
Re: ungoogled-chromium?



On Tue, 07 Dec 2021 at 23:08:41 +0100, Bastian Blank wrote:
> On Tue, Dec 07, 2021 at 10:45:27PM +0100, Vincent Bernat wrote:
> > Flatpak compiles it
> > from source (while UngoogledChromium let contributors compile it and
> > publish the binary because GitHub CI does not allow such resource-heavy
> > build).
> 
> You mean the builds of the Flatpak stuff are not properly controlled?  But
> instead done, uncontrolled, by contributors?

I think there is some confusion here.

Flatpak is a piece of software (like apt/dpkg), not an organization or
provider of compiled software (like Debian). Anyone can host a Flatpak
repository, and you can deliver almost anything in Flatpak format (safe
or not, Free or not, compiled from source or not), just like you can
put almost anything in a .deb package.

Flathub is a major build and distribution service for Flatpak apps,
in the same way that Debian and Launchpad are major providers of .deb
packages. Perhaps a closer parallel is that if Flatpak is like the
Android app framework, then Flathub is like the Google Play store:
you can use Flatpak without using Flathub at all, but most Flatpak
users are using Flathub for at least some of their apps. If you think
you have installed an app "from Flatpak" without any further details,
it is probably from Flathub.

Flathub generally requires builds to be done on Flathub's
infrastructure, from source code if possible, in the same way Debian
generally requires builds to be done on buildds, from source if possible.
(Like Debian, it makes an exception for binary-only non-free software
where no public source code is available.)

At least one package on Flathub is built on third-party infrastructure
and directly contributed as binaries even though it is open-source.
The only example I'm aware of is Firefox, which is built by
Mozilla's CI and provided to Flathub as binaries.

I believe what Vincent meant is that the generic non-Flatpak binaries
provided by the "Ungoogled Chromium" project are compiled on unknown
machines and require trusting their submitters, whereas the Flatpak
binaries provided by Flathub are compiled from the same source
code provided by the "Ungoogled Chromium" project, but compiled on
Flathub infrastructure. Here's an example of a build log from Flathub
building Ungoogled Chromium, which does look like it came from source
code (at least superficially, I haven't examined it in detail):
https://flathub.org/builds/#/builders/12/builds/8123

It is possible that the "Ungoogled Chromium" Flatpak build on Flathub
takes some parts as prebuilt binaries while compiling other parts from
first principles. Someone would have to inspect the build in detail to
find out, the same way it isn't trivial to tell from looking at a Debian
package whether it is fully built-from-source or not.

However, when a Flatpak app is compiled using flatpak-builder (which is
what Flathub uses), the build is done in a sandbox that does not allow
network access; so we can be sure that if the "Ungoogled Chromium" build
contains prebuilt binaries, those prebuilt binaries must have been part
of one of the "source" components listed in the JSON or YAML manifest
that drives the build. This is similar to building a Debian package
with `pbuilder build --network no` [1], and then being able to inspect the
orig.tar.* and debian.tar.* to look for any prebuilt binaries that might
have been used.

    smcv

[1] but not sbuild (#802850): our policy forbids network access during
    build but our official infrastructure currently does not technically
    prevent it

