example, the user will probably want to run applications from /usr which in turn will need to use the libraries in /lib). The user would have neither read nor write to some places such as other users homes or security logs etc." So, if we just block a non-wheel user from using su & sudo & polkit, we will be safe...

Nokia808 avatar Sep 01 '19 20:09 Nokia808

@Nokia808 your assumptions are correct, but only in case you don't run software in flatpak. Yes, if software runs as your user, it can do only what your user can do, but that's only the maximum possible level of privileges, which applies when you use absolutely none of the isolation that flatpak provides you.

By default a user can read+write to it's home path

In case of a flatpak-ed app, it doesn't by default. Sure, the maintainer of the package can set the filesystem:home permission (as it's done in the q4wine flatpak), but you can override it any time.

If you want to limit access of q4wine to your personal home directory, set the "--nofilesystem=home --nofilesystem=host" override (if the maintainer lifted that default flatpak restriction) and call it a day. Just read http://docs.flatpak.org/en/latest/sandbox-permissions.html and flatpak-override(1) already and stop reinventing the wheel.

iavael avatar Sep 02 '19 09:09 iavael
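The permission model argued over in the last few comments (manifest finish-args set by the maintainer, "flatpak override" applied by the user, and Eonfge's earlier suggestion of read-write access only to ~/.wine/) is small enough to model in a few dozen lines. The following is an added example written for this thread; it is not code from the q4wine project, from brezerk's manifest, or from Flatpak itself. It parses the finish-args of a constructed sample manifest, applies override arguments on top the way flatpak does (later entries win), and flags the effective permissions that matter for a sandbox whose job is to run untrusted Windows binaries. The manifest contents, the HARDENED_OVERRIDES list and the severity labels are assumptions for illustration; the option names (--filesystem, --nofilesystem, --share, --unshare, --socket, --nosocket, --device, --nodevice, --talk-name, --no-talk-name) are real Flatpak syntax.

```python
"""Effective Flatpak sandbox permissions for a Wine front-end.

Added example for this thread, not code from q4wine or Flatpak.  Models the
subset of finish-args / flatpak override options discussed above, applies
overrides after the manifest (overrides win), and audits the result.
"""
import json
from dataclasses import dataclass, field

# Constructed sample manifest, NOT the one in brezerk's repository.  Only the
# app id, the runtime names and the option syntax are real Flatpak vocabulary.
SAMPLE_MANIFEST = json.loads("""
{
  "app-id": "ua.org.brezblock.Q4Wine",
  "runtime": "org.kde.Platform",
  "sdk": "org.kde.Sdk",
  "command": "q4wine",
  "inherit-extensions": ["org.freedesktop.Platform.Compat.i386"],
  "finish-args": [
    "--share=ipc", "--share=network",
    "--socket=x11", "--socket=pulseaudio",
    "--device=dri",
    "--filesystem=home",
    "--talk-name=org.freedesktop.Flatpak"
  ],
  "modules": []
}
""")

# Assumed override set in the spirit of the thread: no home access, no sandbox
# escape via the Flatpak D-Bus service, read-write only to the Wine prefix.
HARDENED_OVERRIDES = [
    "--nofilesystem=home",
    "--no-talk-name=org.freedesktop.Flatpak",
    "--filesystem=~/.wine",
]

# Positive option prefix and the negative form that removes the same entry.
_OPTIONS = {
    "share": ("--share=", "--unshare="),
    "socket": ("--socket=", "--nosocket="),
    "device": ("--device=", "--nodevice="),
    "filesystem": ("--filesystem=", "--nofilesystem="),
    "talk": ("--talk-name=", "--no-talk-name="),
}


@dataclass
class Permissions:
    share: set = field(default_factory=set)
    socket: set = field(default_factory=set)
    device: set = field(default_factory=set)
    filesystem: dict = field(default_factory=dict)  # path -> "rw" | "ro" | "create"
    talk: set = field(default_factory=set)

    def apply(self, args):
        """Apply finish-args or override args in order; a later negative form
        removes what an earlier positive form granted (simplified model)."""
        for arg in args:
            for key, (grant, revoke) in _OPTIONS.items():
                if arg.startswith(grant):
                    value = arg[len(grant):]
                    if key == "filesystem":
                        path, _, mode = value.partition(":")
                        self.filesystem[path] = mode or "rw"
                    else:
                        getattr(self, key).add(value)
                elif arg.startswith(revoke):
                    value = arg[len(revoke):]
                    if key == "filesystem":
                        self.filesystem.pop(value, None)
                    else:
                        getattr(self, key).discard(value)
        return self


def effective_permissions(manifest, overrides=()):
    """Manifest finish-args first, then user overrides, as flatpak run does."""
    return Permissions().apply(manifest.get("finish-args", [])).apply(overrides)


def audit(perms):
    """Findings (severity, message) relevant to a sandbox that runs Wine."""
    findings = []
    if "org.freedesktop.Flatpak" in perms.talk:
        findings.append(("critical", "talk-name=org.freedesktop.Flatpak: the app "
                         "can ask the host to spawn commands; the sandbox is moot"))
    if "all" in perms.device:
        findings.append(("high", "device=all: every /dev node is exposed"))
    broad = [p for p, m in perms.filesystem.items() if p in ("host", "home") and m != "ro"]
    for path in broad:
        findings.append(("high", f"filesystem={path} is writable: a cryptolocker "
                         "run under Wine can encrypt the user's files"))
    if not broad:
        findings.append(("info", "no writable home/host: Wine prefixes stay under "
                         "~/.var/app/<app-id> or the paths granted explicitly"))
    if "network" in perms.share:
        findings.append(("info", "share=network: Wine programs reach the network "
                         "(winetricks downloads need it)"))
    return findings


if __name__ == "__main__":
    for label, overrides in (("manifest defaults", ()), ("hardened", HARDENED_OVERRIDES)):
        print(f"== {label}")
        for severity, message in audit(effective_permissions(SAMPLE_MANIFEST, overrides)):
            print(f"  [{severity}] {message}")
```

The model deliberately ignores the user account the app runs as: as iavael says, that is irrelevant to what the sandbox allows. What it does show is that a user-side override such as "flatpak override --user --nofilesystem=home ua.org.brezblock.Q4Wine" removes a maintainer-granted home permission, and that "--filesystem=home:ro" is the halfway option Eonfge mentioned (read access to ~/ without letting a Wine process write there).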

sigh is there any documentation available on how to use these Sdk extensions? https://github.com/flatpak/flatpak/wiki/Extensions is not really helpful.

brezerk avatar Sep 09 '19 19:09 brezerk

mkay. so according to what I see, there is no Compat.i386 extension available for either org.freedesktop.Sdk or org.kde.Sdk

brezerk avatar Sep 09 '19 20:09 brezerk

ok. it apparently exists for freedesktop:

[ himera ] brezerk@pts/1:110  ~/develop/flatpack $
 09/10/19 00:03:15 EEST > flatpak info --show-extensions org.freedesktop.Platform.Compat.i386
          ID: org.freedesktop.Platform.Compat.i386
         Ref: runtime/org.freedesktop.Platform.Compat.i386/x86_64/18.08
        Arch: x86_64
      Branch: 18.08
      Origin: flathub
  Collection: org.flathub.Stable
Installation: system
   Installed: 479.6 MB

      Commit: f44d82a1465c6c399361659bde1aa0095f043d68200a0eddc54112e3dba907b1
      Parent: d8e071811ed9c5114dfe6de06a738e149c7a4df0a29f0e72a95ffb44838f7b28
     Subject: Export org.freedesktop.Platform.Compat.i386
        Date: 2019-09-05 15:02:38 +0000

As for KDE Sdk: https://bugs.kde.org/show_bug.cgi?id=411771

brezerk avatar Sep 09 '19 21:09 brezerk

hold on... it looks like you can use inherit-extensions instead

brezerk avatar Sep 09 '19 21:09 brezerk

mkay. there is some progress on this: https://github.com/brezerk/q4wine/commit/304f56dfb8f4409a8457b4a5cf487e2fb42663aa feel free to play around

brezerk avatar Sep 10 '19 00:09 brezerk

I recommend taking a look at the manifests of the following apps, which handle multilib environments in flatpak: https://github.com/flathub/org.phoenicis.playonlinux https://github.com/flathub/net.lutris.Lutris https://github.com/flathub/com.valvesoftware.Steam

Erick555 avatar Sep 19 '19 18:09 Erick555

Hey there. I've made a manifest for building Q4Wine flatpak in the past. It's able to produce a fully-working build, but is slightly outdated now. You can reuse it (partially or in whole) if you want.

gasinvein avatar Sep 23 '19 18:09 gasinvein

@gasinvein wow, nice job. thank you!

brezerk avatar Sep 25 '19 16:09 brezerk

@brezerk @Eonfge @iavael Hi all! I would like to bring your attention to the fact that, finally, the PR of Wine as a runner for Lutris has been merged! A repository has been created - see: https://github.com/flathub/net.lutris.Lutris.Runner.Wine

I wish this will help you in adding q4wine to FlatHub as a flatpak package.

Nokia808 avatar Nov 18 '19 16:11 Nokia808

@brezerk @Eonfge @iavael Hi. Any new progress on this topic, or does it seem that we are far away from seeing Q4Wine as a flatpak available in FlatHub?

Nokia808 avatar Apr 12 '20 12:04 Nokia808

@Nokia808 Building Q4Wine as a flatpak is easy, but handling Wine isn't. It poses several questions:

  • Should we bundle Wine with Q4Wine?
    • If so, which branch?
  • Should we support building Wine branches as extensions for the Q4Wine app?
    • If so, how many branches should we support - only stable/development/staging, or arbitrary builds (e.g. TKG/Proton)?

gasinvein avatar Apr 22 '20 13:04 gasinvein