generated from small-tech/watson
-
-
Notifications
You must be signed in to change notification settings - Fork 2
/
org.small_tech.comet.yml
68 lines (60 loc) · 2.31 KB
/
org.small_tech.comet.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
app-id: org.small_tech.comet
runtime: io.elementary.Platform
runtime-version: '6'
sdk: io.elementary.Sdk
command: org.small_tech.comet
finish-args:
- '--share=ipc'
- '--socket=fallback-x11'
- '--socket=wayland'
# Needed to read prefer-color-scheme with Granite.Settings
- '--system-talk-name=org.freedesktop.Accounts'
#
# Needed to read commit message files.
#
# The app uses host permissions instead of home permissions to support projects
# mounted as external drives and network shares. As mount points can (and do)
# differ, it makes sense to use host permissions to ensure that all such projects
# work instead of attempting to compile a list of all popular mount points to
# support.
#
# In terms of security, what matters is whether an app has home permissions or not
# since, once an app has home permissions, it can easily escape the sandbox and
# run arbitrary code and even escalate its own Flatpak permissions (as the settings
# file is kept within the person’s home directory).
#
# As the threat model here assumes that either that the app author is malicious
# or that the app’s source repository has been compromised and modified by
# a malicious actor, the use of granular filesystem permissions on an app that
# already has home permissions is security theatre.
#
# In this scenario, the real security in the system is not provided by the
# Flatpak sandbox but by the following two properties of the system:
#
# 1. The app being free and open source.
#
# 2. The extent to which the automated and manual reviews of the source code, as
# carried out by the elementary OS app review team, can catch malicious behaviour.
#
# Sources:
#
# - https://flatkill.org/2020/
# - https://github.com/flatpak/flatpak/issues/3637
# Necessary to configure Git from the welcome screen using flatpak-spawn --host.
- '--talk-name=org.freedesktop.Flatpak'
modules:
- name: gspell-1
config-opts:
- '--disable-static'
- '--disable-gtk-doc'
sources:
- type: 'archive'
url: 'https://download.gnome.org/sources/gspell/1.8/gspell-1.8.3.tar.xz'
sha256: '5ae514dd0216be069176accf6d0049d6a01cfa6a50df4bc06be85f7080b62de8'
cleanup:
- '/bin'
- name: comet
buildsystem: meson
sources:
- type: dir
path: .