Flatpak 1.12 Released - Better Sub-Sandbox Handling To Benefit Steam


  • #21
    Originally posted by billyswong

    Flatpak is a sandbox package format. Its packages are supposed to be run inside sandbox. Sandbox can't stand by itself. When a package format can stand by itself, it touches bare metal, which is by definition not in sandbox.
    More specifically, Flatpak combines the OSTree backend used for things like Fedora Silverblue with mandatory sandboxing. (You can poke some holes in it huge enough to make it utterly useless, but you can't actually turn the sandbox off entirely. That's by design because they don't want to become the de facto distribution solution for the lower layers of the stack, similar to how -webkit-prefixed CSS got de facto stabilized before browsers switched to only enabling experimental CSS on development builds.)



    • #22
      Originally posted by perpetually high

      Well first of all, jerkoff, my cries was sarcastic, wasn't crying as in whining.

      If I wanted to, I can do whatever I want. I choose not to. (Seinfeld voice: I choose not to run.)

      edit: I'm gonna run all you cowards and fake bullies out of the forums. Watch. Keep posting with your bullshit.
      You show them Kramer!



      • #23
        Originally posted by cl333r

        You show them Kramer!
        🤣🤣 Gold, Jerry



        • #24
          Originally posted by billyswong
          Flatpak is a sandbox package format. Its packages are supposed to be run inside sandbox. Sandbox can't stand by itself. When a package format can stand by itself, it touches bare metal, which is by definition not in sandbox.
          and
          Originally posted by ssokolow
          More specifically, Flatpak combines the OSTree backend used for things like Fedora Silverblue with mandatory sandboxing. (You can poke some holes in it huge enough to make it utterly useless, but you can't actually turn the sandbox off entirely. That's by design because they don't want to become the de facto distribution solution for the lower layers of the stack, similar to how -webkit-prefixed CSS got de facto stabilized before browsers switched to only enabling experimental CSS on development builds.)
          These contain presumptions that lead to mistakes.
          Both of you did not ask the right questions:
          1) Is Flatpak a package format? The answer is really no.
          2) Is Flatpak a sandbox? The answer is again really no.
          3) Is Flatpak like Fedora Silverblue? The answer is really no.

          This page provides an overview of how Flatpak works internally. While it isn’t necessary to be familiar with this in order to use Flatpak, some people might find it interesting. Knowing about Flatp...

          Under the hood, the packaging format of Flatpak is ostree. Flatpak is more a guide and tooling to use ostree with sandboxing.
          billyswong, you are wrong: the sandbox Flatpak uses is bubblewrap. Yes, bubblewrap absolutely can stand by itself.

          From SilverBlue front page:
          Better support for Flatpak and rpm-ostree in GNOME Software
          This is important: Flatpak and rpm-ostree are both ways of using ostree as a package storage solution.

          The reality here is that Flatpak has a lot more in common with something like APT (Advanced Packaging Tool) than with a package format, as Flatpak is really a package management tool with integrated support to set up a sandbox. This makes Flatpak's package format ostree and Flatpak's choice of sandbox bubblewrap.

          Can you run a Flatpak-installed application without a sandbox of some form? The answer is no, not quite for the reason people would expect.
          https://docs.flatpak.org/en/latest/c...esystem-layout This is the catch: a Flatpak application is allowed to expect a root directory layout.

          Interestingly enough, using ostree as a full OS install, you still have to run some form of sandbox to provide the nicely visualised chroot.

          Flatpak really provides an interface to rapidly set up an ostree for applications with their own private chroot directories with sandboxing wrapped around it. Being somewhat sandboxed is a property of ostree that Flatpak gets. Yes, rpm-ostree is also somewhat sandboxed.



          • #25
            Originally posted by ssokolow
            You can poke some holes in it...
            The easiest way I know is
            Code:
            filesystem=home



            • #26
              Originally posted by guara

              The easiest way I know is
              Code:
              filesystem=home
              I was actually thinking of filesystem=host, but that's certainly a close second for how much "neuter the sandbox" bang you get for your buck.

              Speaking of "Flathub prioritizes getting things to Just Work™ over sandboxing, but Flatpak is dead-set against making CLI integration Just Work™", I just added --file-forwarding support to my command-line launcher wrapper generator proof of concept.

              That means no more need to whitelist folders for applications that were using the file-chooser portal but still needed the exception for use on the command line. (Assuming, of course, that the file has no external dependencies. I use it for Firefox and Ungoogled Chromium, but I tend to make HTML-only saves of retro-programming reference material for quick offline access or use cmark as an offline analogue to grip for rendering Markdown... but that's no different than how it is with the file chooser portal.)

              (You run it whenever you install something new and it creates a bunch of wrappers in ~/.local/bin/flatpak (add that to your PATH) named after the internal commands (firefox, not org.mozilla.firefox).)

              It's not perfect (see the list of caveats in the file), but I daily-drive it pretty happily and none of the problems are unfixable... they just require rewriting in something other than shell script and implementing a more involved solution. (eg. The developer of Flatseal chose to actually name the binary com.github.tchx84.Flatseal so you get that rather than flatseal. Thankfully, I've got Ctrl+Up bound to filtered command history so I can just type com.<Ctrl+Up> instead of using Tab completion.)

              In fact, I think the only wart I've noticed with this new version of the wrapper generator is the lack of manpages for things like MPV.
              Last edited by ssokolow; 09 October 2021, 03:55 AM.
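
Added example (not part of the thread and not any poster's code): a small Python audit of the `filesystems` entries in a Flatpak permission keyfile, flagging the broad `home` and `host` grants discussed in posts #25 and #26. The sample keyfile is constructed, and the names `parse_filesystems` and `audit` and the severity labels are assumptions of this example.

```python
import configparser

# Constructed sample in the keyfile layout Flatpak uses for app metadata and
# overrides; not taken from a real application.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=home;xdg-download:ro;!host;/mnt/data:create;
"""

BROAD = {"host", "host-os", "host-etc", "home"}  # expose most host/user files

def parse_filesystems(keyfile_text):
    """Return the [Context] filesystems entries as dicts."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(keyfile_text)
    raw = cp.get("Context", "filesystems", fallback="")
    grants = []
    # The trailing ';' leaves an empty element, which filter() drops.
    for item in filter(None, (p.strip() for p in raw.split(";"))):
        negated = item.startswith("!")  # '!' revokes a grant
        item = item.lstrip("!")
        path, sep, suffix = item.rpartition(":")
        if sep and suffix in ("ro", "rw", "create"):
            mode = suffix
        else:
            path, mode = item, "rw"  # no suffix means read-write
        grants.append({"path": path, "mode": mode, "negated": negated})
    return grants

def audit(keyfile_text):
    """Classify each active grant: high, medium (read-only broad) or info."""
    findings = []
    for g in parse_filesystems(keyfile_text):
        if g["negated"]:
            continue  # a revoked grant widens nothing
        if g["path"] in BROAD:
            severity = "medium" if g["mode"] == "ro" else "high"
        else:
            severity = "info"
        findings.append((g["path"], g["mode"], severity))
    return findings

if __name__ == "__main__":
    for path, mode, severity in audit(SAMPLE):
        print(f"{severity:6} {path} ({mode})")
```

The same function can be pointed at the text of a per-app override file or at the output of `flatpak info --show-permissions <app-id>`, both of which use this keyfile layout.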



              • #27
                Funny how all the informative posts got 1 or 2 likes, but all of dekernel bug77 got about 20 likes.

                People sure don't like that perpetually high guy, who literally is on here only to help and spread knowledge. But the fake trolls/accounts are not concerned with that. Only to shift the narrative (ermehrgerd, Ubuntu LTS bad)

                Not fooling anyone. We can all make a fake account Sonadow and the rest of the Phoronix trolls. Michael should do a better job of running this forum, but I know he's busy. So I'll do it for him. Free of charge.

                edit: Might as well make this post useful. Thank you again, ssokolow. Worked a damn charm and took two seconds.

                Code:
                $ uname -a
                Linux ubuntu 5.15-rc4-051500rc4+customidle-generic #051500rc4+202107311230 SMP PREEMPT Thu Oct 7 05:00:41 PDT 2021 x86_64 x86_64 x86_64 GNU/Linux

                $ lsb_release -a
                No LSB modules are available.
                Distributor ID: Ubuntu
                Description: Ubuntu 20.04.3 LTS
                Release: 20.04
                Codename: focal

                $ flatpak --version
                Flatpak 1.12.1
                Haters on suicide watch. Perpetually High wins again. Oh no.
                Last edited by perpetually high; 09 October 2021, 06:40 AM.



                • #28
                  Originally posted by perpetually high
                  Haters on suicide watch. Perpetually High wins again. Oh no.
                  Maybe people are just annoyed by the dislikable attitude and not about the factual stuff you write?



                  • #29
                    Originally posted by reba

                    Maybe people are just annoyed by the dislikable attitude and not about the factual stuff you write?
                    Maybe I don't care what you and *maybe* 10 other people that I've never met, or have any idea who they are or if they're even real that lack *any* sense of humor or joy in their lives? Ever think about that?

                    What's also funny, the most vocal (you guys) provide nothing to the forums. Just a bunch of nonsense.

                    Guy's account was made post-COVID. Tells you everything you need to know.



                    • #30
                      This discussion made my day: The dude called "perpetually high" tries to update Flatpak on Ubuntu. Priceless.

