System runtimes considered unused even though they are used by user apps

[bochecha]

Linux distribution and version

Fedora 30

Flatpak version

flatpak-1.2.4-2.fc30.x86_64

Description of the problem

When --system runtimes are only used by --user apps, then Flatpak considers the runtimes unused.

Steps to reproduce

Install an application, it gets installed as --system by default:

$ flatpak install flathub org.gnome.Documents

At this point, realize you would have preferred to install it as --user, so uninstall and reinstall:

$ flatpak uninstall org.gnome.Documents
$ flatpak install --user flathub org.gnome.Documents

The app works just fine: Flatpak uses the system runtime even though the app is installed for the user.

However:

$ flatpak uninstall --unused


        ID                                Arch           Branch
 1.     org.gnome.Platform                x86_64         3.32
 2.     org.gnome.Platform.Locale         x86_64         3.32

Proceed with these changes to the Default system installation? [Y/n]: 

Proceeding would break the installed app, as it would find itself without a supporting runtime.

If Flatpak can run a --user app in a --system runtime, then it shouldn't consider the runtime unused.

[alexlarsson]

There is no real way we can check this. Any random user could use a runtime in a per-user install. We can't scan all homedirectories, not to mention the security issues involved in that.

[alexlarsson]

I mean, we could check it against your per-user apps, but it will not help a multi-user setup, or the case when root runs the uninstall.

[bochecha]

I mean, we could check it against your per-user apps, but it will not help a multi-user setup, or the case when root runs the uninstall.

Indeed. That would probably solve the most common scenario (single-user machine) though?

The whole thing seems a bit far-fetched to be honest, I'm not sure how many people would actually do something like that. However it actually happened to someone who was very confused by this and it took a while to figure out what was going on over IRC.

[matthiasclasen]

I mean, we could check it against your per-user apps, but it will not help a multi-user setup, or the case when root runs the uninstall.

I think thats the best-effort thing we should do.

We should perhaps also recognize the situation (uninstalling system-wide runtimes) and print a warning like:

"These runtimes may be used by user-installed applications, are you sure you want to remove them?"

[alexlarsson]

Also, the check would have to handle the case where the user install also has the runtime installed, because then its safe to uninstall the system one.

[AdrianVovk]

Instead of the system install scanning all the user installs, we'd instead have each user install to tell the system install that it's using the runtime (like pinning the runtime, w/ a reference count)

So whenever any user install uses a system runtime, it increases a reference count on the runtime in the system-wide installation. Then uninstall --unused doesn't touch things w/ a refcount > 0. However, there could be an uninstall --unused --ignore-refcount option to allow the sysadmin to force the transaction (for instance, if a certain user hasn't logged in & updated their apps in many months)

[chrisawi]

It appears that Flatpak does check the invoking user's user installation since https://github.com/flatpak/flatpak/pull/3871. I'm not sure if we should leave this open for the multi-user case.