Firefox flatpak provenance
Categories
(Firefox Build System :: Third Party Packaging, defect, P4)
Tracking
(Not tracked)
People
(Reporter: fredybiehl, Unassigned)
Details
Steps to reproduce:
Trying to verify whether the flatpak on Flathub really comes from Mozilla, beyond the "verified" statement on Flathub.
Actual results:
Except for the "verified" seal on Flathub, it is not clear how to evidence that the flatpak is being built, released and maintained by Mozilla.
Expected results:
As a user installing Firefox using flatpak, it would be nice to have evidence that such a package really comes from Mozilla.
A statement on Mozilla's website that the flatpak is developed and supported by Mozilla (and not some random wrapper) would also help.
Also posted in community support: https://support.mozilla.org/en-US/questions/1449542
Comment 1•7 months ago
The Bugbug bot thinks this bug should belong to the 'Firefox Build System::Third Party Packaging' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•7 months ago
The severity field is not set for this bug.
:gerard-majax, could you have a look please?
For more information, please visit BugBot documentation.
Comment 3•7 months ago
Correct me if I'm wrong Johan, but this is done by that task right? https://searchfox.org/mozilla-central/rev/2f48061aef8c8976b73749ee845e7b85751f5f2f/taskcluster/kinds/release-flatpak-push/kind.yml
Comment 4•7 months ago
> Except for "verified" seal on flathub, it is not clear how to evidence that flatpak is being built, released and maintained by mozilla.
Looks like this is more of a question to report to Flathub itself, the badge mentions manual verification, but there is not much more details? Isn't that doc enough already ? https://docs.flathub.org/docs/for-users/verification/
With the process being documented at https://docs.flathub.org/docs/for-app-authors/verification
Reporter
Comment 5•7 months ago
(In reply to :gerard-majax from comment #4)
> Except for "verified" seal on flathub, it is not clear how to evidence that flatpak is being built, released and maintained by mozilla.
> Looks like this is more of a question to report to Flathub itself, the badge mentions manual verification, but there is not much more details? Isn't that doc enough already ? https://docs.flathub.org/docs/for-users/verification/
> With the process being documented at https://docs.flathub.org/docs/for-app-authors/verification
Hi Gerard, thank you for looking into this.
Though it is nice that a specific ecosystem (Flathub) has a verification process established and documented, it does not evidence the relationship.
So, yes, perhaps that is something to improve on Flathub's side, but it's not the essential concern: from Mozilla's side, besides a blog post mentioned in the original report, there is no hard evidence that Flathub's (sealed) Mozilla package is the one to go for, produced and maintained by Mozilla.
Essentially it would be great if this was clearly stated on Mozilla's website as a maintained and supported means of obtaining/installing FF.
Comment 6•7 months ago
(In reply to fredybiehl from comment #5)
> (In reply to :gerard-majax from comment #4)
>> Except for "verified" seal on flathub, it is not clear how to evidence that flatpak is being built, released and maintained by mozilla.
>> Looks like this is more of a question to report to Flathub itself, the badge mentions manual verification, but there is not much more details? Isn't that doc enough already ? https://docs.flathub.org/docs/for-users/verification/
>> With the process being documented at https://docs.flathub.org/docs/for-app-authors/verification
> Hi Gerard, thank you for looking into this.
> Though it is nice that a specific ecosystem (Flathub) has a verification process established and documented, it does not evidence the relationship.
> So, yes, perhaps that is something to improve on Flathub's side, but it's not the essential concern: from Mozilla's side, besides a blog post mentioned in the original report, there is no hard evidence that Flathub's (sealed) Mozilla package is the one to go for, produced and maintained by Mozilla.
well, there's the "verified" seal, that's not nothing ...
> Essentially it would be great if this was clearly stated on Mozilla's website as a maintained and supported means of obtaining/installing FF.
It's already mentioned on SUMO alongside all the other ones.
Reporter
Comment 7•7 months ago
> well, there's the "verified" seal, that's not nothing ...
Not from Mozilla's side, sorry
>> Essentially it would be great if this was clearly stated on Mozilla's website as a maintained and supported means of obtaining/installing FF.
> It's already mentioned on SUMO alongside all the other ones.
Can you link a reference to SUMO? Not sure what that is.
Thanks
Comment 8•7 months ago
(In reply to :gerard-majax from comment #3)
> Correct me if I'm wrong Johan, but this is done by that task right? https://searchfox.org/mozilla-central/rev/2f48061aef8c8976b73749ee845e7b85751f5f2f/taskcluster/kinds/release-flatpak-push/kind.yml
That's correct! This task pushes our Flatpak packages to Flathub. The creation of the Flatpak is handled in https://searchfox.org/mozilla-central/rev/2f48061aef8c8976b73749ee845e7b85751f5f2f/taskcluster/kinds/release-flatpak-repackage/kind.yml
Updated•7 months ago
Comment 9•7 months ago
(In reply to fredybiehl from comment #7)
>> well, there's the "verified" seal, that's not nothing ...
> Not from Mozilla's side, sorry
No, that's why I'm looking into that, but you need to admit it's not "nothing". If you don't trust Flathub's verification, whether the Flatpak is really being pushed by us or not does not matter IMHO. I also shared earlier the CI task that does the push to Flathub, but it's not really my area so I cannot vouch for it ...
>>> Essentially it would be great if this was clearly stated on Mozilla's website as a maintained and supported means of obtaining/installing FF.
>> It's already mentioned on SUMO alongside all the other ones.
> Can you link a reference to SUMO? Not sure what that is.
> Thanks
The link you asked about at first in https://support.mozilla.org/en-US/questions/1449542: https://support.mozilla.org/en-US/kb/install-firefox-linux
Reporter
Comment 10•7 months ago
(In reply to :gerard-majax from comment #9)
> (In reply to fredybiehl from comment #7)
>>> well, there's the "verified" seal, that's not nothing ...
>> Not from Mozilla's side, sorry
> No, that's why I'm looking into that, but you need to admit it's not "nothing". If you don't trust Flathub's verification, whether the Flatpak is really being pushed by us or not does not matter IMHO. I also shared earlier the CI task that does the push to Flathub, but it's not really my area so I cannot vouch for it ...
And, yes, trust in the Flathub ecosystem / process is a big deal in itself. Not the point here...
> The link you asked about at first in https://support.mozilla.org/en-US/questions/1449542: https://support.mozilla.org/en-US/kb/install-firefox-linux
Ok, this is helpful. Now I see that this page is also linked in the main download page of https://www.mozilla.org/en-US/firefox/all/#product-desktop-release when selecting linux.
Though it specifically refers to deb packages only: "Using Debian, Ubuntu or any Debian-based distribution? You can set up our APT repository instead."
In the flatpak section there could be a statement of assurance that this is maintained by Mozilla and perhaps links to verification of that process.
Of course, just suggestions...
Thanks again for picking this up.
Comment 11•7 months ago
Hello fredybiehl!
Thank you for reporting this issue and for your involvement around Flatpak.
> Though it specifically refers to deb packages only
That's correct and that's by design for now. While Mozilla supports package formats like Flatpak and Snap, we are aware of the limitations they currently have for complex apps like web browsers[1]. We keep improving Firefox to be more compatible with the sandbox given by these packages. However, we know some users on Flatpak and Snap are not able to get the full experience that Firefox can provide. That's why we currently prefer putting forward packages like Mozilla's .deb.
> In the flatpak section there could be a statement of assurance that this is maintained by Mozilla and perhaps links to verification of that process.
Would you mind expanding on this? I'm sorry, I'm confused about your request. The page on Flathub[2] reads "Firefox by Mozilla". Therefore it is a statement from the Flathub admins that this app is maintained by Mozilla.
If you're interested in seeing more how the package is made and published to Flathub, you can look there[3]. At the moment, you'll be able to see this packaging task[4] and this publication one[5]. From there, you can inspect the logs and check that what you get from Flathub comes from Mozilla. The release pipeline of Firefox is open so you can look up anything you want 🙂
I hope this helps clarify your concerns 🙂
[1] https://blog.mozilla.org/en/products/4-reasons-to-try-mozillas-new-firefox-linux-package-for-ubuntu-and-debian-derivatives/
[2] https://flathub.org/apps/org.mozilla.firefox
[3] https://treeherder.mozilla.org/jobs?repo=mozilla-release&searchStr=flatpak
[4] https://treeherder.mozilla.org/jobs?repo=mozilla-release&searchStr=flatpak&revision=c7bfb1e800e25153412ab2b70836fcbb090ba99e&selectedTaskRun=Wk9xM9N0T0ueaFa9pYHWWg.0
[5] https://treeherder.mozilla.org/jobs?repo=mozilla-release&searchStr=flatpak&revision=c7bfb1e800e25153412ab2b70836fcbb090ba99e&selectedTaskRun=Glw4BjB8SyeODrGIA-_vVg.0
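Alongside inspecting the Treeherder logs of the packaging and publication tasks, the other half of the picture is what a user can check on the machine that installed the package. The script below is an added example written for this page; it is not code from Mozilla, Flathub or the bug report. It assumes a flatpak CLI that supports `--columns` and `--show-origin`, a remote named `flathub`, and the Flathub repository URL `https://dl.flathub.org/repo/`. It checks that `org.mozilla.firefox` was installed from that remote (not sideloaded from a `.flatpak` bundle or from a remote that merely reuses the name), that the remote actually points at Flathub, and that the installed OSTree commit is the one Flathub currently serves. The `assess` function takes the command outputs as arguments so it can be exercised with constructed input; `live_check` feeds it real `flatpak` output when the CLI is present.

```shell
#!/bin/sh
# Added example (not Mozilla's or Flathub's code): user-side provenance checks for the
# installed org.mozilla.firefox flatpak. Assumptions: the flatpak CLI supports
# `--columns` and `--show-origin` (1.2+), the Flathub remote is named "flathub"
# and the Flathub repository URL is https://dl.flathub.org/repo/ .
set -u

APP_ID="org.mozilla.firefox"
EXPECTED_REMOTE="flathub"
EXPECTED_URL="https://dl.flathub.org/repo/"

# remote_url_ok NAME LISTING
#   LISTING is the output of `flatpak remotes --columns=name,url` (one "name url"
#   pair per line). Returns 0 only if NAME is present and maps to EXPECTED_URL,
#   so a locally added remote that merely reuses the name "flathub" is rejected.
remote_url_ok() {
    printf '%s\n' "$2" | awk -v n="$1" -v u="$EXPECTED_URL" '
        $1 == n { found = 1; if ($2 == u) ok = 1 }
        END     { if (found && ok) exit 0; exit 1 }'
}

# assess ORIGIN LISTING LOCAL_COMMIT REMOTE_COMMIT
#   ORIGIN        output of `flatpak info --show-origin $APP_ID`
#   LISTING       output of `flatpak remotes --columns=name,url`
#   LOCAL_COMMIT  output of `flatpak info --show-commit $APP_ID`
#   REMOTE_COMMIT output of `flatpak remote-info --show-commit $ORIGIN $APP_ID`
# Prints one PASS/FAIL line per check and returns 0 only if all three pass.
assess() {
    origin=$1; listing=$2; local_commit=$3; remote_commit=$4
    rc=0

    # 1. The app was installed from the expected remote, not from a sideloaded
    #    .flatpak bundle or from a remote someone added under another name.
    if [ "$origin" = "$EXPECTED_REMOTE" ]; then
        echo "PASS origin remote is '$EXPECTED_REMOTE'"
    else
        echo "FAIL origin remote is '$origin', expected '$EXPECTED_REMOTE'"; rc=1
    fi

    # 2. That remote really is Flathub's repository.
    if remote_url_ok "$origin" "$listing"; then
        echo "PASS remote '$origin' points at $EXPECTED_URL"
    else
        echo "FAIL remote '$origin' does not point at $EXPECTED_URL"; rc=1
    fi

    # 3. The installed OSTree commit is the one Flathub currently serves. A mismatch
    #    usually just means a pending update. Note that none of these checks prove
    #    who built the package; that rests on Flathub's signed repository and on
    #    Flathub's own verification of the publisher.
    if [ -n "$local_commit" ] && [ "$local_commit" = "$remote_commit" ]; then
        echo "PASS installed commit $local_commit matches what '$origin' serves"
    else
        echo "FAIL installed commit '$local_commit' != remote commit '$remote_commit'"; rc=1
    fi
    return $rc
}

# Live run against the local flatpak installation (skipped when flatpak is absent).
live_check() {
    origin=$(flatpak info --show-origin "$APP_ID" 2>/dev/null || true)
    listing=$(flatpak remotes --columns=name,url 2>/dev/null || true)
    local_commit=$(flatpak info --show-commit "$APP_ID" 2>/dev/null || true)
    remote_commit=$(flatpak remote-info --show-commit "$origin" "$APP_ID" 2>/dev/null || true)
    assess "$origin" "$listing" "$local_commit" "$remote_commit"
}

if command -v flatpak >/dev/null 2>&1; then
    live_check
fi
```

A failing commit check is not by itself a sign of tampering: the same result appears when an update is pending, and after `flatpak update` it should pass again. What the script cannot do is tie the commit back to a specific Mozilla CI run; for that you are back to the task logs linked above and to Flathub's verification of the publisher.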
Reporter
Comment 12•7 months ago
Thank you for the references, I will explore.
(In reply to Johan Lorenzo [:jlorenzo] from comment #11)
> In the flatpak section there could be a statement of assurance that this is maintained by Mozilla and perhaps links to verification of that process.
> Would you mind expanding on this? I'm sorry, I'm confused about your request. The page on Flathub[2] reads "Firefox by Mozilla". Therefore it is a statement from the Flathub admins that this app is maintained by Mozilla.
On this, I was mostly searching for existing evidence the other way around: instead of Flathub alone sealing that it is coming from Mozilla, Mozilla's distribution page officially stating that the flatpak package found on Flathub is built / published by Mozilla (and, even better, linking evidence for such a relationship).
Even though the option of installing it from Flathub is stated in this support post, it is never clearly stated that it is produced / maintained by Mozilla (same for snap, btw).
Thanks again
Comment 13•7 months ago
Where do you think the information should be posted? Download page or SUMO? (It's not the same flow to fix.)
Comment 14•15 days ago
A needinfo is requested from the reporter, however, the reporter is inactive on Bugzilla. Given that the bug is still UNCONFIRMED, closing the bug as incomplete.
For more information, please visit BugBot documentation.