Add maintaining-flatpak-package.md

added 1 commit

afc09f5d - Update maintaining-flatpak-package.md

for visibility, here is the comment from the whonix maintainer linked above: (that another user alerted us of)

The CCS Monero Debian Package Repository for 2 years (!130 (merged)) has been successfully completed. The CSS has expired at the beginning of this year. No extension request is planned. It is recommended to use the official Monero flatpak installation method which documented. Monero (XMR): A Reasonably Private Digital Currency The monero-gui Debian package by Kicksecure has been deprecated and removed from the repository.

I support this proposal. Users often ask 'can we trust the flatpak' - this will answer those doubts and ensure packages are up-to-date and working for 1 year. @BigmenPixel has been providing a great service already for over 1 year.

For visibility: BigmenPixel is satisfied that milestone one is obtainable after a successful workflow run @ https://github.com/BigmenPixel0/monero-gui/actions/runs/4571525631 (github uses a slow method to build on arm64; combined with a 6hour max run time. splitting jobs up into smaller parts / use of cache has solved these problems. They still want this idea to remain a Draft until 100% certain (will provide an update for the next meeting @ 8th April https://github.com/monero-project/meta/issues/819)

added 1 commit

da3e4e36 - Update maintaining-flatpak-package.md

Compare with previous version

changed the description

can @BigmenPixel be paid to maintain the flatpak while still being considered an official distribution of the GUI wallet? what i mean is, currently the flatpak is considered 3rd party, once a token is created and it becomes verified, as a user i consider monero repo/core is blessing it as an "official" distribution. im not sure how all of the other distribution methods are handled besides github releases and getmonero.org releases which are handled by core/maintainers. so can we have both? pay @BigmenPixel to maintain the flatpak but keep the verification in the hands of core/maintainers.

Ok so if you have a read of the question above @ https://github.com/flathub/flathub/issues/3905#issuecomment-1496171547

Basically - there is a github token, that allows direct pushes to https://github.com/flathub/org.getmonero.Monero

This token has to be known by BigmenPixel - and handed to Monero Core (to eventually add to a flatpak workflow script that will push changes "up stream")

Ideally , only core would have this token, but this is not the case (if my understanding is correct). so, what we will end up with - is the "truth" @ monero core repos, then users will compare this truth (that has been verified by 'our people') to what exists @ the flathub repository.

So the improvement to the current situation will be that we have something to compare it to, again, this is new to me, but this is where i am at right now. But , we can not say, that flatpak is "not" third party, because, we will always need to trust flathubs infrastructure. users would still have to confirm hashes (if possible) that can be verified somehow.

Basically - there is a github token, that allows direct pushes to https://github.com/flathub/org.getmonero.Monero

its built in the same github action area that the rest of monero is built and it pushes to flathub directly if im not mistaken: https://github.com/obsproject/obs-studio/blob/3fed2e081e4bb657dd1db15fc1df7679a53b8030/.github/workflows/flatpak.yml#L117

Ideally , only core would have this token, but this is not the case (if my understanding is correct). so, what we will end up with - is the "truth" @ monero core repos, then users will compare this truth (that has been verified by 'our people') to what exists @ the flathub repository.

there are two tokens, one to push the build to flathub and one generated by the monero gui app flathub account that is to be embedded in a public monero asset like getmonero.org: https://github.com/flathub/flathub/issues/3905#issuecomment-1468076615

Please have a look at https://github.com/obsproject/obs-studio/blob/master/.github/workflows/flatpak.yml which uses https://github.com/flatpak/flatpak-github-actions to build its Flatpak. You can comment out flat-manager-client part and build only flatpak bundles for now – when we review the pipeline, I will send you a token allowing to push directly to our flatpak repository.

As for verification badge, @BigmenPixel0 can log in at https://beta.flathub.org/login and generate an HTTP token that needs to be exposed at a specific org.getmonero address.

and please correct me if im wrong.

So the improvement to the current situation will be that we have something to compare it to, again, this is new to me, but this is where i am at right now. But , we can not say, that flatpak is "not" third party, because, we will always need to trust flathubs infrastructure. users would still have to confirm hashes (if possible) that can be verified somehow.

i dont see this as any different than any other monero binary not wholly owned by monero. such as github. imho i think we should fund @BigmenPixel to be the maintainer but the tokens should be in control of monero core/maintainers.

@kinghat i support this proposal, i just want to make sure people understand exactly whats going on here. As it stands, the tokens will be shared between BigmenPixel and Core. The monero core-repo is the "verified truth" and it will be "mirrored" to the flathub repo that BigmenPixel has full control over also (can push/change anything there) but we can compare what exists on the core repo / commit history to the flathub one. From what i can see, this is pretty much the only improvement (but its a huge one).

