| Commit message | Author | Age | Files | Lines |
Move Thunderbird from native pacman to org.mozilla.Thunderbird flatpak,
mirroring the LibreWolf migration. Bubblewrap isolates the mail client from
the rest of $HOME (ssh keys, password store, gpg sockets); intra-process
isolation regression is real but minor (same tradeoff as the browser).

Three cross-sandbox glue points handled in repo:
- run_onchange_after_deploy-thunderbird.sh.tmpl: profile path moves from
  ~/.thunderbird to ~/.var/app/org.mozilla.Thunderbird/.thunderbird
- run_onchange_after_deploy-pteid-pkcs11.sh.tmpl: refactored to iterate
  over (LibreWolf, Thunderbird) instead of hard-coding LibreWolf, so
  cartão de cidadão signing/encryption works for S/MIME in TB
- run_onchange_after_deploy-tb-eer.sh.tmpl (new): bridges
  external-editor-revived's native messaging host into the sandbox via
  a flatpak-spawn --host wrapper + relocated manifest

Other surfaces (Bridge, Radicale, libsecret, mako, OpenPGP) are covered
by Flathub default permissions.

Manual one-shot migration on host (after pulling + just sync): close TB,
copy ~/.thunderbird/. into ~/.var/app/org.mozilla.Thunderbird/.thunderbird/,
chezmoi apply -v, then xdg-mime default org.mozilla.Thunderbird.desktop
x-scheme-handler/mailto. Once verified working, archive the old profile
via mv ~/.thunderbird ~/.thunderbird.pre-flatpak.bak.
|
Extend meta/flatpak.txt format to allow per-line URL for non-Flathub
.flatpak bundles. Lines are now either '<id>' (Flathub) or '<id> <url>'
(downloaded + installed via 'flatpak install <file>'). Bundle entries
are skipped on pkg-apply/pkg-fix when already installed, and re-fetched
on flatpak-update only when the version embedded in the URL differs
from the installed version.

Use this to migrate Portuguese Citizen Card (pteid-mw) off the AUR
'autenticacao-gov-pt-bin' pseudo-flatpak unpack to the upstream-shipped
flatpak bundle from amagovpt/autenticacao.gov GitHub releases — same
codebase the AUR PKGBUILD already vendors, but properly sandboxed.

Refactors duplicated install logic in pkg-apply/pkg-fix into a private
_flatpak-install helper. ID-only contexts (pkg-status, undeclared,
pkg-list) now extract the first whitespace-separated token instead of
treating each line as a single ID.

Caveat: PKCS#11-based Citizen Card web auth in the LibreWolf flatpak
remains unsolved — the .so lives inside the autenticacao-gov sandbox
and would need a 'flatpak override' + 'modutil' bridge to be loaded
across sandboxes. The CLI/GUI eID app works as expected.
|
Move LibreWolf from native librewolf-bin to Flathub
io.gitlab.librewolf-community. Bubblewrap isolates the browser from
$HOME (.ssh, password-store, gnupg, ssh-agent socket) at the cost
of namespace chroot + IPC/network namespace isolation between content
processes (mozilla bug 1756236, P3, considered defense-in-depth).
seccomp-bpf — the dominant sandbox layer — is preserved.

- meta/flatpak.txt: + io.gitlab.librewolf-community
- meta/browser.txt: - librewolf-bin
- run_onchange_after_deploy-firefox.sh.tmpl: profile path moves to
  ~/.var/app/io.gitlab.librewolf-community/.librewolf
- dot_config/mimeapps.list: librewolf.desktop -> flatpak app id
- dot_local/bin/executable_linkhandler: flatpak run wrapper
- README.md: blurb + new profile path

arkenfox-user.js + chezmoi user-overrides.js deploy keep working
unchanged because the flatpak profile is still on the host fs.
|
- Delete meta/gaming.txt entirely (no longer used; takes discord with it)
- Delete now-empty meta/office.txt; LibreOffice and Okular move to flatpak
- Trim meta/browser.txt: chromium and torbrowser-launcher now flatpaks
- New meta/flatpak.txt: 4 Flathub app IDs (chromium, okular, libreoffice,
  torbrowser-launcher), under --user scope
- Add flatpak runtime to meta/extra.txt
- Teach pkg-apply / pkg-list / pkg-fix / pkg-add / pkg-status / undeclared
  to branch on the magic 'flatpak' group name (no parallel recipe namespace)
- New flatpak-update recipe; update aggregate now refreshes flatpaks too
- _active-packages now skips flatpak.txt (it remains pacman-only)
- pkg-apply (no args) installs pacman groups together, then flatpaks
- First flatpak install auto-adds the flathub --user remote
|