flatpak and flathub, proven and good way to get software? - e.g. elements chat (matrix network and platform)
Dear support,

more questions by a noob with linux and desktop. The elements chat (formerly riot chat) for the matrix ecosystem and network, seems to be available via flatpak flathub according to <https://element.io/get-started#linux-details>

And digging via zypper or looking for native (?) packages for opensuse didn't bring up much current or maintained stuff?

Then I also discovered the GUI interface in KDE called KDE Discover <https://apps.kde.org/de/discover/> which also has an interface to flatpak or such.

Now I wonder how I would use a permanent and most up-to-date element chat instance in the best way on a current opensuse leap.

Thanks for sharing your experiences and knowledge about what's proven and what not and best practices and all. ty.
* cagsm <cumandgets0mem00f@gmail.com> [06-13-22 10:43]:
Dear support,
more questions by a noob with linux and desktop. The elements chat (formerly riot chat) for the matrix ecosystem and network, seems to be available via flatpak flathub according to
<https://element.io/get-started#linux-details>
And digging via zypper or looking for native (?) packages for opensuse didn't bring up much current or maintained stuff?
Then I also discovered the GUI interface in KDE called KDE Discover <https://apps.kde.org/de/discover/>
which also has an interface to flatpak or such.
Now I wonder how I would use a permanent and most up-to-date element chat instance in the best way on a current opensuse leap.
Thanks for sharing your experiences and knowledge about what's proven and what not and best practices and all. ty.
imnsho: *always* utilize packages built specifically for your installed system. *only* use "flatpack/or ..." when there is absolutely no other available solution.

use https://software.opensuse.org/search
there is an element-web package available, A glossy Matrix collaboration client - web files

--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet oftc
On Mon, Jun 13, 2022 at 8:41 PM Patrick Shanahan <paka@opensuse.org> wrote:
more questions by a noob with linux and desktop. The elements chat (formerly riot chat) for the matrix ecosystem and network, seems to be available via flatpak flathub according to
imnsho: *always* utilize packages built specifically for your installed system. *only* use "flatpack/or ..." when there is absolutely no other available solution. use https://software.opensuse.org/search
I really must have missed these results, I did look for them :( Thanks for pointing it out: <https://software.opensuse.org/package/matrix-element-web>

How about the community provided packages on these repositories and in the opensuse universe, how trustworthy are these builds and compilations? Are there some safeguards against misuse and malicious code compilation or such things in the build infrastructure of opensuse, or are there always multiple people guarding and owning these projects and packages or how does all this work? do I just trust this repository or project, oneclick install etc? thanks also for all the thread's answers.

I wonder if flatpak would be a different approach to this trust issue and if maybe flatpak software has some kind of encapsulation or containerisation (or what it could be called and technically designed these days?), barriers and "virtualisation" of processes and access rights and such stuff against malicious software, so that the local system would be less compromised? or are there no such features inside flatpak? Or is the opensuse apparmor the means and place to look for more restrictions, safety and lockdown of such community packages or something? ty a lot.
* cagsm <cumandgets0mem00f@gmail.com> [06-14-22 07:06]:
On Mon, Jun 13, 2022 at 8:41 PM Patrick Shanahan <paka@opensuse.org> wrote:
more questions by a noob with linux and desktop. The elements chat (formerly riot chat) for the matrix ecosystem and network, seems to be available via flatpak flathub according to
imnsho: *always* utilize packages built specifically for your installed system. *only* use "flatpack/or ..." when there is absolutely no other available solution. use https://software.opensuse.org/search
I really must have missed these results, I did look for them :( Thanks for pointing it out: <https://software.opensuse.org/package/matrix-element-web>
How about the community provided packages on these repositories and in the opensuse universe, how trustworthy are these builds and compilations? Are there some safeguards against misuse and malicious code compilation or such things in the build infrastructure of opensuse, or are there always multiple people guarding and owning these projects and packages or how does all this work? do I just trust this repository or project, oneclick install etc?
how safe are you walking across the street?

that said, I use several "community" projects owned by individuals I trust. I use zypper and add repos. I do not use "oneclick", but manually dl and install.
On Tue, Jun 14, 2022 at 3:12 PM Patrick Shanahan <paka@opensuse.org> wrote:
How about the community provided packages on these repositories and in the opensuse universe, how trustworthy are these builds and compilations? Are there some safeguards against misuse and malicious code compilation or such things in the build infrastructure of opensuse, or are there always multiple people guarding and owning these projects and packages or how does all this work? do I just trust this repository or project, oneclick install etc?
how safe are you walking across the street?
well I am trying to find some ways and starting points to bootstrap into this universe. The zypper says I need to check the trust before accepting it e.g. via some other ways to acquire the author's pgp key for example via the homepage. seriously how to establish and start trust from scratch? this is software running on the machine after all. I may trust the opensuse distro, I tried to verify downloads isos opensuse keys and stuff. So how to extend trust to this author's packages?

first:

    sudo zypper addrepo https://download.opensuse.org/repositories/home:ecsos:messenger:matrix/15.4/...
    Adding repository 'An open network for secure, decentralized communication. (15.4)' ..........[done]
    Repository 'An open network for secure, decentralized communication. (15.4)' successfully added
    URI         : https://download.opensuse.org/repositories/home:/ecsos:/messenger:/matrix/15...
    Enabled     : Yes
    GPG Check   : Yes
    Autorefresh : No
    Priority    : 99 (default priority)
    Repository priorities are without effect. All enabled repositories share the same priority.

then:

    sudo zypper ref
    New repository or package signing key received:
    Repository:       An open network for secure, decentralized communication. (15.4)
    Key Fingerprint:  B302 1BFB 9FA8 05CD E0DA EA33 CFFB A00A 8B66 2DFB
    Key Name:         home:ecsos OBS Project <home:ecsos@build.opensuse.org>
    Key Algorithm:    RSA 2048
    Key Created:      Sun 05 Sep 2021 10:29:07 AM CEST
    Key Expires:      Tue 14 Nov 2023 09:29:07 AM CET
    Rpm Name:         gpg-pubkey-8b662dfb-61347fd3

    Note: Signing data enables the recipient to verify that no modifications occurred after the data were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system and in extreme cases even to a system compromise.
    Note: A GPG pubkey is clearly identified by it's fingerprint. Do not rely the keys name.
    If you are not sure whether the presented key is authentic, ask the repository provider or check his web site. Many provider maintain a web page showing the fingerprints of the GPG keys they are using.
    Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r):

All i find so far is this user who has a lot of projects on the build infrastructure of opensuse, so this might mean this author is very capable and knowledgeable. so far so good. but how to verify this key and the bits? <https://build.opensuse.org/users/ecsos> I don't see homepages or other means and other main sources of authority for keys? or how is this supposed to work? how to establish trust to this author and its produce?
I do not use "oneclick", but manually dl and install.
about this oneclick, I was actually thinking this would also simply add this one repo of "ecsos" and prepare zypp, but when selecting that oneclick stuff from the pages at <https://software.opensuse.org/ymp/home:ecsos:messenger:matrix/openSUSE_Tumbleweed/matrix-element-web.ymp?base=openSUSE%3AFactory&query=matrix-element-web> or <https://software.opensuse.org/download/package?package=matrix-element-web&project=home%3Aecsos%3Amessenger%3Amatrix> a yast repositories gui comes up and it kind of shows like tens of repos it's trying to add, a lot of stuff, scary to me? <https://paste.opensuse.org/46477611>

Why this huge difference to that single repo that is given in the expert details on software opensuse org? Thank you a lot.
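The zypper prompt above says it itself: a key is identified by its fingerprint, not by its name, and the fingerprint has to be confirmed somewhere other than the repository that delivered it (the project's web page, a machine that already has the key, or a signature from someone whose key you trust; the OBS project key can also be fetched through the OBS API or, as far as I know, `osc signkey PROJECT`). The following script is an added example for this thread and is not part of the original posts, of zypper or of OBS. It takes the prompt text as zypper printed it, compares the full 160-bit fingerprint against a pinned value, and additionally checks that the `Rpm Name` field is consistent with the fingerprint (rpm names imported keys `gpg-pubkey-<low 32 bits of the key id>-<creation time as hex unix timestamp>`, so the short id must equal the last eight hex digits of the fingerprint and the timestamp must match the `Key Created` line). The sample prompt is the one pasted above; the pinned fingerprint is copied from that same paste and is therefore explicitly not an independent verification, which is the whole point the thread is circling around.

```python
"""Decide the zypper key prompt on the fingerprint alone.

Added example for this thread; not part of the original posts, of zypper or
of OBS. The sample prompt text is the block pasted in the thread. The PINNED
entry is copied from that same paste and is therefore NOT an independent
check: in real use it must come from a second channel (project web page, a
machine you already trust, a key signed by someone you trust).
"""
import re
from datetime import datetime, timezone

# Constructed sample: the prompt block as quoted in the thread.
ZYPPER_PROMPT = """\
New repository or package signing key received:
Repository: An open network for secure, decentralized communication. (15.4)
Key Fingerprint: B302 1BFB 9FA8 05CD E0DA EA33 CFFB A00A 8B66 2DFB
Key Name: home:ecsos OBS Project <home:ecsos@build.opensuse.org>
Key Algorithm: RSA 2048
Key Created: Sun 05 Sep 2021 10:29:07 AM CEST
Key Expires: Tue 14 Nov 2023 09:29:07 AM CET
Rpm Name: gpg-pubkey-8b662dfb-61347fd3
"""

# Assumption: fingerprints you confirmed out of band, keyed by an alias of
# your choosing. Only the full fingerprint is compared; the key name is free
# text (anyone can create a key named "home:ecsos OBS Project") and is
# deliberately not part of the decision.
PINNED = {
    "home:ecsos": "B302 1BFB 9FA8 05CD E0DA EA33 CFFB A00A 8B66 2DFB",
}


def normalize_fpr(text):
    """Drop spaces/colons and upper-case so formatting differences don't matter."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def parse_key_prompt(text):
    """Return the 'Field: value' lines of a zypper key prompt as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def rpm_name_matches_fingerprint(fields):
    """rpm stores an imported key as gpg-pubkey-<keyid>-<created>, where
    <keyid> is the low 32 bits of the key ID, i.e. the last 8 hex digits of
    the fingerprint. A prompt whose rpm name and fingerprint disagree is
    internally inconsistent and must not be accepted."""
    fpr = normalize_fpr(fields.get("Key Fingerprint", ""))
    m = re.fullmatch(r"gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})",
                     fields.get("Rpm Name", ""))
    return bool(m) and len(fpr) == 40 and m.group(1).upper() == fpr[-8:]


def rpm_creation_time_utc(fields):
    """The second hex field of the rpm name is the key creation time as a
    Unix timestamp. Return it as 'YYYY-MM-DD HH:MM:SS' in UTC so it can be
    checked against the 'Key Created' line (printed in local time, CEST in
    the thread, i.e. UTC+2)."""
    m = re.fullmatch(r"gpg-pubkey-[0-9a-f]{8}-([0-9a-f]{8})",
                     fields.get("Rpm Name", ""))
    if not m:
        return None
    created = datetime.fromtimestamp(int(m.group(1), 16), tz=timezone.utc)
    return created.strftime("%Y-%m-%d %H:%M:%S")


def decide(prompt_text, pinned=PINNED):
    """Return ('a', reason) for 'trust always' or ('r', reason) for reject.
    Never returns 't': trusting temporarily only defers the same question."""
    fields = parse_key_prompt(prompt_text)
    fpr = normalize_fpr(fields.get("Key Fingerprint", ""))
    if len(fpr) != 40:
        return "r", "prompt carries no full 160-bit fingerprint"
    if not rpm_name_matches_fingerprint(fields):
        return "r", "rpm short key ID does not match the fingerprint"
    for alias, expected in pinned.items():
        if normalize_fpr(expected) == fpr:
            return "a", f"fingerprint matches the pinned key for {alias}"
    return "r", "fingerprint is not pinned; confirm it out of band first"


if __name__ == "__main__":
    answer, why = decide(ZYPPER_PROMPT)
    print(f"{answer}: {why}")
    print("key created (UTC):",
          rpm_creation_time_utc(parse_key_prompt(ZYPPER_PROMPT)))
```

Run it and the creation time decodes to 2021-09-05 08:29:07 UTC, which is the 10:29:07 CEST in the prompt, and the short id `8b662dfb` matches the tail of the fingerprint; that only shows the prompt is self-consistent, not who owns the key. The pinned dictionary is where the out-of-band work lands: until a fingerprint has been put there from a second source, the answer stays `r`.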
* cagsm <cumandgets0mem00f@gmail.com> [06-14-22 13:26]:
On Tue, Jun 14, 2022 at 3:12 PM Patrick Shanahan <paka@opensuse.org> wrote:
How about the community provided packages on these repositories and in the opensuse universe, how trustworthy are these builds and compilations? Are there some safeguards against misuse and malicious code compilation or such things in the build infrastructure of opensuse, or are there always multiple people guarding and owning these projects and packages or how does all this work? do I just trust this repository or project, oneclick install etc? how safe are you walking across the street?
well I am trying to find some ways and starting points to bootstrap into this universe. The zypper says I need to check the trust before accepting it e.g. via some other ways to acquire the authors pgp key for example via the homepage. seriously how to establish and start
<trim>
<https://build.opensuse.org/users/ecsos> I dont see homepages or other means and other main sources of authority for keys? or how is this supposed to work? how to establish trust to this author and its produce?
I do not use "oneclick", but manually dl and install.
about this oneclick, I was actually thinking this would also simply add this one repo of "ecsos" and prepare zypp, but when selecting that oneclick stuff from the pages at
or
a yast repositories gui comes up and it kind of shows like tens of repos it's trying to add, a lot of stuff, scary to me? <https://paste.opensuse.org/46477611>
Why this huge difference to that single repo that is given in the expert details on software opensuse org
I cannot help you with YaST as I quite some time ago began exclusively using zypper. I can advise that I have successfully used packages built by "ecsos". but, ymmv, I endorse no-one.
On Tue, 14 Jun 2022 19:25:41 +0200 cagsm <cumandgets0mem00f@gmail.com> wrote:
a yast repositories gui comes up and it kind of shows like tens of repos it's trying to add, a lot of stuff, scary to me? <https://paste.opensuse.org/46477611>
Why this huge difference to that single repo that is given in the expert details on software opensuse org
Exactly, WHY add a dozen repos? I just download, park in a folder of my own choice, insert that folder as a repo in Yast and done.

But the underlying question isn't just a check to see if the file had been changed en route, it's a check on whether the original author is trustable at all and there's no way of knowing that unless you know the person! I'm willing to risk using binaries from Suse, that's *already a compromise* compared to compiling, but that's where it ends. Flatpacking 'could' be the future answer for many reasons but if ever I install a binary flatpack it will have to come from Suse as well. BTW since when does a flatpack have to be binary?

Right now hundreds wanna become the github of the future, millions of clickmoney waiting, but github is no more trustworthy than a used car salesman called Honest Igor :-)

--
Oh Lord of the Keyrings on high, have I got bad news for you: the word trust is nowhere to be found in my security dictionary.
On 14.06.22 at 21:54, bent fender wrote:
snip
o risk using binaries from Suse, that's *already a compromise* compared to compiling, but that's where it en> snip
hi bent,

i am impressed by you. even if i would be a good programmer, i would never be able to check the whole source code of a linux distro with all programs i use !myself! and that's the only way to be "sure" to be "safe". if you do !not! do this, there is no difference between downloading a source code or a binary; in both ways you have to make sure that it is not changed/infected during download.

=================================
I only trust me, and this only on good days, but i do not remember when the last good day was.
simoN
==================================
--
www.becherer.de
On 14.06.2022 20:25, cagsm wrote: ...
All i find so far is this user who has a lot of projects on the build infrastructure of opensuse, so this might mean this author is very capable and knowledgeable. so far so good. but how to verify this key and the bits?
Define "verify".
<https://build.opensuse.org/users/ecsos> I dont see homepages or other means and other main sources of authority for keys? or how is this supposed to work? how to establish
What do you mean with "authority"? Do you understand how PGP was intended to work? There is no authority by definition.
trust to this author and its produce?
How is it different to downloading any other software or distribution? How do you verify the openSUSE distribution? What makes you trust downloaded binaries?

Regarding OBS projects - the project signing key is generated internally. The private key is not accessible from outside. The public key can be downloaded via the OBS API or using the osc command. I was sure it was also offered via the web GUI, but apparently only the project owner can download keys. These are the same keys as are provided on download.o.o for the repository where binaries built inside the project are published.

So project keys allow you to detect that keys have been changed after you added the repository. They do not provide any proof of origin. Like with any other PGP key, someone may sign the public key, in which case, if you trust the person who signed it AND TRUST THAT HE ALSO VERIFIED THIS KEY, you may trust it a bit more.
I do not use "oneclick", but manually dl and install.
about this oneclick, I was actually thinking this would also simply add this one repo of "ecsos" and prepare zypp, but when selecting that oneclick stuff from the pages at
or
a yast repositories gui comes up and it kind of shows like tens of repos it's trying to add, a lot of stuff, scary to me? <https://paste.opensuse.org/46477611>
Why this huge difference to that single repo that is given in the expert details on software opensuse org
This is a long-standing problem in one click install and software.o.o. An OBS project may link to other projects, in which case packages from the other projects are used when building software. If project A links to and is using packages from project B it means that packages from project A now (may) depend on packages from project B. The most obvious example is the update repository which is not self-contained - updated packages still depend on packages from the main repository.

So when building the one click install definition software.o.o generates repositories for all linked projects which ensures that you can actually install binaries with all needed dependencies. The problems now are

- software.o.o also adds the main repositories for the distribution which is obviously redundant, as these repositories are expected to always be present
- the yast one click install module does not check that repositories are already present so they are added multiple times
- and last but not least - with Leap 15.3 and above packages are actually built on the internal SUSE OBS. Only the resulting binaries are copied inside of the openSUSE repository. But software.o.o STILL generates references to those internal repositories that are not accessible from outside and result in errors when trying to install software
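Given the three problems just listed, the practical defence is to read the .ymp before handing it to YaST, which is also what makes the "download, park in a folder, add that folder as a repo" approach from earlier in the thread attractive. The script below is an added example for this thread; it is not part of the original posts, of YaST or of software.o.o. It assumes the .ymp layout as I understand the One Click Install format (a `metapackage` root with `group/repositories/repository/url` and `group/software/item/name` in the `http://opensuse.org/Standards/One_Click_Install` namespace). The sample file, the placeholder repository URLs and the list of "already configured" repositories (what `zypper lr -u` would show) are constructed for the example, not the real file linked above. It reports which repositories the file would genuinely add, which are already configured on the machine, and which the file lists twice, so the decision to proceed can be made per repository rather than by clicking through a list of a dozen.

```python
"""Audit a One Click Install (.ymp) file before letting YaST act on it.

Added example for this thread; not part of the original posts, of YaST or of
software.o.o. Assumes the .ymp layout as I understand it (metapackage / group
/ repositories / repository / url and group / software / item / name in the
One_Click_Install namespace). The sample file, its placeholder URLs and the
"already configured" list are constructed, not the real file from the thread.
"""
import xml.etree.ElementTree as ET

NS = {"oci": "http://opensuse.org/Standards/One_Click_Install"}

# Constructed sample .ymp: one project repo plus the distribution repo listed
# twice (once with, once without a trailing slash), the kind of redundancy
# described in the thread. URLs are placeholders, not real repositories.
SAMPLE_YMP = """<?xml version="1.0"?>
<metapackage xmlns="http://opensuse.org/Standards/One_Click_Install">
  <group>
    <repositories>
      <repository recommended="true">
        <name>home:ecsos:messenger:matrix</name>
        <url>https://repo.example/home:/ecsos:/messenger:/matrix/15.4/</url>
      </repository>
      <repository recommended="true">
        <name>openSUSE:Leap:15.4</name>
        <url>https://repo.example/leap/15.4/oss/</url>
      </repository>
      <repository recommended="true">
        <name>openSUSE:Leap:15.4</name>
        <url>https://repo.example/leap/15.4/oss</url>
      </repository>
    </repositories>
    <software>
      <item><name>matrix-element-web</name></item>
    </software>
  </group>
</metapackage>
"""

# Constructed: what `zypper lr -u` would report as already configured.
CONFIGURED_URLS = ["https://repo.example/leap/15.4/oss/"]


def _norm(url):
    """Compare repo URLs ignoring case and a trailing slash."""
    return url.strip().rstrip("/").lower()


def repos_in_ymp(xml_text):
    """All (name, url) pairs the file asks to add, in file order."""
    root = ET.fromstring(xml_text)
    return [(r.findtext("oci:name", default="", namespaces=NS).strip(),
             r.findtext("oci:url", default="", namespaces=NS).strip())
            for r in root.findall(".//oci:repositories/oci:repository", NS)]


def packages_in_ymp(xml_text):
    """Package names the file would install."""
    root = ET.fromstring(xml_text)
    return [i.findtext("oci:name", default="", namespaces=NS).strip()
            for i in root.findall(".//oci:software/oci:item", NS)]


def audit(xml_text, configured_urls):
    """Sort the file's repositories into genuinely new ones, ones already
    configured on this machine, and duplicates within the file itself."""
    have = {_norm(u) for u in configured_urls}
    seen, new, present, dupes = set(), [], [], []
    for name, url in repos_in_ymp(xml_text):
        key = _norm(url)
        if key in seen:
            dupes.append(url)
            continue
        seen.add(key)
        (present if key in have else new).append((name, url))
    return {"new": new, "already_present": present,
            "duplicates_in_file": dupes, "packages": packages_in_ymp(xml_text)}


if __name__ == "__main__":
    report = audit(SAMPLE_YMP, CONFIGURED_URLS)
    for name, url in report["new"]:
        print("would ADD new repo:  ", name, url)
    for name, url in report["already_present"]:
        print("already configured:  ", name, url)
    for url in report["duplicates_in_file"]:
        print("listed twice in file:", url)
    print("would install:", ", ".join(report["packages"]))
```

On the constructed sample this leaves exactly one repository to think about, the project's own, which is the same single repo the "expert details" on software.o.o show; everything else in the file is either already on the machine or a repeat. Repositories that resolve to hosts you cannot reach (the internal build repositories mentioned above) would show up under "new" with an unfamiliar URL, which is the cue not to add them.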
On Wed, Jun 15, 2022 at 7:12 AM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
Define "verify".
well that zypper text output advises to grab the pgp/gpg key by some other means at other places preferably on the original dwelling place homepage and the like of the author creator or developer. that's what i mean. i always wondered how the average user or even developer or just anyone out there regards and works with signatures and pgp keys and so forth. trust on first use? trust just everything that comes along? i kind of remember pgp parties or cross signing events and stuff.

anyhow here for example i would think something like a maybe layered multi level trust concept, buildservice output and projects using that would maybe sign the projects or authors key to make it obvious that it is in some means running and technically generated software and binary bits on suse infrastructure. giving some loose endorsement or connection with the help of what the normal opensuse distro user is somewhat calm and at ease to use creations that are somewhat tied to opensuse and its infrastructure, even if its just as little as community packages.

i start with fresh leap iso. then i add some repo from build opensuse places or many other repos that are available via download.opensuse.org. i kind of lack the clean connection to the main leap project, that the leap public key for example would be signing these subprojects or that a master suse (corporate? organisation or foundation?) key would sign all the sub users and developers that are adding code and binary to the suse eco system. that would establish some kind of connection and trust. If i am not completely mistaken this could be done by the chain of trust with the help of pgp concepts. am i wrong? its obvious that this is not some kind of ultimate trust.

then again i fail to understand why all(?) the distros are putting the users into the place of running built binaries instead of the whole ecosystem would have eventually gone for everybody self-compiling and reproducible builds and similar?
<https://build.opensuse.org/users/ecsos> I dont see homepages or other means and other main sources of authority for keys? or how is this supposed to work? how to establish
What do you mean with "authority"? Do you understand how PGP was intended to work? There is no authority by definition.
see above. I lack the clear presentation of the involved actual people in these build projects and software the whole system outputs. you don't even find the public keys of all these people and projects on the few leftover public pgp keyservers these days any more or at all, wonder why people don't publish their keys elsewhere than just in the mere repo files. isn't this also what that zypper output advises the user?
a yast repositories gui comes up and it kind of shows like tens of repos its trying to add lot of stuff scary to me? <https://paste.opensuse.org/46477611>
This is long standing problem in one click install and software.o.o. OBS project may link to another projects, in this case packages from other projects are used when building software. If project A links to and is using packages from project B it means that packages from project A now (may) depend on packages from project B. The most obvious example is update repository which is not self-contained - updated packages still depend on packages from main repository.
coming from a windows world I would have thought that in the linux ecoverse the general rule of thumb would not be just to click, install, acknowledge and use everything, but that there would be some brains behind all this. it seems as if in theory there were lots of bright and securing ideas (e.g. pgp public keys) but everybody and their brother was just clicking and okaying everything that came along and never actually checking stuff? am I really wrong?

your answer here didn't even show and understand what I meant with verifying. how do you verify a thing in the universe? somewhere back in elementary school(?) i learned that maybe a second way to make a calculation, a different technical means which eventually or hopefully would come up with the same result. checking. verifying. i wonder if i am this pedantic or if i am just incompatible with this world? thank you.
* cagsm <cumandgets0mem00f@gmail.com> [06-15-22 10:58]: ...
how do you verify a thing in the universe? somewhere back in elementary school(?) i learned that maybe a second way to make a calculation, a different technical means which eventually or hopefully would come up with the same result. checking. verifying. i wonder if i am this pedantic or if i am just incompatible with this world?
the best we can hope for is shared experience. thus pgp.

past that, you are the administrator of your box/environment and make decisions based on your knowledge and experience (or not). there are no absolutes except zero.
On 2022-06-13 09:40:20 cagsm wrote:
|Dear support,
|
|more questions by a noob with linux and desktop.
|The elements chat (formerly riot chat) for the matrix ecosystem and
|network, seems to be available via flatpak flathub according to
|
|<https://element.io/get-started#linux-details>
|
|And digging via zypper or looking for native (?) packages for opensuse
|didn't bring up much current or maintained stuff?
|
|Then I also discovered the GUI interface in KDE called KDE Discover
|<https://apps.kde.org/de/discover/>
|
|which also has an interface to flatpak or such.
|
|Now I wonder how I would use a permanent and most up-to-date element
|chat instance in the best way on a current opensuse leap.
|
|Thanks for sharing your experiences and knowledge about what's proven
|and what not and best practices and all. ty.
A drawback to using flatpaks and their ilk is that they generally contain their own embedded libraries, etc., so are larger than native packages. This might not be an issue for you if your machine is a personal one with only one user account; if you want to share such a package between accounts, I'm not sure how (well) that would work.

Leslie
--
Operating System: Linux Distribution: openSUSE Leap 15.4 x86_64 Desktop Environment: Trinity Qt: 3.5.0 TDE: R14.0.12 tde-config: 1.0
participants (6)
- Andrei Borzenkov
- bent fender
- cagsm
- J Leslie Turriff
- Patrick Shanahan
- Simon Becherer