Lost in translation - should we improve our communication with firejail package maintainers?

[glitsj16]

Since implementing the new D-Bus filtering, the importance of having xdg-dbus-proxy installed is pretty obvious. Although a CLI warning is thrown when that isn't found, the potential benefits of having xdg-dbus-proxy gets lost in translation. IMO it is a pretty vital part of firejail (profiles) these days, allowing for granular control that simply wasn't available before. Besides, users noticing all the dbus-* items in our profiles might be lulled in a false sense of security if they run an OS that doesn't do its best to ensure xdg-dbus-proxy is installed.

In that context I wonder if we should try to better communicate the importance of xdg-dbus-proxy to distro package maintainers. After a very brief check I noticed the folloing:

• Arch Linux doesn't mention it in its PKGBUILD, not even as optdepends;
• Debian/Ubuntu have it in Recommends, whis is better, but still no guarantee;
• only Fedora does it 'the right way' IMO, its firejail.spec simpy requires it.

Another case in point is the local AppArmor file we provide. That too isn't installed by default it seems. Fedora is excused, as it strictly uses SELinux. But Debian/Ubuntu and Arch Linux both configure firejail for AppArmor support, yet there's no trace of firejail-local (which needs to be installed as firejail-default under /etc/apparmor.d/local) in their firejail package. We have comments in several profiles refering to that file, carrying instructions on how to opt-in to apparmor. IMO this needlessly confuses users. Shouldn't be that hard to at least include a copy of it somehere (e.g. under /usr/share/doc/firejail).

I'm obviously not a package maintainer, and I probably overlook something relevant and important here. Hence the Q: how can we improve reaching out to these fine folks that package Firejail for most users out there?

[rusty-snake]

the potential danger of not having xdg-dbus-proxy

fixed that for you 😄

I probably overlook something relevant and important here.

A hard dependency is maybe against some packaging guidelines. Although it is more of a emergency compatibility mode. Because all filter is considered as allow. Meaning if we replace dbus-user none with dbus-user filter+dbus-user.talk org.freedesktop.portal.Desktop because org.freedesktop.portal.Desktop is ✔️ users w/o xdp end up with much weaker.

IMO it is a pretty vital part of firejail (profiles) these days

And the strongest argument pro firejail in firejail vs. bubblewrap discussions.

how can we improve reaching out to these fine folks that package Firejail for most users out there?

We could even start with our own packages they don't have any rec/sug/optdep/dep/.. on xdg-dbus-proxy too. https://github.com/netblue30/firejail/tree/master/platform

BTW

Debian maintainer: https://github.com/reinerh (you know 😉 )
Ubuntu (therefore Mint) maintainer: Since firejail is in universe it is community-maintained unmaintained 🙊
Fedora maintainer: https://github.com/odubaj
Arch maintainer: https://github.com/p5n (If I'm correct)

[glitsj16]

We could even start with our own packages they don't have any rec/sug/optdep/dep/.. on xdg-dbus-proxy too. https://github.com/netblue30/firejail/tree/master/platform

Wow, that's interesting! No better place to start requiring xdg-dbus-proxy than 'home' :-)

[reinerh]

* Debian/Ubuntu have it in _Recommends_, whis is better, but still no guarantee;

I can't really force it to get installed. As long as firejail runs fine in many cases without having xdg-dbus-proxy installed (even if only a subset of features is functional), I can only add it to Recommends (which will cause xdg-dbus-proxy to get installed in automatically in default apt configurations; Recommends are already stronger than Suggests, which are used for dependencies only needed in edge cases).
If it should be a hard dependency, then firejail needs to refuse to run when xdg-dbus-proxy is not installed.

Another case in point is the local AppArmor file we provide. That too isn't installed by default it seems. Fedora is excused, as it strictly uses SELinux. But Debian/Ubuntu and Arch Linux both configure firejail for AppArmor support, yet there's no trace of firejail-local (which needs to be installed as firejail-default under /etc/apparmor.d/local) in their firejail package. We have comments in several profiles refering to that file, carrying instructions on how to opt-in to apparmor. IMO this needlessly confuses users. Shouldn't be that hard to at least include a copy of it somehere (e.g. under /usr/share/doc/firejail).

On Debian (and therefore also Ubuntu) /etc/apparmor.d/local/firejail-default is installed by a postinst script, that's why you don't see it inside the package. But it will be there after installation. :-)

[glitsj16]

Thanks for your thorough explanations, much appreciated!

If it should be a hard dependency, then firejail needs to refuse to run when xdg-dbus-proxy is not installed.

That's a crystal clear statement. I'm not even remotely familiar enough with the availability of xdg-dbus-proxy to argue in favor of such a hard dependency. My main concern is that users are/seem to be rather agnostic about this whole situation. Not that I have a golden solution though. I bet even a fullscreen GUI warning shown at post-install is easily clicked-away and forgotten about heh.

Just noticed that firejail-local contains some comments that might be helpful.
These are indeed not inside the file created by the package.

Would be great to include it somewhere, /usr/share/doc/firejail/examples sounds fine. Thanks for taking an interest. I really should drop a line on the Arch Linux bugtracker about this, they seem to be the least well-informed party on this subject.

[polyzen]

If it should be a hard dependency, then firejail needs to refuse to run when xdg-dbus-proxy is not installed.

That's a crystal clear statement. I'm not even remotely familiar enough with the availability of xdg-dbus-proxy to argue in favor of such a hard dependency.

https://repology.org/project/xdg-dbus-proxy/versions

On the upside, xdg-dbus-proxy is an indirect dependency of Steam (at least on Arch Linux), and installed on about 80% of the systems that provide package usage statistics:
https://pkgstats.archlinux.de/packages/xdg-dbus-proxy

Would be great to include it somewhere, /usr/share/doc/firejail/examples sounds fine. Thanks for taking an interest. I really should drop a line on the Arch Linux bugtracker about this, they seem to be the least well-informed party on this subject.

Please do! You already did ;D https://bugs.archlinux.org/task/70596

[rusty-snake]

On the upside, xdg-dbus-proxy is an indirect dependency of Steam

It's also a (hard-)dependency of flatpak. Therefore Fedora and Mint have it installed by default.

[glitsj16]

@polyzen Thanks for the repology link, bookmarked!
I hope the Arch Linux package will get xdg-dbus-proxy in (opt)depends soon. After all the input here - thanks to all - we can look forward to enjoy a less D-Bus ridden firejail future. @kris7t really provided an excellent piece of work.

[polyzen]

This is (finally) implemented in the Arch package.

[reinerh]

I'm obviously not a package maintainer, and I probably overlook something relevant and important here. Hence the Q: how can we improve reaching out to these fine folks that package Firejail for most users out there?

The best way to communicate with maintainers is through changelogs and release notes. :-)
I think we do a quite good job of documenting our changes there. It's then the maintainer's job to adapt packaging as needed.

[reinerh]

If you are still unhappy about a packaging decision, please open a bug on the distro's bug tracker. That's also a (more active) way to communicate with maintainers.

[glitsj16]

Indeed, that's where I'm heading next.