Bug 496733 - KleverNotes should not exit the sandbox
Summary: KleverNotes should not exit the sandbox
Status: REPORTED
Alias: None
Product: KleverNotes
Classification: Applications
Component: Plugins (other bugs)
Version First Reported In: 1.1.0
Platform: Flatpak Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Louis Schul
Reported: 2024-11-27 02:17 UTC by Yaakov Selkowitz
Modified: 2024-11-27 08:56 UTC

Description Yaakov Selkowitz 2024-11-27 02:17:52 UTC
SUMMARY
KleverNotes currently uses `KSandbox` to call applications on the host to support the syntax highlighters and UML diagram plugins.  Instead, the necessary tools should be included in the flatpak (either directly, or as extensions).  This would make the app self-sufficient, not require the elevated `org.freedesktop.Flatpak` permission to break out of the sandbox, and not require the user to install additional software on their host.

If you concur, I can provide a patch which removes `KleverUtility::isFlatpak()` and all use of `KSandbox` which works for me in a locally built Fedora flatpak with the additional tools included.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: on Fedora
KDE Plasma Version: 6.2.3
KDE Frameworks Version: 6.8.0
Qt Version: 6.8.0
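
As an added example (not part of the original report and not KleverNotes code), this is one way to audit whether an installed Flatpak app holds the `org.freedesktop.Flatpak` permission discussed above. It reads the keyfile printed by `flatpak info --show-metadata <app-id>` and goes slightly beyond the report by also flagging a wildcard bus name and an unfiltered session bus socket; the sample metadata and the app id `org.example.Notes` are constructed.

```python
import configparser

ESCAPE_NAME = "org.freedesktop.Flatpak"

# Constructed sample in the keyfile format printed by
# `flatpak info --show-metadata <app-id>`; the app id is a placeholder.
SAMPLE_METADATA = """\
[Application]
name=org.example.Notes
runtime=org.kde.Platform/x86_64/6.8

[Context]
shared=ipc;
sockets=wayland;fallback-x11;
filesystems=xdg-documents;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.kde.StatusNotifierWatcher=talk
"""

def name_matches(pattern, name):
    """Match a bus-policy key against a name, honouring the 'prefix.*' form."""
    if pattern.endswith(".*"):
        prefix = pattern[:-2]
        return name == prefix or name.startswith(prefix + ".")
    return pattern == name

def sandbox_escape_findings(metadata_text):
    """Return the permissions that let the app reach org.freedesktop.Flatpak."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # bus names are case-sensitive, so keep key case
    cp.read_string(metadata_text)
    findings = []
    sockets = cp.get("Context", "sockets", fallback="")
    if "session-bus" in [s for s in sockets.split(";") if s]:
        findings.append("sockets=session-bus: unfiltered session bus access")
    if cp.has_section("Session Bus Policy"):
        for key, policy in cp.items("Session Bus Policy"):
            if policy in ("talk", "own") and name_matches(key, ESCAPE_NAME):
                findings.append(f"{key}={policy}: grants access to {ESCAPE_NAME}")
    return findings

if __name__ == "__main__":
    for finding in sandbox_escape_findings(SAMPLE_METADATA):
        print("FINDING:", finding)
```
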
Comment 1 Louis Schul 2024-11-27 08:56:31 UTC
(In reply to Yaakov Selkowitz from comment #0)

Thanks for the suggestion, but I'm opposed to it.

Including them directly is a no-go for me:
- Currently there are already 4 that should be included (3 syntax highlighters and PUML); that could be okay. But what if I want to support more highlighters or more external programs? Where is the limit? How big could this flatpak be?
- KleverNotes is a note-taking app which happens to support the use of external programs. Users should receive a note-taking app and nothing else; if they want the rest, they have the choice to download the other programs. I won't force the rest.

Extensions:
The current system is the closest thing I was able to do to mimic extensions without too much overhead. But if you're able to pull that off without exiting the sandbox and without including everything, I'm sold!

Side note:
- I have a feature on my list to let people use scripts (Python, C, C++, whatever) to interact with the note. And I have a working proof of concept with the current system.

To sum things up:
- Including everything: You can forget that idea, I won't change my opinion about it.
- Having an extension system: The current one was an easy way to do it. I don't plan on changing it (at least now, who knows), but if you have the tools to do it, I would be happy to review the code.