Flatpak 1.3.2 is now officially released. The major highlight of this release is the new setup process, which uses a custom FUSE file system. It is a significant change in how flatpak installs to the system as a user.
Until today’s release, flatpak pulled into a temporary directory owned by the user and then asked the flatpak system helper to import from this directory. Because flatpak cannot trust the user-owned directory, it had to copy those files during the import process, causing redundant I/O and using additional temporary disk space.
To overcome this shortcoming, the Flatpak dev team has come up with a more efficient installation technique built on a custom FUSE filesystem. It works like a local sandbox that the user writes to; when the write is done, the user's access is safely revoked, so the files can be imported directly into the system repository without a copy.
“The new setup uses a new custom fuse filesystem which the user writes to, and then when this is done we can safely revoke any access to this from the user, meaning the files can be directly imported into the system repository without needing to make a copy,” says Alexander Larsson from Flatpak on their GitHub page.
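Why the old import path had to copy can be shown with a small model, added here as an illustration and not taken from Flatpak's code. It assumes the helper checks each file against an expected SHA-256; the function names and the sample payload are hypothetical.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def import_by_link(user_path, expected, repo_dir):
    # Unsafe model: verify in place, then link the user's inode into the repo.
    if sha256_file(user_path) != expected:
        raise ValueError("checksum mismatch")
    dest = os.path.join(repo_dir, expected)
    os.link(user_path, dest)  # the user can still write to this same inode
    return dest

def import_by_copy(user_path, expected, repo_dir):
    # Old Flatpak behaviour, modelled: copy into helper-owned staging,
    # verify the copy (not the user's file), then publish the copy.
    fd, staged = tempfile.mkstemp(dir=repo_dir, prefix=".staging-")
    try:
        with os.fdopen(fd, "wb") as dst, open(user_path, "rb") as src:
            shutil.copyfileobj(src, dst)
        if sha256_file(staged) != expected:
            raise ValueError("checksum mismatch")
        dest = os.path.join(repo_dir, expected)
        os.replace(staged, dest)
        return dest
    finally:
        if os.path.exists(staged):  # only true when verification failed
            os.unlink(staged)

def demo():
    """Return (linked_still_valid, copied_still_valid) after a late user write."""
    with tempfile.TemporaryDirectory() as base:
        dirs = [os.path.join(base, n) for n in ("user", "repo_link", "repo_copy")]
        for d in dirs:
            os.makedirs(d)
        payload = b"constructed sample object\n"  # constructed test data
        expected = hashlib.sha256(payload).hexdigest()
        user_file = os.path.join(dirs[0], "object")
        with open(user_file, "wb") as f:
            f.write(payload)
        linked = import_by_link(user_file, expected, dirs[1])
        copied = import_by_copy(user_file, expected, dirs[2])
        with open(user_file, "r+b") as f:  # user rewrites in place after import
            f.write(b"CHANGED")
        return sha256_file(linked) == expected, sha256_file(copied) == expected
```

The linked object no longer matches its checksum once the user writes again, while the copied one does; revoking the user's access before import is what lets the new design drop the copy.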
This makes packaging flatpak a little more complicated, since flatpak now needs to have a user. By default, flatpak looks for a user called “flatpak.” Packagers must create a user with this name as part of the package. They can choose a different name by configuring with --with-system-helper-user=USERNAME.
A notable change in the new version is that Flatpak now ships with a custom SELinux module (enable with --enable-selinux-module), because the new code passes a Unix socket over the system bus, which is forbidden by the default SELinux policy. Packagers should install this module to ensure the new feature is functional and that the flatpak system helper binary gets the correct SELinux context.
Additional features include:
- New permission --socket=pcsc for access to smart cards
- Storage of the description, comment, icon and homepage fields from the flatpak repo files in the remote configuration
- Runtime tries to determine the branch
- Print maximum icon size when icon-validator fails
- Override function can now disallow access to a dbus name
- Flatpak list now has a new runtime column