xdg-app discussions at the GNOME DX hackfest



Hi all,

I just returned from the recent GNOME Developer Experience Hackfest in
Cambridge, UK. We discussed xdg-app a fair bit, particularly in terms
of the overall user experience it could provide. I've copied my
(incomplete) notes below, for those who might be interested.

Allan
---

Direct download vs centralised repositories
-------------------------------------------

Being able to download apps direct from their authors is desirable,
both in enabling control by application authors, and specialist
in-house applications. At the same time:

 * There are security/trust issues with downloading apps from the web,
and this can be a particular issue in the Free Software world.
 * There are also obvious UX advantages to app stores, in enabling
users to easily discover applications, see ratings, etc.
 * It therefore seems desirable to adopt a two-pronged strategy, where
direct downloads coexist with centralised repositories that are
hosted by runtime author/maintainers.
 * Ideally, application submissions to an application repository would
be vetted and reviewed. This would guarantee a certain level of
quality and trustworthiness, and enhance the brand and reputation of
the platform. Resources and maintenance are an obvious issue with
this.

Preventing malicious apps
--------------------------

Where possible, application distribution needs to be designed in order
to prevent malicious applications entering the ecosystem, and provide
protections against them for users.

One possibility - certificates could be issued for authors wanting to
release xdg applications. These would then be used to sign
applications, and unsigned apps could then be flagged as untrusted.

Software could allow users to report malicious applications (this
could be integrated into Software), and certificates could be revoked
as necessary. A corresponding process might be required for
applications that have unintentional security issues.

Application sandboxing vs bundling
----------------------------------

 * Sandboxing on its own may not have direct (or obvious) benefits for
application authors.
 * If sandboxing is optional, there is a danger that its value will be
undermined.
 * The architecture of xdg-app has implications for the design of
application sandboxing.

Therefore, it might be premature to introduce bundling before
sandboxing has matured, and there might be value in linking xdg-app
and sandboxing, so that xdg-app is introduced with mandatory
sandboxing. At the very least, careful thought needs to be given to
the implications of xdg-app for sandboxing, before the former is
released into the wild.

Runtimes
--------

 * GNOME will need to provide guarantees about API/ABI stability for
each runtime version.
 * Infrastructure to continuously check for API/ABI breakage in the
runtime is desirable.
 * Software will need to inform users when apps depend on an old
runtime that has known security bugs. There might well need to be a
way for users to disable/uninstall these apps.
 * Vendors will likely need to modify/adapt runtimes to work with the
OS. Therefore, there might need to be tooling/specifications with
which it is possible to check (or certify) that an OS conforms to the
upstream runtime definition.

Miscellaneous questions and topics
----------------------------------

 * How to handle codecs?
 * There will need to be support for other operating system add-ons
(fonts, dictionaries, input method engines, keyboard layouts, etc).
 * Should Builder be able to download and install runtimes?
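The author-certificate idea sketched under "Preventing malicious apps" above, as an added illustration that is not part of this post or of xdg-app itself: a constructed Go model in which the platform issues a certificate to a registered author, bundles are classified as trusted, untrusted or revoked, and revocation is consulted before the bundle signature is checked. The certificate format (author name plus Ed25519 key, countersigned by a platform issuer key) and the in-memory revocation set are assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
type TrustState string // verdict Software would show before installing a bundle
const (
	Trusted   TrustState = "trusted"   // valid author certificate and bundle signature
	Untrusted TrustState = "untrusted" // unsigned, or a signature that does not verify
	Revoked   TrustState = "revoked"   // signed, but the author certificate was revoked
)
type AuthorCert struct { // binds an author key to the issuer's signature (hypothetical format)
	Author    string
	PubKey    ed25519.PublicKey
	IssuerSig []byte // issuer signature over Author, NUL, PubKey
}
func certPayload(c AuthorCert) []byte { return append([]byte(c.Author+"\x00"), c.PubKey...) }
type App struct { // a bundle with an optional detached signature and author certificate
	Bundle, Sig []byte
	Cert        *AuthorCert
}
// IssueCert is the platform's step when an author registers to release xdg apps.
func IssueCert(issuer ed25519.PrivateKey, author string, pub ed25519.PublicKey) AuthorCert {
	c := AuthorCert{Author: author, PubKey: pub}
	c.IssuerSig = ed25519.Sign(issuer, certPayload(c))
	return c
}
// Classify is the check Software would run. revoked is keyed by string(author public key),
// so revoking one key covers every bundle that key ever signed.
func Classify(issuerPub ed25519.PublicKey, revoked map[string]bool, app App) TrustState {
	if app.Cert == nil || len(app.Sig) == 0 ||
		!ed25519.Verify(issuerPub, certPayload(*app.Cert), app.Cert.IssuerSig) {
		return Untrusted // unsigned, or the certificate was not issued by the platform
	}
	if revoked[string(app.Cert.PubKey)] {
		return Revoked // checked before the bundle signature: a revoked key proves nothing
	}
	if !ed25519.Verify(app.Cert.PubKey, app.Bundle, app.Sig) {
		return Untrusted // bundle altered after signing, or signed with another key
	}
	return Trusted
}
func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCert(issuerPriv, "example-author", authorPub)
	bundle := []byte("constructed bundle bytes")
	app := App{Bundle: bundle, Sig: ed25519.Sign(authorPriv, bundle), Cert: &cert}
	fmt.Println(Classify(issuerPub, nil, app), Classify(issuerPub, map[string]bool{string(authorPub): true}, app))
}
```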
