Closed Bug 1901743 Opened 7 months ago Closed 15 days ago

Firefox flatpak provenance

Categories

(Firefox Build System :: Third Party Packaging, defect, P4)

Firefox 126
defect

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: fredybiehl, Unassigned)

Details

Steps to reproduce:

Trying to verify whether the Flatpak on Flathub really comes from Mozilla, beyond the "verified" statement on Flathub.

Actual results:

Except for the "verified" seal on Flathub, it is not clear how to evidence that the Flatpak is being built, released and maintained by Mozilla.

Expected results:

As a user installing Firefox using Flatpak, it would be nice to have evidence that such a package really comes from Mozilla.
A statement on Mozilla's website that the Flatpak is developed and supported by Mozilla (and not some random wrapper) would also help.
Also posted in community support: https://support.mozilla.org/en-US/questions/1449542

The Bugbug bot thinks this bug should belong to the 'Firefox Build System::Third Party Packaging' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Third Party Packaging
Product: Firefox → Firefox Build System

The severity field is not set for this bug.
:gerard-majax, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(lissyx+mozillians)
Severity: -- → S4
Flags: needinfo?(lissyx+mozillians) → needinfo?(jlorenzo)
Priority: -- → P4

> Except for the "verified" seal on Flathub, it is not clear how to evidence that the Flatpak is being built, released and maintained by Mozilla.

Looks like this is more of a question to report to Flathub itself; the badge mentions manual verification, but there are not many more details? Isn't that doc enough already? https://docs.flathub.org/docs/for-users/verification/

With the process being documented at https://docs.flathub.org/docs/for-app-authors/verification

Flags: needinfo?(fredybiehl)

(In reply to :gerard-majax from comment #4)

> > Except for the "verified" seal on Flathub, it is not clear how to evidence that the Flatpak is being built, released and maintained by Mozilla.
>
> Looks like this is more of a question to report to Flathub itself; the badge mentions manual verification, but there are not many more details? Isn't that doc enough already? https://docs.flathub.org/docs/for-users/verification/
>
> With the process being documented at https://docs.flathub.org/docs/for-app-authors/verification

Hi Gerard, thank you for looking into this.

Though it is nice that a specific ecosystem (Flathub) has a verification process established and documented, it does not evidence the relationship.

So, yes, perhaps that is something to improve on Flathub's side, but it's not the essential concern: from Mozilla's side, besides a blog post mentioned in the original report, there is no hard evidence that Flathub's Mozilla (sealed) package is the one to go for, produced and maintained by Mozilla.

Essentially, it would be great if this was clearly stated on Mozilla's website as a maintained and supported means of obtaining/installing FF.

Flags: needinfo?(fredybiehl)

(In reply to fredybiehl from comment #5)

> (In reply to :gerard-majax from comment #4)
>
> > > Except for the "verified" seal on Flathub, it is not clear how to evidence that the Flatpak is being built, released and maintained by Mozilla.
> >
> > Looks like this is more of a question to report to Flathub itself; the badge mentions manual verification, but there are not many more details? Isn't that doc enough already? https://docs.flathub.org/docs/for-users/verification/
> >
> > With the process being documented at https://docs.flathub.org/docs/for-app-authors/verification
>
> Hi Gerard, thank you for looking into this.
>
> Though it is nice that a specific ecosystem (Flathub) has a verification process established and documented, it does not evidence the relationship.
>
> So, yes, perhaps that is something to improve on Flathub's side, but it's not the essential concern: from Mozilla's side, besides a blog post mentioned in the original report, there is no hard evidence that Flathub's Mozilla (sealed) package is the one to go for, produced and maintained by Mozilla.

well, there's the "verified" seal, that's not nothing ...

> Essentially, it would be great if this was clearly stated on Mozilla's website as a maintained and supported means of obtaining/installing FF.

It's already mentioned on SUMO alongside all the other ones.

> well, there's the "verified" seal, that's not nothing ...

Not from Mozilla's side, sorry

> > Essentially, it would be great if this was clearly stated on Mozilla's website as a maintained and supported means of obtaining/installing FF.
>
> It's already mentioned on SUMO alongside all the other ones.

Can you link a reference to SUMO? Not sure what that is.
Thanks

(In reply to :gerard-majax from comment #3)

> Correct me if I'm wrong Johan, but this is done by that task right? https://searchfox.org/mozilla-central/rev/2f48061aef8c8976b73749ee845e7b85751f5f2f/taskcluster/kinds/release-flatpak-push/kind.yml

That's correct! This task pushes our Flatpak packages to Flathub. The creation of the Flatpak is handled in https://searchfox.org/mozilla-central/rev/2f48061aef8c8976b73749ee845e7b85751f5f2f/taskcluster/kinds/release-flatpak-repackage/kind.yml

Flags: needinfo?(jlorenzo)

(In reply to fredybiehl from comment #7)

> > well, there's the "verified" seal, that's not nothing ...
>
> Not from Mozilla's side, sorry

no, that's why I'm looking into that, but you need to admit it's not "nothing". If you don't trust Flathub's verification, whether the Flatpak is really being pushed by us or not does not matter IMHO. I also shared earlier the CI task that does the push to Flathub, but it's not really my area so I cannot vouch for it ...

