-
-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Self Hosted Repositories #81
Comments
Zap will only support AppImages for now. Support for other package managers are not something this repository would like to pursue. We do not have any other trustable AppImage index otherthat appimage.github.io |
Github.com could be used as the index because it offers structured releases. AppImage trust/reputation could then be implied from Github stars. It could be similar model how people install To increase trust even more, "verified" Github.com accounts could be maintained by Zap or external list maintainer, for ex. when VSCodium project has official Github.com repo, it can be "verified" by Zap or external list maintainer. No need to maintain own lists and builds, just one flag. More here #77 |
AppImage.github.io are only references to GitHub.com and other source code repositories's release pages. appimage.github.io does not host any AppImages. Basically, appimage.github.io works as a verified and tested list of AppImage repositories |
In other words, AppImage.github.io is very expensive list of "verified" flags. Unverified projects are not available, they are not discoverable in Zap. For example, VSCodium is not available in AppImage.github.io / Zap even it has releases on Github.com. So the problem is discoverability. Github.com solves this by providing search API. Separate problem is ranking - Github.com solves this by Stars. Another problem is "approval/verification" flag/badge, this is solved by AppImage.github.io however this limits other aspects. So, a good package manager could:
Github.com and other distribution platforms could help with point 1. |
As of right now, zap supports GitHub releases although it's not really implicit. |
The As a user, I do not care where the package is placed; I just want to type one command with approximate package name and have the package installed. I may not know the exact name, so package manager should discover/search it for me. This is true while searching AppImages and .exe with modern search services such as Google. Somehow, the discoverability service will present me sorted results, Google uses its index which is based on multiple criteria.
Github Stars are very good basic indicator that I may want that package - because most people will search for popular packages. It is similar how Google ranks webpages by popularity or term searches. Yes, some malicious site (not hacked, but malitious form start) could get high rank in search results, however it is not probable at all. Similarly, popular packages on Github.com are popular because many people use them. Maybe there is even backdoor in the codebase, however people trust that they are no backdoors. Incidents can happen on popular webpages, as well as in popular Github.com releases. Attackers could hack websites and Github.com accounts as well. It is responsibility of owners to secure their websites and Github.com accounts. No verification from Zap or appimage.github.io can ever prevent such attacks. Even now, Zap could happily install hacked/malwared packages and we would know in days, weaks, or never! Moreover, I would argue that using appimage.github.io is a big security risk. Because attackers could just hack appimage.github.io one time and hack ALL the packages by changing source URLs. But Attackers will not hack ALL Github.com accounts at once. Of course, Stars are just one indicator. Maybe, the fair rank method is This could be generalized for GitLab and others. At least they provide date_of_last_commit for sure. Then, one JSON file placed on Zap server or appimage.github.io can provide "verification" of Github.com packages. This could give higher rank to discovered packages or Zap could offer flag
Third party verification services could be used by Zap. They just provide list of verified or malicious packages. Maybe Zap user could install own list for personalized protection. For example, software developer would install curated list which contains verified packages and graphic designer would install another list of curated packages. But the point is, Zap users can decide for themselves to install any package on the internet (Github + GitLab + Bitbucket + ...). Just like they can search it with Google and install it or just like they can search it on Github.com, sort it by stars and install it 😁 |
@trymeouteh Sorry for spoiling the thread but if Zap supported Github.com integration then this would make all AppImages hosted on Github.com available in Zap and maybe it would be sufficient boost of new AppImages for your usecase. Other platforms such as GitLab could be integrated later. Why do you want to have custom repositories? Would you like to have private repositories or would you like to just increase the number of available AppImages in Zap? |
The reason for having repositories is for users to be able to use an official zap repo and other 3rd party repos the users trusts to install AppImages that are verified by the repo maintainers. As long the repo maintainer is trusted, this is a more secure way of installing Appimages than being able to install an AppImage from any github repo since the user would have to choose the right repo and not the wrong repo that was forked and could be malicious. |
@trymeouteh Are there other AppImage repositories in addition to appImage.github.io ? It should be defined what repository means here. In general (as understood in Linux distros), repository includes maintainers that:
AppImage.github.io is not such repository because It just does one thing or possibly two things:
appImage.github.io just links to Github.com accounts which offers AppImages and project owners do the rest. So it is not repository, just list of recommended Github software which support AppImage format. AppImage repositories are not feasible nor needed to maintain (points 2, 3, 4), because the point with AppImage format is that you do not need to have maintainers as with Linux distros. AppImage is similar to like So let's call it "recommended list of AppImages" and not "repository". The philosophy behind AppImages Alternatively, user will search "vscodium" on Github.com, then click on the project with the most Github Stars, then verify that this is the official Github.com account of the project and then downloads the AppImage file. This is the benefit of AppImages - users just go directly to the project authors and download AppImage. Currently, Zap is not philosophically compatible with such approach because it does not allow to search for as many AppImages as possible. It limits search results by recommended list of approved Github.com accounts by appImage.github.io maintainers and that is the reason that AppImage projects are missing in Zap. But yes, if Zap supported custom Github.com recommended lists then other people could easily create custom approved Github.com account lists with lower cost than appImage.github.io and personalized for their company/organization or category (graphic designer, programmer, sysadmin, home media center, ...) I wrote JSON format for such list above, however now I think JSON is not really needed, it could be just simple file with lines:
