Investigate how to add Trezor Suite to Flatpak/Flathub repository

[prusnak]

This will make it easy for Flatpak users to install Trezor Suite via means they are familiar with.

Hopefully, udev-rules can be installed as a part of the bundle, too.

https://flatpak.org
https://flathub.org

[indolering]

Flatpak offers a lot of advantages over AppImage and Snaps [1, 2]:

1. AppImage's reliance on bundling libraries translates into relying on each distro's security backports, whereas Flatpak's runtimes are updated automatically.
2. The best-case scenario for sandboxing on AppImage is fragile seccomp filters and Snaps only support AppArmor profiles. Flatpak provides a cross-platform sandboxing mechanism (bubblewrap) and tight integration with the platform (filepicker/powerbox, distro specific LSMs, etc). This makes it much easier to compartmentalize the codebase to contain internal attacks as well as isolate the application from external applications.
3. It's much easier to make Flatpaks reproducible as there aren't a complex interactions between each target's distro and the build system.
4. There are efforts to run Flatpak applications via lightweight virtual machines, akin to Qubes. This would dramatically increase the level of isolation between Trezor and the rest of the system.

Flatpak also drastically reduces the support burden. AppImage requires building for each distro and is painful to use in practice. Flatpak's runtimes reduce the support burden from O(n) distros to O(1) and are much easier to make reproducible. The same is theoretically true of Snaps, but Canonical only really supports Ubuntu. Virtually every non-Ubuntu distro has chosen Flatpak because Red Hat actually put money behind making Flatpak distro neutral. You have the choice between the Freedesktop runtime (major version ~yearly with ~2 years of support) or the RHEL runtime (major version ~3 years, ~10 years of support); although the latter has a drastically reduced set of supported packages.

IMO, the only real reason to support Snaps is positioning in the Ubuntu app store. For an advanced technical crowd like Trezor's, the install instructions for Flatpak shouldn't be a high barrier to entry. You could also create a downloadable shell script (or AppImage!) that performs the same task. I believe there is also a way to perform an end run-around the Ubuntu app store via Apt, but I have to check on this.

[prusnak]

@indolering can you help us with the flatpak packaging?

[x80486]

Started working on it. I don't have a Trezor device yet, but I'm planning on getting one some time in the future — so initially I would rely on someone to test the application (if I can get it done).

Have one question: is Trezor interested on maintaining it? The only reason I ask is because this application is going to be very sensitive (security-wise) for almost everyone, so it's always better if the maintainers/owners are enrolled in the update/maintenance of the packages.

Being said that, I'm running into a problem with these dependencies: BitGo/blake2b and BitGo/blake2b-wasm. Looks like there is no release for the same — and that package it's pretty much dead also.

Moreover, if I were to build the desktop application only, is it needed to clone the entire repository, or just ../packages/suite-desktop/?

[indolering]

@prusnak I don't have a lot of spare time : (

[indolering]

IMO, the only real reason to support Snaps is positioning in the Ubuntu app store. ... I believe there is also a way to perform an end run-around the Ubuntu app store via Apt, but I have to check on this.

AFAICT the only way around the Ubuntu app store restrictions would be to submit a stand-in package to the Universe repo that includes flatpak as a dependency and kicks off the flatpak install process using a postinit script. However, I doubt Ubuntu's package managers would be very open to this end run around the Ubuntu app store policies as it is part of an explicit monetization strategy for Canonical.

You could also create a downloadable shell script (or AppImage!) that performs the same task.

There are two alternative methods that accomplish a similar UX without having to give up cryptographic chain-of-custody:

1. Use a combination of an AptURL to install Flatpak apt://flatpak,gnome-software-plugin-flatpak?section=universe and a flatpakref link or flatpakrepo file to install everything else (see also).
2. Provide a .deb file with the flatpak dependency but uses a postinit script to install the actual Trezor Flatpak package.

As udev isn't directly supported in Flatpak and the USB permissions portal is still a WIP (xdg issue, xdg PR, Flatpak PR) you will need to maintain the udev and bridge packages for a while longer. You can roll the udev, bridge, and flatpak installs into a single .deb file for now and eventually drop the udev and bridge dependencies once the USB permissions portal is added to Flatpak.

[prusnak]

As udev isn't directly supported in Flatpak and the USB permissions portal is still a WIP (xdg issue, xdg PR, Flatpak PR)

Thanks for the info. In this case, there's no real benefit in dealing with Flatpak/Flathub now and it will make sense to start the effort once the USB permissions portal is implemented.

[indolering]

Thanks for the info. In this case, there's no real benefit in dealing with Flatpak/Flathub now

It should reduce your maintenance burden, improve security, and increase availability.

and it will make sense to start the effort once the USB permissions portal is implemented.

IMHO blocking this on the USB permissions system just complicates the initial port.

Even if the USB portal system were available today, I would get Trezor Suite working on Flatpak communicating with bridge over dbus before refactoring it to use a new USB permissions system. Won't you need to maintain equivalent platform abstractions on Windows and Mac anyway?

My mental model of udev and bridge are incomplete, but AFAICT the situation isn't any better for AppImage: it's an unstable interface and any userland components will need to be upgraded in lockstep with the kernel.

[Ondra-Zik-SL]

Right now, it is possible to run Trezor devices with the Flatpak installation of the Electrum wallet, which indicates that the situation is improving. However, the udev rules still need to be installed as a separate system package. This requirement appears to be the case even for the latest Trezor Suite AppImage also.

It also seems to work without the Trezor bridge installed, using WebUSB.

[Ondra-Zik-SL]

A similar issue with udev rules and Flatpak is being discussed here: flathub/com.valvesoftware.Steam#8. One user suggests a quite nasty workaround, but I'm not sure if it is something we want to do: flatpak-spawn --host pkexec cp $the_udev_rule_in_our_install $the_host_udev_path.

[mmilata]

What about adding our udev rules to the upstream repository? It won't land in everyone's system anytime soon and there's no guarantee upstream accepts it but it's probably the cleanest solution. Example PR: systemd/systemd#22730

[prusnak]

What about adding our udev rules to the upstream repository? It won't land in everyone's system anytime soon and there's no guarantee upstream accepts it but it's probably the cleanest solution. Example PR: systemd/systemd#22730

I had not idea such thing exists. Let's do it! 🚀