> > > Essentially, it would be great if this was clearly stated on Mozilla's website as a maintained and supported means of obtaining/installing FF.
> >
> > It's already mentioned on SUMO alongside all the other ones.
>
> Can you link a reference to SUMO? Not sure what that is.
> Thanks

The link you asked about at first in https://support.mozilla.org/en-US/questions/1449542: https://support.mozilla.org/en-US/kb/install-firefox-linux

(In reply to :gerard-majax from comment #9)

> (In reply to fredybiehl from comment #7)
>
> > > well, there's the "verified" seal, that's not nothing ...
> >
> > Not from Mozilla's side, sorry
>
> no, that's why I'm looking into that, but you need to admit it's not "nothing". If you don't trust Flathub's verification, whether the Flatpak is really being pushed by us or not does not matter IMHO. I also shared earlier the CI task that does the push to Flathub, but it's not really my area so I cannot vouch for it ...

And, yes, trust in the Flathub ecosystem / process is a big deal in itself. Not the point here...

> The link you asked about at first in https://support.mozilla.org/en-US/questions/1449542: https://support.mozilla.org/en-US/kb/install-firefox-linux

Ok, this is helpful. Now I see that this page is also linked from the main download page at https://www.mozilla.org/en-US/firefox/all/#product-desktop-release when selecting Linux.

Though it specifically refers to deb packages only: "Using Debian, Ubuntu or any Debian-based distribution? You can set up our APT repository instead."

In the Flatpak section there could be a statement of assurance that this is maintained by Mozilla, and perhaps links to verification of that process.
Of course, just suggestions...

Thanks again for picking this up.

Hello fredybiehl!

Thank you for reporting this issue and for your involvement around Flatpak.

> Though it specifically refers to deb packages only

That's correct and that's by design for now. While Mozilla supports package formats like Flatpak and Snap, we are aware of the limitations they currently have for complex apps like web browsers[1]. We keep improving Firefox to be more compatible with the sandbox given by these packages. Still, we know some users on Flatpak and Snap are not able to get the full experience that Firefox can provide. That's why we currently prefer putting forward packages like Mozilla's .deb.

> In the Flatpak section there could be a statement of assurance that this is maintained by Mozilla, and perhaps links to verification of that process.

Would you mind expanding on this? I'm sorry, I'm confused about your request. The page on Flathub[2] reads Firefox by Mozilla. Therefore it is a statement from the Flathub admins that this app is maintained by Mozilla.

If you're interested in seeing more of how the package is made and published to Flathub, you can look there[3]. At the moment, you'll be able to see this packaging task[4] and this publication one[5]. From there, you can inspect the logs and check that what you get from Flathub comes from Mozilla. The release pipeline of Firefox is open so you can look up anything you want 🙂

I hope this helps clarify your concerns 🙂

[1] https://blog.mozilla.org/en/products/4-reasons-to-try-mozillas-new-firefox-linux-package-for-ubuntu-and-debian-derivatives/
[2] https://flathub.org/apps/org.mozilla.firefox
[3] https://treeherder.mozilla.org/jobs?repo=mozilla-release&searchStr=flatpak
[4] https://treeherder.mozilla.org/jobs?repo=mozilla-release&searchStr=flatpak&revision=c7bfb1e800e25153412ab2b70836fcbb090ba99e&selectedTaskRun=Wk9xM9N0T0ueaFa9pYHWWg.0
[5] https://treeherder.mozilla.org/jobs?repo=mozilla-release&searchStr=flatpak&revision=c7bfb1e800e25153412ab2b70836fcbb090ba99e&selectedTaskRun=Glw4BjB8SyeODrGIA-_vVg.0

Thank you for the references, I will explore.

(In reply to Johan Lorenzo [:jlorenzo] from comment #11)

> > In the Flatpak section there could be a statement of assurance that this is maintained by Mozilla, and perhaps links to verification of that process.
>
> Would you mind expanding on this? I'm sorry, I'm confused about your request. The page on Flathub[2] reads Firefox by Mozilla. Therefore it is a statement from the Flathub admins that this app is maintained by Mozilla.

On this, I was mostly searching for existing evidence the other way around: instead of Flathub alone sealing that it is coming from Mozilla, Mozilla's distribution page officially stating that the Flatpak package found on Flathub is built / published by Mozilla (and, even better, linking evidence of such a relationship).

Even though the option of installing it from Flathub is stated in this support post, it is never clearly stated that it is produced / maintained by Mozilla (same for Snap btw).

Thanks again

Where do you think the information should be posted? Download page or SUMO ? (it's not the same flow to fix)

Flags: needinfo?(fredybiehl)

A needinfo is requested from the reporter, however, the reporter is inactive on Bugzilla. Given that the bug is still UNCONFIRMED, closing the bug as incomplete.

For more information, please visit BugBot documentation.

Status: UNCONFIRMED → RESOLVED
Closed: 15 days ago
Flags: needinfo?(fredybiehl)
Resolution: --- → INCOMPLETE