|
Does Zap do a checksum for every single appimage once downloaded to ensure it is not tampered with? And if Zap supported recommended lists, will it supports other git sites such as gitlab and gitea and not be centralized to github only? |
I do not think so. Even if it did then there would need to be official or verified hashsum placed somewhere and Zap would need to discover it and understand the format. In February, this was discussed: I think that it is good idea to support recommended lists with arbitrary URL. For example, Zap would have flag such as |
One issue with verified lists are that, sometimes repositories get forked, and sometimes the repositories are moved to a different organization. It becomes hard to keep track, and keep the list up-to-date over time. Some repositories we add as verified, might lose AppImage releases over time, and some might not follow the official AppImage naming conventions / AppImageSpec standards. I am interested in doing something similar to what Flathub managed to do, see https://github.com/flathub, by doing so, we are asking the maintainers to be responsible for the AppImages they create, and those appimages that they want to put it on the Appstore. They can then write custom scripts to build the AppImage from the CI, and the publish them to the releases within a github organization that the zap / appimage community manages, similar to how flathub manages it. All we would want the application maintainers to add is, link to the AppImage, or a script to build it, simplifying their release process by a lot. Then, we can create checksums automatically, gpg verification if necessary, etc. Doing this opens a door of many possibilities! |
That issue is real but it is general issue present also in repositories managed by maintainers and index like Github.com or appimage.github.io. Someone needs to be responsible for keeping the list up to date. Regarding Flathub. I think that a Flathub clone will not be successful. Because, why not just use Flathub which already offers so many packages if Flathub clone with AppImages offers fewer packages? AppImages design replaces the need for solutions such as Flathub and offers advantages which can not be offered by Flathub. Flathub model:
This needs to have huge administration resources and creates problems which require more administration resources:
This is problematic because final Flatpack binaries could be modified by anyone (maintainers) in malicious way. Also they can be modified to be more platform specific, which is a good think but at the cost of possible malware, huge administration cost and centralized distribution online system. Flathub is similar to Linux distro repositories, it is just working for more that one Linux distribution. On the other hand, AppImage format allows software authors to create one file and publish it where they want. No middleman. No maintainers. No disputes who owns the project. That is the advantage and disadvantage of AppImages. With AppImages, discoverability of genuine AppImages must be solved by third party tools, for example, search engines or package managers. Source: https://appimage.org/ |
Hmm, you got a point. Do you have any ideas on what we can do on apps like krita? https://krita.org/en/download/krita-desktop/ |
It may look like AppImage is suited for regular OS users, however that is not true. Regular users just use Ubuntu with Snap/Snapcraft/Snap Store or Flatpack/Flathub and they do not care. AppImage is more decentralized with all the benefits and disadvantages, mostly around trust and platform specificity. There is no big player in the AppImage ecosystem, however it could find its place on the market. There are five cases in the AppImage ecosystem (popular platforms are for ex.: Github.com, Gitlab.com, SourceForge.net, ... and they are always structured):
Case 5. is the worst because it needs huge resources to convince them to publish AppImages or to package AppImages for them. However in the future, more companies will join the AppImage ecosystem. Many will leave because their product does not run with the same experience on every platform. And many will produce multiple AppImage builds for multiple platforms. Case 4. is not very good, because software authors need to submit them somewhere (where? how? is it worth it?, ...). Case 3. is good because because third party recommended lists could emerge in the ecosystem - they could just link to genuine builds directly at HTTPS non-popular domains such as official websites of software projects (krita.org). Case 2. is better because it is the same as 3. but with more automation. It would lower the cost of maintaining recommended lists. However this requires a standard. There was a discussion that maybe it is sufficient that software authors publish just hashes in a structured way and ecosystem would handle AppImage distribution while verifying authenticity in package managers: Case 1. is the best because it can be automatized and one integration could make many genuine AppImages discoverable for users. So, Krita is case 3 because it offers URL on krita.org:
It could be moved to case 2 or case 1 by convincing them or just implement something in AppImage ecosystem to handle case 3. Case 3 can be handled by recommended lists from community. Maybe JSON format. Community can create such lists and host them online at HTTPS websites. Standards could help here. It is similar to appimage.github.io however appimage.github.io is a closed list and just links to projects and not AppImage files directly, which is problematic because Krita offers just URL of AppImage and not Github.com account: (Krita is actually Case 1 with that kde.org popular platform but lets ignore this for now) The format for a case 3 recommended list could be JSON and contain:
However with Case 1, it could be much simpler! Just Github.com URL or KDE.org URL is needed and everything can be automatically downloaded/cached/recached. Take a look: https://download.kde.org/stable/ and https://download.kde.org/stable/krita/ So, Case 3 is all about building community around some JSON or other standard and Case 1 is all about building integrations of popular distribution platforms. PS. I checked if Krita AppImage hosted on kde.org is actually build by authors and it looks like it is, so it is Case 1. They also offer community-maintained Flatpack hosted on Flathub. However the first choice they offer is AppImage so they want to offer their build with priority. AppImage tools should offer ways to verify package integrity. For example, display krita.org domain and then user can verify somehow that the authors published the file on kde.org. It would be nice if on krita.org there is cryptographic checksum (hashsum) and it is automatically compared to the downloaded file grom kde.org, however that needs some standard rethink and authors-convincing. |
Hmm, good point on kde.org as a standard publishing format.
