Flatpak package for Linux #1014

Open
rugk opened this issue May 12, 2021 · 21 comments

@rugk

rugk commented May 12, 2021

It would be nice if you could publish this as a flatpak on flathub e.g.

Flatpaks are a new software distribution mechanism for Linux distros, can thus be installed on any distro and are easy to update.

Here is how to get started.


@lolrepeatlol

Would it be possible to have a Flatpak be a VPN since it's sandboxed?

@rugk
Author

rugk commented May 14, 2021

I'm not sure, and it very likely depends on how it's done and how it integrates into the system. Online I could only find https://linuxpunx.com/2021/04/05/flatpak-and-whatip/, which seems to indicate it can at least have access to the network interfaces.

@andersk
Contributor

andersk commented Nov 30, 2021

FYI, I’m packaging mozillavpn for Nix at NixOS/nixpkgs#147975. (Nix is unrelated to Flatpak, but satisfies a similar sort of use case: it installs on any Linux distro without relying on or interfering with system packages.)

@HiruNya

HiruNya commented Jan 14, 2022

I tried my hand at this but unfortunately I got stuck at the requirement for PolKit which doesn't seem to be supported (that link is from a while ago so I'm not sure if anything has changed since then). I don't know enough about how a VPN and PolKit work so I gave up 😅 . Depending on what Mozilla VPN needs root privileges for, you might be able to replace it with Portals.

@oskirby
Collaborator

oskirby commented Jan 27, 2022

I think we can work around the use of Polkit by explicitly requesting permissions to access the D-Bus name org.mozilla.vpn but unfortunately I don't think that would be enough for a flatpak build of the VPN client. We currently require root permissions to run a D-Bus service that manipulates routing and the network interfaces, which would break in a Flatpak sandbox.

@ahjolinna

ahjolinna commented Jun 1, 2023

any hope? or is this dead/abandoned? (would like to see this for my SUSE's MicroOS ...or other immutable distros)

@herzenschein

I've been testing the current flatpak based on 6.6 and it works well.

In case others aren't aware of this, you can build the flatpak by navigating to the linux/flatpak folder and either:

# Building in one go
flatpak-builder build --install-deps-from=flathub --force-clean --ccache --install org.mozilla.vpn.yml
# Building the flatpak manually
flatpak-builder flatpak-build-dir --force-clean --install-deps-from flathub --repo=mozillavpn-master org.mozilla.vpn.yml
flatpak-builder --run flatpak-build-dir org.mozilla.vpn.yml mozillavpn # This just tests whether the flatpak runs
flatpak build-bundle mozillavpn-master mozillavpn.flatpak org.mozilla.vpn
sudo flatpak install mozillavpn.flatpak

I've noticed however that if you install the flatpak as --user it keeps requesting Polkit for the password every once in a while, which is fairly annoying.

Could we get some collaboration from the Flatpak folks and from the KDE SDK folks to resolve the remaining issues? :>

@volkertb

@herzenschein For a minute there, I thought that was just the holy grail you've given me on Christmas day: a single-line command to build and install the official Mozilla VPN client on a non-Ubuntu Linux distro.

So I just did git pull on the main branch, ran flatpak-builder build --install-deps-from=flathub --force-clean --ccache --install org.mozilla.vpn.yml, and waited...

For a couple of minutes, everything looked promising, until eventually it failed with this:

[..]
Fetching git repo https://github.com/mozilla-mobile/mozilla-vpn-client, ref refs/heads/main
remote: Total 0 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Fetching full git repo https://github.com/WireGuard/wireguard-tools
Fetching full git repo https://github.com/WireGuard/wireguard-apple
Failed to download sources: module mozillavpn: Not a gitlink tree: 3rdparty/openSSL

Sigh... 😞

I'll try the manual build steps that you also shared. Maybe it's currently broken in main and I should try an earlier tag?

@volkertb

volkertb commented Dec 25, 2024

@herzenschein That same Not a gitlink tree: 3rdparty/openSSL error already shows up when I try the first manual command from your instructions above:

flatpak-builder flatpak-build-dir --force-clean --install-deps-from flathub --repo=mozillavpn-master org.mozilla.vpn.yml

This is on Clear Linux OS, rolling release version 42790, and with the main branch as of my time of posting (Christmas Day 2024).

By the way, this MozillaVPN Flatpak build script apparently uses some outdated dependencies. The Flatpak build process warned about version 6.6 of the dependencies org.kde.Sdk and org.kde.Platform being end-of-life.

I'll try checking out a release tag and building the Flatpak with that.

@volkertb

Okay, there is apparently a subdirectory 3rdparty directly under the mozilla-vpn-client project root, but there is no openSSL directory inside it. Maybe it can't be bundled with the sources due to an incompatible license? If so, it would be helpful if the script would instruct the user to download it and unpack it to that subdirectory themself.

Let me see if I can find any info on this in any of the documentation... Maybe @herzenschein just forgot to mention this step in the instructions he shared. That can happen.

@volkertb

volkertb commented Dec 25, 2024

OK, I got a bit further. In .gitmodules, the Git submodule 3rdparty/openSSL is defined:

[submodule "3rdparty/openSSL"]
	path = 3rdparty/openSSL
	url = https://github.com/KDAB/android_openssl
	shallow = true

However, no matter which of these suggested Git submodule update commands on StackOverflow I try, it's not downloading that particular submodule for some reason. 🤔

I'm going to try checking out that GitHub project into the 3rdparty/openSSL manually, and then I'll retry the Flatpak build.

Still weird that it's not pulling this particular submodule automatically. I have to say that I'm not very familiar with Git submodules. Until now, I've never seen the need to use submodules in any of my Git projects yet. So although I've used Git for years, my knowledge on this is somewhat lacking.

@volkertb

Ah, another clue: the file .gitmodules indeed specifies the submodule 3rdparty/openSSL, but the file .git/config does not. But the latter does define other 3rdparty submodules. I guess that by default, the latter takes precedence over the former. Maybe that's why the file .gitmodules was shown in a dark grey color in my Git-aware bash shell?

Aha: this answer on StackOverflow seems to be what I'm looking for:

@Stann I am a bit late. But, speaking from experience, git will use the path specified in the .git/config. Basically, git reads the .gitmodules file (when explicitly told to do so) and then saves the relevant info in the config. In the event the URL does end up changing, you will need to perform a force init or manually delete the existing submodule section from config and then perform a submodule init again. – SNikhill Commented Jul 7, 2022 at 6:21

Okay, so I removed all [submodule] sections from the .git/config file. Let's see if I can reinitialize the submodules. If that doesn't work, I'll just delete the entire working copy and do a clean checkout of the entire project again, and then update the submodules inside it, before I try building the Flatpak again.

@volkertb

OK, this is really weird. I started with a fresh new working copy by following the initial steps in the general build instructions:

git clone https://github.com/mozilla-mobile/mozilla-vpn-client.git
cd mozilla-vpn-client
git submodule update --init --recursive

And it downloaded a lot of submodules, but it still skipped submodule 3rdparty/openSSL, even though that submodule is most definitely listed in the .gitmodules file:

[submodule "3rdparty/openSSL"]
	path = 3rdparty/openSSL
	url = https://github.com/KDAB/android_openssl
	shallow = true

And even if I delete the entire 3rdparty directory from the project (which is not empty in the initial Git repo) and then recursively reinitialize the submodules, it then proceeds to download all of them, except for 3rdparty/openSSL. 🤷🏽‍♂️ See below:

rm -rf 3rdparty/
git submodule update --init --recursive

Output:

Submodule path '3rdparty/adjust-android-sdk': checked out '98a78ddc0ce52287f7b39132c3ee6ff82b9546ee'
Submodule path '3rdparty/adjust-ios-sdk': checked out '73e4121098cad1854579575d79eff3beb1ee65b3'
Submodule path '3rdparty/glean': checked out '9f785a92bdcacc862c609cd3e02b05b68c74862a'
Submodule path '3rdparty/i18n': checked out '7da43c55c078456cd2b14df3d7ec7a52848bc5e9'
Submodule path '3rdparty/sentry': checked out '63699d75a77a689abd8016c52577e799f3dbad4f'
Submodule path '3rdparty/sentry/external/breakpad': checked out '53abd9137b7f8439a2174169042dd6b30721dcf3'
Submodule path '3rdparty/sentry/external/crashpad': checked out 'b670429f08535f9409c681cc79e72904e27a0080'
Submodule path '3rdparty/sentry/external/crashpad/third_party/lss/lss': checked out 'e1e7b0ad8ee99a875b272c8e33e308472e897660'
Submodule path '3rdparty/sentry/external/crashpad/third_party/mini_chromium/mini_chromium': checked out '4332ddb6963750e1106efdcece6d6e2de6dc6430'
Submodule path '3rdparty/sentry/external/crashpad/third_party/zlib/zlib': checked out '13dc246a58e4b72104d35f9b1809af95221ebda7'
Submodule path '3rdparty/sentry/external/libunwindstack-ndk': checked out '5a3cf38dbaa9603dc0943fa0fb1ad69d52799af0'
Submodule path '3rdparty/sentry/external/third_party/lss': checked out '171a36a8e0d1e456f63d342a09f811f9273a64af'
Submodule path '3rdparty/wireguard-apple': checked out '12b095470ad29ecea7436088f6e5fa701e6445a6'
Submodule path '3rdparty/wireguard-go': checked out 'ee1c8e0e8789e413cca3c1c3464cd3708d518b33'
Submodule path '3rdparty/wireguard-tools': checked out '139aac59a5ab7da913d4b6dd62692fa90e2ccad4'
cat .gitmodules | grep submodule

Output:

[submodule "3rdparty/wireguard-tools"]
[submodule "3rdparty/wireguard-apple"]
[submodule "3rdparty/openSSL"]
[submodule "3rdparty/wireguard-go"]
[submodule "3rdparty/adjust-ios-sdk"]
[submodule "3rdparty/adjust-android-sdk"]
[submodule "3rdparty/glean"]
[submodule "3rdparty/sentry"]
[submodule "3rdparty/i18n"]

As you can see, all the other submodules are downloaded, and in the case of sentry, its submodules are also recursively downloaded. But 3rdparty/openSSL is the only one being ignored, and the reason for this eludes me.

I guess I could just manually run git clone --depth 1 https://github.com/KDAB/android_openssl 3rdparty/openSSL and then try performing the Flatpak build again, but this is really bugging me right now. I want to understand why this particular submodule is being skipped.

(Indeed, I have nothing else to do on this Christmas Day, but I'm actually enjoying this. 😅)

@andersk
Contributor

andersk commented Dec 25, 2024

@volkertb A Git submodule is stored in the repository in two parts (documentation):

the superproject tracks the submodule via a gitlink entry in the tree at path/to/bar and an entry in its .gitmodules file

You can see the gitlink entries here:

$ git ls-tree origin/main:3rdparty/
100644 blob d0a233f8087440c82cec85afb4ee80ecb7ac9394	README.md
160000 commit 98a78ddc0ce52287f7b39132c3ee6ff82b9546ee	adjust-android-sdk
160000 commit 73e4121098cad1854579575d79eff3beb1ee65b3	adjust-ios-sdk
100644 blob b3c073618f8e1a4002eab1610c0a14750b7dcf8b	adjust_https_to_http.diff
160000 commit 9f785a92bdcacc862c609cd3e02b05b68c74862a	glean
160000 commit 7da43c55c078456cd2b14df3d7ec7a52848bc5e9	i18n
160000 commit 63699d75a77a689abd8016c52577e799f3dbad4f	sentry
160000 commit 12b095470ad29ecea7436088f6e5fa701e6445a6	wireguard-apple
160000 commit ee1c8e0e8789e413cca3c1c3464cd3708d518b33	wireguard-go
160000 commit 139aac59a5ab7da913d4b6dd62692fa90e2ccad4	wireguard-tools

and in the web interface.

Using git log -p -- 3rdparty/openSSL, you can find that the gitlink for 3rdparty/openSSL was deleted in commit 37793a9 (#5198). The deletion seems to have been intentional, although the corresponding entry in .gitmodules should also have been deleted.
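
The two-part storage described in the comment above can be checked mechanically. The sketch below is an added example, not part of the thread or of the project: it lists every path declared in .gitmodules that has no gitlink in a given revision, and every gitlink that has no .gitmodules entry. The function names are hypothetical; it assumes a Git new enough for `git config --blob` and `--name-only`, and paths free of tabs, newlines and other characters that `ls-tree` would quote.

```shell
#!/bin/sh
# Added example: cross-check .gitmodules against the gitlinks in a commit's tree.
# Function names are hypothetical, not from the project.

# Paths declared in .gitmodules as stored in revision $2 of the repo at $1.
declared_paths() {
    git -C "$1" config --blob "$2:.gitmodules" --name-only \
        --get-regexp '^submodule\..*\.path$' 2>/dev/null |
    while IFS= read -r key; do
        git -C "$1" config --blob "$2:.gitmodules" --get "$key"
    done | sort -u
}

# Read `git ls-tree -r` output on stdin; print the paths of gitlinks,
# i.e. tree entries with mode 160000.
gitlink_paths() {
    awk '$1 == "160000" { sub(/^[^\t]*\t/, ""); print }' | sort -u
}

# $1 = declared paths, $2 = gitlink paths (both newline-separated).
# Prints one line per mismatch and returns 1 if any were found.
report_mismatch() {
    out=$(
        printf '%s\n' "$1" | while IFS= read -r p; do
            [ -n "$p" ] || continue
            printf '%s\n' "$2" | grep -Fxq -- "$p" ||
                printf 'declared in .gitmodules but no gitlink: %s\n' "$p"
        done
        printf '%s\n' "$2" | while IFS= read -r p; do
            [ -n "$p" ] || continue
            printf '%s\n' "$1" | grep -Fxq -- "$p" ||
                printf 'gitlink without .gitmodules entry: %s\n' "$p"
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# usage: check_submodules [repo-dir] [revision]
check_submodules() {
    repo=${1:-.} rev=${2:-HEAD}
    report_mismatch "$(declared_paths "$repo" "$rev")" \
        "$(git -C "$repo" ls-tree -r "$rev" | gitlink_paths)"
}
```

After sourcing the file, `check_submodules . origin/main` exits non-zero when the two halves disagree, which makes it usable as a CI gate against half-removed submodules.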

@volkertb

When I delete the entire 3rdparty directory again and then do git submodule sync, it looks like the 3rdparty/openSSL submodule simply isn't in the upstream repo:

Synchronizing submodule url for '3rdparty/adjust-android-sdk'
Synchronizing submodule url for '3rdparty/adjust-ios-sdk'
Synchronizing submodule url for '3rdparty/glean'
Synchronizing submodule url for '3rdparty/i18n'
Synchronizing submodule url for '3rdparty/sentry'
Synchronizing submodule url for '3rdparty/wireguard-apple'
Synchronizing submodule url for '3rdparty/wireguard-go'
Synchronizing submodule url for '3rdparty/wireguard-tools'

Apparently, just declaring a submodule in the .gitmodules file isn't enough. That file just contains the mapping between the submodule directory in the project and the remote repo to fetch it from.

After having read the official documentation on Git Submodules (yeah, I know, I should have done that earlier 🙈), I now have a theory on what's wrong here:

The developer that added the 3rdparty/openSSL submodule to this project probably ran git add -u out of muscle memory, before they committed the changes. That's a mistake I've made myself more than once. With the -u option, only the added mapping in the (existing and already tracked) .gitmodules file was committed, but not the created 3rdparty/openSSL submodule directory, since that directory wasn't tracked yet. Normally, you can't commit empty directories in Git, but if I understand the documentation correctly, submodule directories are a special case.

I'll try to add and commit the submodule 3rdparty/openSSL locally and then I'll try to update all submodules again. If that works, that makes this theory even more likely, I believe.

@volkertb

So I tried adding the (shallow) submodule locally, and indeed, the 3rdparty/openSSL directory was added, and strangely enough, there were no changes in the .gitmodules file after that command compared to the existing file in the repo, which seems to corroborate my theory so far:

$ git submodule add --depth 1 https://github.com/KDAB/android_openssl 3rdparty/openSSL
Cloning into '[REMOVED]/mozilla-vpn-client/3rdparty/openSSL'...
remote: Enumerating objects: 523, done.
remote: Counting objects: 100% (523/523), done.
remote: Compressing objects: 100% (264/264), done.
remote: Total 523 (delta 279), reused 429 (delta 254), pack-reused 0 (from 0)
Receiving objects: 100% (523/523), 36.17 MiB | 7.59 MiB/s, done.
Resolving deltas: 100% (279/279), done.
$ git status
On branch main
Your branch is up to date with 'origin/main'.

Changes to be committed:
  (use "git restore --staged <file>..." to unstage)
	new file:   3rdparty/openSSL

$ ls 3rdparty/openSSL/
android_openssl.cmake  build_ssl.sh  CMakeLists.txt  LICENSE  no-asm  openssl.pri  README.md  ssl_1.1  ssl_3

@volkertb

volkertb commented Dec 25, 2024

Sorry I missed your earlier comment, @andersk. Thanks for clarifying. So in fact, the opposite of my theory was true: the 3rdparty/openSSL submodule was partially deleted instead of partially added. I applied the same removal as in your PR to my local working copy, and I'm now going to try building the Flatpak again. I'll let you know how it goes.

@volkertb

@andersk Your change didn't work, unfortunately. Let's discuss in your PR further.

@volkertb

Update: the change did work. I initially did something wrong on my end, but with the fix in the PR, I got it to compile.

Now I'm getting a permissions-related error with the "All in one go" command when it tries to install the Flatpak after building and exporting it to the local repo:

error: Flatpak system operation ConfigureRemote not allowed for user

I probably need to install it with sudo flatpak install. But maybe I can resolve this some other way? @herzenschein did mention that it was possible to install it for a single user, even though it would regularly prompt for a password.

@volkertb

volkertb commented Dec 25, 2024

With the fix that @andersk submitted in PR #10153, it's working! 🥳

I ran the manual step-by-step commands that @herzenschein shared above, and I ran flatpak install mozillavpn.flatpak without sudo. I'm not getting any password prompts either. This is on Clear Linux OS version 42790, with the GNOME version 47.

A small thing that I did notice was that the switching between locations (when I select another country or city) seems to take longer than what I'm used to on my Android phone, but that's no big deal. (UPDATE: apparently this was only the case in the first switch I tried, later switches were instant. Yay!)

The UI works great, with smooth animations, and everything, even on this somewhat older machine that I'm running this on. 🙂

I hope the PR gets merged soon, since it's a very small fix.

And @herzenschein, maybe just create a PR to add the installation steps that you shared above to the "Building the client" page? Under a new paragraph titled "Building a Flatpak", perhaps? This would be useful to many people!

I hope that Mozilla will publish an official Flatpak to Flathub soon, because this will be very useful to a lot of people running non-Ubuntu distros. 🙏🏾

@andersk and @herzenschein Thank you both for this wonderful Christmas present! 🎅 🎁 Happy holidays, everyone.


@volkertb

Ah, and I assume that those pinned end-of-life 6.6 versions of org.kde.Sdk and org.kde.Platform are because MozillaVPN is not yet compatible with Qt 6.8?