Now, with all the above considered, we still have to trust flathubs infra to not do anything weird, (same way we cant trust github to not mess with things, thats why we have members of Core sign hashes with their pgp keys) so flatpak will always remain 3rd party. (hashes are not reproducible afaict https://github.com/flatpak/flatpak-builder/issues/251)

to clarify - this proposal is +1 for me, but flatpak will never be official. and always considered 3rd party, users just need to be aware.

@BigmenPixel is aware of the above^ and is looking into methods to make things more secure for us.

I tried to get hashes from a workflow and check them in the flatpak packages on my machine. They are correct.

Monero-gui new release -> start a workflow -> get artifacts with their hashes -> push it to Flathub.

Monero-gui will build the flatpak binaries. (and print hashes of them all). They will then be directly pushed to flathub (not to the org.getmonero.Monero repository). Users who install monero-gui through flatpak, will have matching hashes to the files produced by the workflow run on the monero-gui repository

the flathub repo that BigmenPixel has full control over also (can push/change anything there) but we can compare what exists on the core repo / commit history to the flathub one.

im saying core or maintainers should have full control over it. or make @BigmenPixel part of that group.

to clarify - this proposal is +1 for me, but flatpak will never be official. and always considered 3rd party, users just need to be aware.

then i wouldnt start using the "verified" moniker as not to confuse people. it would be nice if there was some input from higher-ups on this.

it would be interesting if @BigmenPixel could produce any stats that the current flatpak already provide to show its current interest. i think we should not discontinue different certain binary builds but we should probably make flatpak the go to way to consume monero on linux.

@kinghat just to add, my understanding of the situation has became more clear now. There will be no more org.getmonero.Monero repo after milestone 1 is complete - binaries directly from the monero-gui repo will be pushed to flathub. I am just now waiting for confirmation that the Core team, will be sent the Token privately from a member of the Flathub repo (i can't see why this won't happen). If this is the case then i am 100% satisfied. Users can double check hashes (or some kind of police script to confirm daily - but i would not worry about that)

I like your point on researching current interest (which has also increased due to the whonix maintainer pointing people to the flatpak version).

it would be interesting if @BigmenPixel could produce any stats that the current flatpak already provide to show its current interest. i think we should not discontinue different certain binary builds but we should probably make flatpak the go to way to consume monero on linux.

Are you talking about the number of downloads?

There will be no more org.getmonero.Monero repo after milestone 1 is complete

i think it will still have the same application id(org.getmonero.Monero).

Are you talking about the number of downloads?

yep! are these the only metrics that can be observed or are there finer grain ones that the repo maintainer has access to?

There. But it's public.

resolved all threads

@BigmenPixel in your proposal, can we delete "and obtain verified status."? This will happen after milestone 1 is complete, but, we should not confuse people as to what exactly that means. Instead, can you add the benefits of moving the manifest to the core repo? and the advantages over the current situation? for example (briefly) with milestone one, the files built on the monero-gui core repository will be the files that end up on the end users machines, and hashes can be verified. There will be no org.getmonero.Monero third party repository. only the monero-gui core repository will be pushing files to Flathub.

added 1 commit

a7575f13 - Update maintaining-flatpak-package.md

Compare with previous version

changed the description

mentioned in commit 55fef6e2

merged

On behalf of BigMenPixel, i am going to ask the community to pay out the entire CCS on March 21st 2024. 1 year after the maintenance began. they have been keeping up with updates / providing support: https://klausenbusk.github.io/flathub-stats/#ref=org.getmonero.Monero&interval=infinity&downloadType=installs%2Bupdates and have done the heavy lifting for the flatpak workflow hosted on the monero-gui core repo: https://github.com/monero-project/monero-gui/blob/master/.github/workflows/flatpak.yml

Getting "Verified" on flathub is now largely out of their hands. Sentiment seems to be unclear now and i suggest this is re-discussed in BigMenPixels next maintenance CCS.

I could receive money for 1 year of the maintaining but not for the moving the manifest because it's not done still

i agree with paying out @BigmenPixel in whatever is deemed the best way. the updates and maintenance have been demonstrated over the year. they have also been responsive to feedback and any issues that have risen. thank you @plowsofff and @BigmenPixel.

To mark milestones 2,3,4,5 as completed 83pHQUrhBQsMcDSnhzNiUjJxk4R1oMUgjJ1YcqDfaNAWVtBGXKvPjCA7WzQmPY674hQUwAj8RjxNTYyGzmrTAiz6C1ZbgBb

Add maintaining-flatpak-package.md

Maintaining flatpak package `org.getmonero.Monero`

Summary

Installing and using

About me

Milestone 1 (3.5XMR)

Milestone 2 (6.5XMR)

Activity

Add maintaining-flatpak-package.md

Maintaining flatpak package org.getmonero.Monero

Summary

Installing and using

About me

Milestone 1 (3.5XMR)

Milestone 2 (6.5XMR)

Merge request reports

Activity

Maintaining flatpak package `org.getmonero.Monero`