https://github.com/AppImage/appimage.github.io/blob/master/data/Krita |
Quote:
That is not ideal URL for appimage.github.io, possibly the most expensive (per package) list ever maintained. They did a good job with the presentation data and so, but it can not scale. They maintain project graphics, images but they do not maintain latest AppImage file of a project? ... URL pointing to one latest AppImage file is very ideal and sufficient for HTML websites, web search engines or package managers because the most important usecase is "to install latest AppImage release". So, any AppImage discovery tool needs at minimum latest AppImage + project name for each project it can discover from recommended lists (case 3). Description, image, release hashes, official project domain, release history, etc are very useful information however they are not important for the goal of huge AppImage discoveries. Such information do not increase the number of discovered projects, often they can discourage people to update such information, they create inconsistencies (ex. one platform contains image gallery and another does not), ... But I think that format of recommended lists should contain many additional fields such as Optional list of releases (structured, with dates etc), however the absence should not prevent it from inclusion. It would be the responsibility of maintainer to maintain such lists and not the responsibility of software authors to provide all information. But this could be non-issue if AppImages are discovered on distribution platforms such as Github.com, KDE.org, etc. Then the latest AppImage can be discovered automatically and also other metadata such as description, image, etc can be scraped automatically. Also even there could be used recommended lists, for example list of Github.com repos or list of KDE.org project folders, however all the hard work can be automatized by scrapers and nothing except Github repo names / KDE.org folder names must be maintained by maintainers.
Well, authors could send their latest AppImage on CD/DVD and ship it quick. Or just provide URL. Direct URL to AppImage is better and totally universal, but structured HTML/API is also parsable (such as Github or downloag.kde.org) even without their explicit permission or knowledge or any recommended lists. Public repos with proper license can be scraped automatically, KDE.org for sure. |
To clear possible misunderstanding, I meant that kde.org could be also integrated with AppImage discovery tools such as Zap in AppImage ecosystem. Not that kde.org should be used as a standard. In addition to Github.com with their search API, kde.org is freely scrapable/pasable and it could contain many AppImages in archives. It is the question of integration/scraper/parser maintenance (case 1) vs community list maintenance (case 2, case 3). |
Right, gotcha. Re: 1, GitHub search API for example, we do know that the search API has a rate limit. Would we want to ask the users to insert a GitHub API token? |
Here I researched the two options:
I like 1.ii because the community can help with false-positives directly from Zap and no confirmed lists must be maintained and this could be automatized very well by Zap. But also I like recommended lists from community, they could be generalized to contain URL of Github.com repository, Gitlab repository, KDE.org package folder, ... But format of the list must be very simple to be successful (no JSON, no XML, ...). Thankfully we have a standard for location of AppImage parsable resources: https://datatracker.ietf.org/doc/html/rfc1738 and thankfully Github.com and others have structured responses. Later, the problem of duplicate AppImages can emerge. For example, AppImage is distributed on Github.com as well as on KDE.org. This could be solved by just ignoring the problem and user could install two instances of the same AppImage release (multiple versions of a Linux app in 2022, anyone?). Or it could be solved again by community with duplicate lists or comparing release files on server or in Zap. |
Hi, I encountered OpenShot video editor. It has no mention about appimage but it contain appimage releases: https://github.com/OpenShot/openshot-qt So maybe custom lists of known appimage projects in simple format is also a good idea. Also Kdenlive has appimage releases https://files.kde.org/kdenlive/release/ |
Please add support for self hosted Zap repositories. Were users can add or remove repositories within Zap and be able to download AppImages from these repositories.
Zap will come with the official Zap repository.
Other package managers do this such as Pacstall, Flatpak and F-Droid.
The self hosted repository server could should be also be fully open source.
The text was updated successfully, but these errors were encountered: