| 1 |
Mykyta Holubakha <hilobakho@×××××.com> schrieb am Sa., 6. Okt. 2018 um |
| 2 |
13:18 Uhr: |
| 3 |
|
| 4 |
> Signed-off-by: Mykyta Holubakha <hilobakho@×××××.com> |
| 5 |
> |
| 6 |
> I'm proposing to add a new eclass: appimage.eclass, to facilitate |
| 7 |
> extraction off AppImage bundles. The rationale is that some upstreams |
| 8 |
> have migrated to distributing their proprietary software exclusively as |
| 9 |
> AppImage bundles. (for instance dev-util/staruml-bin). |
| 10 |
> |
| 11 |
> An example ebuild can be seen at https://git.io/fx3Mg |
| 12 |
> |
| 13 |
> |
| 14 |
I was also thinking of something, too. This direction of development |
| 15 |
happens for a couple of years already, with more and more vendors / |
| 16 |
upstream jumping on it. It was also highly recommended by Linus Torvalds as |
| 17 |
a way of distributing packages easily along different linux flavors. I |
| 18 |
don't think we should easily deny the direction where this is going. |
| 19 |
|
| 20 |
Most appimages are distributed through central well-known servers. The |
| 21 |
files have a sha1 BuildID attached to them (can be seen via file command), |
| 22 |
which can possibly be used to verify them, so decreasing the possible |
| 23 |
vulnerability to such packages somewhat. There might also be additional |
| 24 |
ways to verify the integrity of them through the appimage API. They are |
| 25 |
statically linked packages with no external dependencies, and contain a |
| 26 |
squashfs filesystem in it. |
| 27 |
|
| 28 |
From a users point of view, I think it'd be a good idea, to give users the |
| 29 |
possibility of installing appimages with the package manager, so they can |
| 30 |
be handled accordingly, instead of just let them download the files and |
| 31 |
move them into a separate folder in ${HOME} for execution. This would be |
| 32 |
especially useful for propietary bin-packages, as well as for some big |
| 33 |
packages, which are actually hard to maintain for proxy-maintainers, and |
| 34 |
therefore get removed from the tree (freecad comes to my mind as an |
| 35 |
example). |
| 36 |
|
| 37 |
2. Are we OK with executing AppImage bundles downloaded from the |
| 38 |
> Internet (an alternative would be to implement a proper extractor |
| 39 |
> program, which would unpack the images without executing them, and add |
| 40 |
> it to DEPENDs). |
| 41 |
> |
| 42 |
|
| 43 |
It think, this has mostly the same attack vectors which apply for |
| 44 |
bin-packages. So there's not much new from my point of view. |
| 45 |
|
| 46 |
|
| 47 |
> +# @FUNCTION: appimage_src_unpack |
| 48 |
> +# @DESCRIPTION: |
| 49 |
> +# Unpack all the AppImage bundles from ${A} (with .appimage extension). |
| 50 |
> +# Other files are passed to regular unpack. |
| 51 |
> |
| 52 |
|
| 53 |
I'm not sure, if it makes sense to unpack them. Most of them are not built |
| 54 |
on gentoo systems, so the extracted binaries and libraries might not easily |
| 55 |
run without having the ebuild maintainer check every single one of them for |
| 56 |
run-time dependencies. |
| 57 |
|
| 58 |
For example, the freecad appimage contains a bin/mkdir program linked |
| 59 |
against libselinux.so.1 which is not available on non-selinux profiles by |
| 60 |
default, or its usr/lib/freecad/lib/DraftUtils.so, a freecad internal |
| 61 |
library, links against libboost_system.so.1.55.0 while we have |
| 62 |
libboost_system.so.1.65.0. |
| 63 |
|
| 64 |
I would propose to keep them packed and install them in /opt/AppImages or |
| 65 |
something like that, thus providing only a src_install function with the |
| 66 |
eclass. Ebuild maintainers could then just add a .desktop file or extract |
| 67 |
one from the image if it's present and add it to the files/ directory for |
| 68 |
desktop integration. |
Archives