AppImage build
Description
Add support (.yml config, etc.) for building a bubblejail AppImage package
Hello @12D687
What do you mean by AppImage package? Bubblejail packaged as an AppImage that can run root-installed applications, or AppImages with bubblejail sandboxing built in?
The first one "Bubblejail packaged as Appimage that can run root installed applications"
It may be possible but needs investigating. The obvious issue is that it would have to somehow hide its AppImage-mounted file system from the child processes it launches. However, bubblejail also has the sandbox PID 1, which would have to use the AppImage file system.
I had some rough ideas to upload bubblejail to PyPI so that it can be installed with pipx. bwrap would have to be installed by the user from the system repositories, but it should be available almost everywhere.
There is a project called pkg2appimage which uses .yml files to automate the AppImage build (https://github.com/AppImageCommunity/pkg2appimage/blob/master/YML.md). I don't know for sure if it works with bubblejail.
Building an AppImage is the simple part.
The hard part is integration. Because both AppImage and bubblejail deal with mounting they could interfere with each other.
Hi, unless bubblejail needs a SUID bubblewrap for something, it should be fairly easy to ship it in an AppImage with bubblewrap included as well.
See aisap, for example, where this is done.
@igo95862 You should update the PyPI package, it has been lagging behind for years.
> @igo95862 You should update the PyPI package, it has been lagging behind for years.
It is only there to hold place. There is a large warning on the PyPI page.
Yes, I understand, but the PyPI package will solve the issue if bubblejail cannot be built as an AppImage.
Yes, it is one of the ideas I had to make bubblejail installable with pipx: https://pipx.pypa.io/latest/
However, the big issue is that bubblejail relies on non-Python dependencies including bwrap, libseccomp and desktop-file-utils. Maybe the install script should just abort the installation if it does not find those dependencies.
> Maybe the install script should just abort the installation if it does not find those dependencies
Sounds like a reasonable failsafe. Or allow it to be installed and perform runtime checks for required dependencies? I'd vote for the latter.
Personally, I would love there to be an installable PyPI package that pulls in the required Python dependencies. sudo meson install makes me a bit queasy, as it's not clear exactly what will be installed and where, and whether uninstall really does remove everything (and safely at that). Kind of reminiscent of sudo checkinstall.
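
The runtime dependency check suggested in the thread, as an added example (not bubblejail's own code). The function and class names are hypothetical, probing desktop-file-utils through `update-desktop-database` and libseccomp through `ctypes.util.find_library` are assumptions, and the report also records whether the `bwrap` it found is setuid, the case raised in the AppImage comment.

```python
import ctypes.util
import os
import shutil
import stat
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: one executable stands in for each non-Python package.
REQUIRED_EXECUTABLES = {
    "bubblewrap": "bwrap",
    "desktop-file-utils": "update-desktop-database",
}
# Assumption: libseccomp is located through the normal linker search.
REQUIRED_LIBRARIES = {"libseccomp": "seccomp"}


@dataclass
class DependencyReport:
    missing: List[str] = field(default_factory=list)
    bwrap_path: Optional[str] = None
    bwrap_is_setuid: bool = False

    @property
    def ok(self) -> bool:
        return not self.missing


def check_runtime_dependencies(which=shutil.which,
                               find_library=ctypes.util.find_library,
                               stat_fn=os.stat) -> DependencyReport:
    """Collect every missing dependency instead of failing on the first."""
    report = DependencyReport()
    for package, exe in REQUIRED_EXECUTABLES.items():
        path = which(exe)
        if path is None:
            report.missing.append(package)
        elif exe == "bwrap":
            report.bwrap_path = path
            # Record the setuid bit so the caller can tell which bwrap mode is in use.
            report.bwrap_is_setuid = bool(stat_fn(path).st_mode & stat.S_ISUID)
    for package, lib in REQUIRED_LIBRARIES.items():
        if find_library(lib) is None:
            report.missing.append(package)
    return report


if __name__ == "__main__":
    result = check_runtime_dependencies()
    if not result.ok:
        sys.exit("missing system dependencies: " + ", ".join(result.missing))
    print(f"bwrap: {result.bwrap_path} (setuid: {result.bwrap_is_setuid})")
```

The lookups are injectable so the check can be exercised without touching the host system.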