So, yeah, welcome to "box office"; if you assumed anything related to popcorn, this is not the right presentation, I'm sorry. What I'll talk about is putting LibreOffice into a sandboxed xdg-app bundle. If you happened to be at GUADEC this year, then most of it will sound familiar; I gave pretty much the same talk back then. This time I'll concentrate more on the part that we as LibreOffice will have to do to make this a wonderfully working reality.

So maybe some of you haven't even heard yet about what xdg-app actually is. It is an initiative that started a while back. It's hosted in, or rooted in, the GNOME and freedesktop communities, as the name suggests, and tries to reach two goals. One is to make it easier for developers to produce binaries that will run on arbitrary Linux distros, so that you just build it once and then run it everywhere, and don't have this problem of having to deliver it for various Linux distros. The other aspect is: there's so much software out there from people, some of whom you might know, others you have no idea who they are, what they wrote, why they wrote it, whether there's anything bad in there, or whether on the way to you maybe somebody put something bad in there. So you want to have some security in downloading something from the internet and running it, and the way to do that of course is to run that app in some kind of sandbox that shields the rest of your system from whatever that app does, so the app is limited in what it can do. For us of course that means: if we are limited in what we can do, we need to find ways to still let the user do what he wants to do with our app. I'll come back to that later.

So that's xdg-app in broad strokes. I'll first concentrate on this part of building just once and running everywhere. So what is our matrix of pain there?

As most of you know, we have hundreds of configure switches, more or less obscure ones. We have close to a hundred external submodules that we depend on, that need to be there in some way on the platform that we later run on: either we bring them with us or we depend on them being available already on the platform. We have about a hundred localizations. That's also a thing to consider if you want to package some software: do you just package it for the US market, for the globalized everybody-speaks-English market, or do you go into the individual locales and actually face your users there? So we're famous for being able to break whatever system is out there and whatever framework is out there; somebody created this lovely t-shirt, and some people even wear it. So, yeah, this is one more framework where we can see if we can stretch its limits.

So, for us or for any application that wants to go out into the world and be available: publish the source and compile it yourself is one option, but most of your end users want to have some binary. This is especially so with our TDF hats on now. We do Mac builds, we do Windows builds; that's plain business, because there's one target to target. You just need to make sure what the base version of Windows or Mac is that you want to target. When it comes to Linux it's rather fractured, because the Linux world is not one stable common API but a lot of different individual libraries that have their APIs, and each distro bundles a different set and uses different ways to deliver software, be it RPM or deb, libraries having different sonames to link against, and stuff like that. So what we as TDF do, for example, is to produce deb and RPM packages for x86 and x86-64 builds. All the distros do that themselves of course, anyway, for their versions of LibreOffice, but sometimes users do want to use a version that is not yet available in the distro, if only for testing, for example, so they demand to also have builds done by TDF of the latest release, for example. So our TDF build is somewhat crippled, or used to be somewhat crippled. For example, it's been a pain to update to GTK 3, or to get rid of this old GnomeVFS, which is a method of accessing non-file-system data like HTTP or FTP or whatever in some centralized common way. There's an old implementation and a new one, and we were stuck with the old implementation, because that was the only thing we could expect from the baseline that we want to run on, which is a very old Linux. So the hope is that we'll reach a point where we can just build once and be done with it.

Another thing that may benefit from this is our bibisect repos, which are also done by somebody with a fat machine to keep his house warm in the winter. These people just more or less randomly pick from this matrix of 100 or 300 configure switches, so it might happen that by accident they pick one switch to build against a system library on their machine, and then when you download that huge bibisect repo, that one little library has a different name on your machine. That was one famous case where, with at least one of the repos, if you run it on Fedora, you need to rename or symlink one system library to a different name so that the LibreOffice app will find it and be happy again. But that's the unfortunate thing: you've downloaded a huge bibisect repo, you want to use it, and then you find out there's one little issue that keeps you from using it. If we would use xdg-app binary bundles for that, that is a thing that couldn't have happened, by definition.

So, actually trying to stuff LibreOffice into this framework: how does that look?

xdg-app, as I said, is a standardized interface, a standardized environment in which applications run, so they do define this very precise API of what is available. That's the one point. The other: when you do want to build such an application for this framework, then there's of course some sort of SDK, which is all the headers and the libraries that you need that match the runtime environment. That is, somewhat unfortunately, built on top of some Yocto distro that is mostly aimed at embedded, and has, as we then found out with our break-every-toolchain approach, some slight obscurities. Like, it's the first instance where I found a distro that lacks one of the obscure Perl Archive modules that we still need during the build, because we have this legacy part of the install-set creation that is still based on some 15-year-old Perl scripts; help us to eventually fix that by removing that part of our system. Anyway, what I do for now is just, from the outside, copy that one Perl module from the system into the Yocto SDK.

