Client: Provide a flatpak package of Keybase client

The difficulty is probably that we use root to mount a FUSE filesystem at /keybase.

I have to vote too for this issue, would love to see keybase more isolated and standalone. And I'm sure you'll figure out a way, maybe what flatpak already offers is private enough? There's also always #flatpak@freenode to ask from too.

It's also a nice way to support other platforms like gentoo or sabayon +1 as I'm on Sabayon. Snapcraft is also good if you are Ubuntu based already

from the #flatpak IRC today:

mwleeds: anyone know if flatpaks can mount fuse filesystems?
It's apparently what's stopping keybase from making a flatpak

nedrichards: mwleeds: I don't think it can

alexlarsson: mwleeds: no, because fuse requires root, in particular, it needs the setuid fusermount binary

mwleeds: alexlarsson: nedrichards: ah ok :(

alexlarsson: I mean, they could use e.g. HostCommand to run it on the host
It depends a bit on the exact needs

halfline: keybase has this cool /keybase thing that's sort of like afs or something
you put your stuff in there and anyone else on /keybase can get to it

alexlarsson: Do they implement a fuse fs that they want to mount on the host?

halfline: yup to /keybase
i guess the app itself would need to see /keybase too
it probably uses it under the hood ?

alexlarsson: Well, nothing in flatpak can mount the fuse filesystem
Because it needs root
And anyway if it was mounted in the sandbox nothing else could see it

halfline: right it would need to be mounted twice i guess

mwleeds: Why twice? Can't the flatpak see the mount on the host somehow?

alexlarsson: However, you might be able to start it with something like HostCommand

mwleeds: Maybe --filesystem=/keybase

alexlarsson: yeah, no need to do it twice
but it has to be done outside

mwleeds: ok. Maybe I'll try doing that

halfline: well it would have to be bind mount at a minimum... i mean the app doesn't have the same fs root ...

alexlarsson: However, the thing that has to run on the outside is fusermount
Not the keybase fuse implementation
That can run in the sandbox
Normally libfuse spawns fusermount itself, but this would need a bit of custom code to do it otherwise

halfline: already seems to do it on its own
ExecStartPre=-/usr/bin/env fusermount -uz /keybase
ExecStart=/usr/bin/kbfsfuse -debug /keybase
Restart=on-failure
(from ╎❯ cat /usr/lib/systemd/user/kbfs.service )
oh
no
the -u means unmount
it's just cleaning up stale mounts before starting

alexlarsson: yeah
so, what you need to do is this, from libfuse:
snprintf(env, sizeof(env), "%i", fds[0]);
        setenv(FUSE_COMMFD_ENV, env, 1);
        exec_fusermount(argv);
but, as a HostCommand
But that should be doable, as HostCommand lets you pass both env vars and fds
mwleeds: can they go from there?

mwleeds: ah, hopefully that won't require re-implementing much of libfuse in keybase

alexlarsson: no, not really
This is just the setup

mwleeds: alexlarsson: I'll post on https://github.com/keybase/client/issues/8264 and see if they want to do it themselves or want help

alexlarsson: https://github.com/libfuse/libfuse/blob/fuse_2_9_bugfix/lib/mount.c#L399
Thats the code they want to replace
https://github.com/flatpak/flatpak/blob/master/data/org.freedesktop.Flatpak.xml#L38
Here is the hostcommand dbus call
obviously they also need to request access to that
(which, basically neuters any real "sandbox")
Also, obviously this requires "fusermount" to be installed on the host
But, since flatpak itself uses that thats pretty safe

mwleeds: yeah but maybe it could be done in a way that you can run it without that permission and kbfs wouldn't work but at least it wouldn't fall apart

alexlarsson: yeah
If they are interested but fail to make it work i can help them
I've wrangled libfuse before...

So @cjb or anyone else involved in Keybase development: do you want to do this? If not, I'll try to put a manifest together

Would be cool to have help, thank you! And, I might be wrong, but I don't think the Keybase app itself makes file accesses inside /keybase, at least today.

So, one thing is problematic, there is no way ever that a flatpak app can create a mountpoint like /keybase, as it is running as a user with no root rights.

@alexlarsson isn't that the problem that using HostCommands solves?

HostCommand lets you run fusermount to mount the FS, but it cannot create the mountpoint. That needs write permissions in /.

Oh, got it. Well maybe the best we could do is show a message to the user telling them to make the mountpoint and then restart the app.

Maybe it should ask for a path? Always using a global for seems rude.

Yeah, I guess that's up to the keybase team. I doubt they want the flatpak'd client to use a different mountpoint than the client otherwise would.

The idea is that the /keybase mountpoint's the same across platforms (same on macOS) and you can pass /keybase paths around to other users and use them in scripts. So that's why it uses the rude global path. :)

The idea is that the /keybase mountpoint's the same across platforms...

Bad idea. Path for your program could be defined in /etc/profiles.d/. You can define variable $KEYBASE or just use $HOME.

...use them in scripts. So that's why it uses the rude global path. :)

Would the ~/keybase location not be sufficient enough for that functionality? Current methodology seems kind of upside down, instead of just telling the shell where to go you are insisting on a certain place. Ease or difficulty to script is a feature of the chosen shell and therefore users concern.

Also these: #10033 #9643 #8960 #4739 #2604 #3349 #4162 https://milouse.keybase.pub/

Looks like Keybase now uses ~/.local/share/keybase/fs as its mount. There's also a link from /keybase to /var/lib/keybase/mount1 and from there to ~/.local/share/keybase/fs on my system, but I think those are just for backwards compatibility so maybe it's not too bad that a flatpak won't have those.

On my HP Stream laptop, the best OS I found is EndlessOS but they do not support deb.... THey use a lot flatpack, What work around I can use to make keybase work on my EndlessOs ?

The solution is mount bind.
https://unix.stackexchange.com/questions/198590/what-is-a-bind-mount?answertab=active#tab-top

Why FUSE instead other options like WebDAV?

Simple - change mounting from root to none root with bind directory. Use mount bind or fuse link is on top of this two post.

Flatpak has been using FUSE for a while now, any possibilities to reinvestigate the option?
https://www.phoronix.com/scan.php?page=news_item&px=Flatpak-1.3.2-Released

@alexlarsson wouldn't a GVFS module that you bindmount as /keybase inside the flatpak container solve the problem here?