An experimental Flatpak remote designed to prototype Flathub's transition to OCI. Someone promised me a magical land of shared storage and composefs, I guess we'll find out. 😄
- Uses flatpak-tracker to find flatpaks on Flathub that need runtime updates
- Auto imports, updates the runtime, builds, and then publishes a test flatpak
- Help Flathub reviewers with real testing!
- Tracks all Flatpaks published in Aurora, Bazzite, and Bluefin
- Full flatpak packaging pipeline with full automation using all the latest container tech.
- Chunkah and zstd:chunked enabled for partial pulls on the client
- Serves the remote from GitHub Pages; pushes images to
ghcr.io/projectbluefin/testhub - Under no circumstance will this remote ever go to production
- Things the core team wants to test (Ghostty, Goose) to hopefully aid in getting their flatpaks getting submitted to flathub.
- Purpose is to gather data for using OCI for Flathub distribution.
This potentially unlocks all container registries and git forges as Flatpak hosts in a format supported by flatpak. This is a prototype and not a replacement or substitute for Flathub's official process.
- Flatpak — Application sandboxing and distribution framework
- OCI Image Format Specification — Standard for container image formats
- bootc — Transactional, in-place operating system updates using OCI images
- Podman — Daemonless OCI container engine
- Skopeo — Tool for inspecting and copying container images
- flatpak-builder — Builds Flatpak applications from manifests
flatpak remote-add --user --if-not-exists testhub oci+https://projectbluefin.github.io/testhub
| Package | Description | Install |
|---|---|---|
| Ghostty | GPU-accelerated terminal emulator | flatpak install --user testhub com.mitchellh.ghostty |
| Goose | Goose AI agent | flatpak install --user testhub io.github.block.Goose |
| LM Studio | Local LLM inference | flatpak install --user testhub ai.lmstudio.LMStudio |
| Firefox Nightly | Firefox Nightly browser | flatpak install --user testhub org.mozilla.firefox.nightly |
| Thunderbird Nightly | Thunderbird Nightly email client | flatpak install --user testhub org.mozilla.thunderbird.nightly |
| VirtualBox | Oracle VirtualBox | flatpak install --user testhub org.virtualbox.VirtualBox |
Copy/paste install commands
flatpak install --user testhub com.mitchellh.ghosttyflatpak install --user testhub io.github.block.Gooseflatpak install --user testhub ai.lmstudio.LMStudioflatpak install --user testhub org.mozilla.firefox.nightlyflatpak install --user testhub org.mozilla.thunderbird.nightlyflatpak install --user testhub org.virtualbox.VirtualBoxflatpak update --user
All images are signed and include an SPDX SBOM. Replace <app> with the app name (e.g. goose).
Verify the signature:
cosign verify \
--certificate-identity=https://github.com/projectbluefin/testhub/.github/workflows/build.yml@refs/heads/main \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
ghcr.io/projectbluefin/testhub/<app>:latestExit 0 means valid. See all attached supply chain artifacts:
cosign tree ghcr.io/projectbluefin/testhub/<app>:latestInspect the SBOM:
cosign verify-attestation \
--type spdxjson \
--certificate-identity=https://github.com/projectbluefin/testhub/.github/workflows/build.yml@refs/heads/main \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
ghcr.io/projectbluefin/testhub/<app>:latest \
| jq '.payload | @base64d | fromjson | .predicate'Scan for vulnerabilities:
grype registry:ghcr.io/projectbluefin/testhub/<app>:latest