| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Upstream marked org.mozilla.Thunderbird end-of-life. Flathub split it
into two replacement IDs:

  org.mozilla.thunderbird      monthly release channel (new default)
  org.mozilla.thunderbird_esr  ESR / long-term-support channel

Move to the lowercase monthly-release flatpak, which is what Mozilla
now recommends for regular desktop users and gets features at the same
cadence as Firefox.

Renamed references in:

  * meta/flatpak.txt - the package list the user installs from
  * meta/base.txt - comment in the mail-bits section
  * dot_config/sway/config - window-match app_id rule for marking
  * dot_config/mimeapps.list - mailto/ics/webcal handler .desktop names
  * run_onchange_after_deploy-thunderbird.sh.tmpl - profile path under
    ~/.var/app/<id>/.thunderbird/
  * run_onchange_after_deploy-tb-eer.sh.tmpl - flatpak override target
    and sandbox path for External Editor Revived bridge
  * run_onchange_after_deploy-pteid-pkcs11.sh.tmpl - Mozilla-family
    flatpak NSS DB registration list
  * README.md - doc snippets and xdg-mime example

On-host migration:

  flatpak install -y flathub org.mozilla.thunderbird
  # Preserve accounts, OpenPGP keys, calendars, EER bridge wrapper:
  mv ~/.var/app/org.mozilla.Thunderbird ~/.var/app/org.mozilla.thunderbird
  flatpak uninstall -y org.mozilla.Thunderbird
  chezmoi apply -v
  update-desktop-database ~/.local/share/applications 2>/dev/null || true

Verify mail handler:

  xdg-mime query default x-scheme-handler/mailto
  # -> org.mozilla.thunderbird.desktop
|
Unofficial Microsoft Teams client for Linux. Needed for Sii work
communications inside the Win11 VM is overkill for chat; running it
natively on the host keeps Teams notifications visible outside the VM.
|
snx-rs: Rust reimplementation of Check Point SNX VPN client; needed
for work VPN access. AUR package.
com.nomachine.nxplayer: NoMachine remote desktop client; needed for
work remote access.
|
Same sandbox model, but the Google-phone-home bits (Safe Browsing
pings, sync, FLoC/topics, variation seed, etc.) are patched out at
build time. Better aligned with the LibreWolf+arkenfox philosophy
applied to the primary browser. Update lag vs upstream Chromium is
acceptable since this is only the fallback browser.
|
Defense-in-depth for the cross-sandbox handoff vector: when the
LibreWolf/Thunderbird flatpaks open a downloaded PDF or video via the
OpenURI portal, the receiving app currently runs natively with full
$HOME access — defeating part of the browser/mail isolation.

- meta/flatpak.txt: add org.pwmt.zathura, io.mpv.Mpv
- meta/wayland.txt: drop native zathura + zathura-pdf-mupdf
- meta/media.txt: keep native mpv (streamlink, /tmp/mpvsocket IPC,
  fast yt-dlp) — flatpak mpv is *additional*, only as the mimeapps
  default for video/audio to receive sandboxed handoffs
- dot_config/mimeapps.list: rewrite mpv.desktop -> io.mpv.Mpv.desktop,
  zathura-pdf-mupdf.desktop -> org.pwmt.zathura.desktop, and replace
  stale userapp-Thunderbird-* entries with org.mozilla.Thunderbird.desktop
- run_onchange_after_deploy-flatpak-overrides.sh.tmpl (new):
  --filesystem=xdg-config/{zathura,mpv}:ro so the flatpaks read our
  chezmoi-managed configs as a single source of truth
- README: media row + new deploy-script row

Manual one-shot on host: chezmoi apply -v.

The pteid bridge already iterates a flatpak app list, so cartão de
cidadão remains correctly registered for the Mozilla flatpaks. Native
mpv config (input-ipc-server) keeps working since each flatpak has its
own /tmp; no socket collision.
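
The handoff concern in the commit message above can be audited mechanically: any default handler in mimeapps.list whose .desktop file is not exported by flatpak still opens files natively. This is an added example, not part of the repository; the function names, the `imv.desktop` entry and the sample files are constructed, and the real-host path in the last comment assumes a --user install with default XDG directories.

```shell
#!/bin/sh
# Added example (not from the repository): report default handlers that a
# sandboxed app would hand files to outside any flatpak sandbox.

# native_handlers MIMEAPPS EXPORTS_DIR
# Prints "mime<TAB>desktop-id" for each [Default Applications] entry whose
# .desktop file is not present in the flatpak exports directory.
native_handlers() {
    awk -F= '
        /^\[/ { in_defaults = ($0 == "[Default Applications]"); next }
        in_defaults && NF >= 2 && $1 !~ /^#/ {
            n = split($2, ids, ";")
            for (i = 1; i <= n; i++)
                if (ids[i] != "") print $1 "\t" ids[i]
        }
    ' "$1" | while IFS="$(printf '\t')" read -r mime id; do
        [ -e "$2/$id" ] || printf '%s\t%s\n' "$mime" "$id"
    done
}

# Constructed sample: PDF and video already point at flatpak IDs named in
# the commit; image/png -> imv.desktop is a made-up native leftover.
make_sample() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/exports"
    : > "$dir/exports/org.pwmt.zathura.desktop"
    : > "$dir/exports/io.mpv.Mpv.desktop"
    cat > "$dir/mimeapps.list" <<'EOF'
[Default Applications]
application/pdf=org.pwmt.zathura.desktop
video/mp4=io.mpv.Mpv.desktop;
image/png=imv.desktop
[Added Associations]
application/pdf=zathura-pdf-mupdf.desktop;
EOF
    printf '%s\n' "$dir"
}

sample=$(make_sample)
native_handlers "$sample/mimeapps.list" "$sample/exports"
rm -rf "$sample"
# On a real host (assumed --user install, default XDG paths):
#   native_handlers ~/.config/mimeapps.list \
#       ~/.local/share/flatpak/exports/share/applications
```

Only `[Default Applications]` is inspected, so the stale `zathura-pdf-mupdf.desktop` line under `[Added Associations]` in the sample is deliberately not reported.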
|
| |
Move Thunderbird from native pacman to org.mozilla.Thunderbird flatpak,
mirroring the LibreWolf migration. Bubblewrap isolates the mail client from
the rest of $HOME (ssh keys, password store, gpg sockets); intra-process
isolation regression is real but minor (same tradeoff as the browser).

Three cross-sandbox glue points handled in repo:

- run_onchange_after_deploy-thunderbird.sh.tmpl: profile path moves from
  ~/.thunderbird to ~/.var/app/org.mozilla.Thunderbird/.thunderbird
- run_onchange_after_deploy-pteid-pkcs11.sh.tmpl: refactored to iterate
  over (LibreWolf, Thunderbird) instead of hard-coding LibreWolf, so
  cartão de cidadão signing/encryption works for S/MIME in TB
- run_onchange_after_deploy-tb-eer.sh.tmpl (new): bridges
  external-editor-revived's native messaging host into the sandbox via
  a flatpak-spawn --host wrapper + relocated manifest

Other surfaces (Bridge, Radicale, libsecret, mako, OpenPGP) are covered
by Flathub default permissions.

Manual one-shot migration on host (after pulling + just sync): close TB,
copy ~/.thunderbird/. into ~/.var/app/org.mozilla.Thunderbird/.thunderbird/,
chezmoi apply -v, then xdg-mime default org.mozilla.Thunderbird.desktop
x-scheme-handler/mailto. Once verified working, archive the old profile
via mv ~/.thunderbird ~/.thunderbird.pre-flatpak.bak.
|
Extend meta/flatpak.txt format to allow per-line URL for non-Flathub
.flatpak bundles. Lines are now either '<id>' (Flathub) or '<id> <url>'
(downloaded + installed via 'flatpak install <file>'). Bundle entries
are skipped on pkg-apply/pkg-fix when already installed, and re-fetched
on flatpak-update only when the version embedded in the URL differs
from the installed version.
Use this to migrate Portuguese Citizen Card (pteid-mw) off the AUR
'autenticacao-gov-pt-bin' pseudo-flatpak unpack to the upstream-shipped
flatpak bundle from amagovpt/autenticacao.gov GitHub releases — same
codebase the AUR PKGBUILD already vendors, but properly sandboxed.
Refactors duplicated install logic in pkg-apply/pkg-fix into a private
_flatpak-install helper. ID-only contexts (pkg-status, undeclared,
pkg-list) now extract the first whitespace-separated token instead of
treating each line as a single ID.
Caveat: PKCS#11-based Citizen Card web auth in the LibreWolf flatpak
remains unsolved — the .so lives inside the autenticacao-gov sandbox
and would need a 'flatpak override' + 'modutil' bridge to be loaded
across sandboxes. The CLI/GUI eID app works as expected.
|
Move LibreWolf from native librewolf-bin to Flathub
io.gitlab.librewolf-community. Bubblewrap isolates the browser from
$HOME (.ssh, password-store, gnupg, ssh-agent socket) at the cost
of namespace chroot + IPC/network namespace isolation between content
processes (mozilla bug 1756236, P3, considered defense-in-depth).
seccomp-bpf — the dominant sandbox layer — is preserved.

- meta/flatpak.txt: + io.gitlab.librewolf-community
- meta/browser.txt: - librewolf-bin
- run_onchange_after_deploy-firefox.sh.tmpl: profile path moves to
  ~/.var/app/io.gitlab.librewolf-community/.librewolf
- dot_config/mimeapps.list: librewolf.desktop -> flatpak app id
- dot_local/bin/executable_linkhandler: flatpak run wrapper
- README.md: blurb + new profile path

arkenfox-user.js + chezmoi user-overrides.js deploy keep working
unchanged because the flatpak profile is still on the host fs.
|
- Delete meta/gaming.txt entirely (no longer used; takes discord with it)
- Delete now-empty meta/office.txt; LibreOffice and Okular move to flatpak
- Trim meta/browser.txt: chromium and torbrowser-launcher now flatpaks
- New meta/flatpak.txt: 4 Flathub app IDs (chromium, okular, libreoffice,
  torbrowser-launcher), under --user scope
- Add flatpak runtime to meta/extra.txt
- Teach pkg-apply / pkg-list / pkg-fix / pkg-add / pkg-status / undeclared
  to branch on the magic 'flatpak' group name (no parallel recipe namespace)
- New flatpak-update recipe; update aggregate now refreshes flatpaks too
- _active-packages now skips flatpak.txt (it remains pacman-only)
- pkg-apply (no args) installs pacman groups together, then flatpaks
- First flatpak install auto-adds the flathub --user remote
|