Another point, for example, was that there was no GLU library there for OpenGL; that is a kind of wrapper library to simplify things. The good news was that there were only two places, I think, in our code base that used it, and those could both be removed, so we dropped one of our hundred external dependencies by doing that. Anyway, one other thing that took a while to debug is that one of our externals that we do include, because it is not available on the base that we run on, ran an xml2-config script, which is like pkg-config just especially for libxml, and should give you the command line arguments to link against libxml. But in this Yocto base, for whatever reason, that xml2-config script is reduced to one line which says `exit 1`, so it returns failure. So the configuration of our external module, I think it was Redland, that uses that kept failing with a very strange error message. For now I went into our internal Redland module and patched it to no longer call xml2-config.

So with that out of the way, configure and building does work smoothly. It disables lots of stuff that is not available in the base there, and some of it doesn't even make sense yet. For example CUPS: there's no printing yet from inside the sandbox; I'll come to that in a moment. There's no Java in there, so it disables Java; the solution probably, if you want to keep Java available for the extensions in LibreOffice, is that you need to bundle a JDK, a JVM, into our app. Most of the things we depend on from the system we can use the actual system ones; there are about 30 cases where things are not available in the runtime platform but where we have these external libraries bundled, and so we use those. This is still X11 based; moving forward to Wayland, but for now it's X11. What falls out of all that then is a not-that-small bundle of about 350 megabytes. So that's what users would then need to download, and that's just one language; I'll talk about how many languages later.

Maybe I'll interlude here with a little demo of it before I come to the explanation of how the sandboxing actually works. So you then have that application bundle. You can push that up to application repositories on the internet from where you can download it; I've done all that, it's just too much bandwidth here. And then there's a little application that is, for example, already available in Fedora; the latest Fedora releases already have this xdg-app thing. If you want to run an application inside it, you do `xdg-app run` and then a name for the application, and voilà, all in colors, surprisingly, the process starts, and you can even pass parameters. What you see is your average standard LibreOffice, sandboxed; you don't notice much of it at first view. But if you, for example, want to open a file, then there is a file dialog opening up and you have a home directory. Yeah, that's the sandbox part: the home directory is empty. We are running in a fake environment where you don't have your normal home directory, so this app, if it were malicious, couldn't modify your data or read your data. There's nothing much here that we could open. We do have, in the root, an app directory where our installation actually is, so if you know how a LibreOffice installation tree looks, this looks familiar; it's just the tree. So we might try to open the license file that's included there, and that will work, read-only, because the installation tree is read-only. So that's not that much fun for actually using LibreOffice: you could draw your drawings in there for fun and then throw them away, because they can't be saved to outside the sandbox. You can save inside the sandbox, so when you reopen the office your wonderful drawing that you did last time would reappear, but you can't get it out of there.

So that needs to be changed, and there is hope, there is change available. There's a feature that I faked into this LibreOffice, but it's an otherwise vanilla one. I took the feature that we do have two different file dialogs anyway, the system one and the LibreOffice-internal one, which has a different feature set and looks the same across all systems. I took that out and replaced it with one that is the sandbox-specific file open dialog, and when I use that one, now the file open dialog looks very different. This is a kind of mock-up state for how it will look in the future; this is still all work in progress, how the xdg-app framework will look in the end. So for now you can navigate into your true home directory. So here's my documents folder. There's some test ODT, which I can't see like that, and voilà, there it opens. I have some debug code in there, so what it actually does open inside the sandbox is not anything in the home directory, but there is a FUSE file system behind the scenes that maps that file from outside the sandbox into some /run/user/... whatever place, and that's the file URL that I'm using inside the sandbox. But via FUSE from outside the sandbox it is actually the same file as the one in my home dir.

[Audience question.] So, OK: this is the sandboxed one, this is the right one. Yeah. Can you open the same file? Sure, if it will be... still there. There's the test, there's the test. Yeah, it even works for this version; this is a slightly outdated version. Things are moving quite fast at the moment. But it's persistent, yeah.

So, running out of time, I'll hurry up a bit. The interesting part about the sandboxing for our build, as I said in the beginning: people are not sure about what they download from the internet. That's probably not the biggest motivation to run LibreOffice sandboxed. But another very real and very important use case for actually sandboxing LibreOffice is that we do have bugs, some of them still in our code, and some of them might be security risks. So if you do have a document from somewhere on the internet and you don't trust its author, then it might happen that if you open it, it could compromise your system. So if you do run that in a sandboxed LibreOffice, then you're much better off. That's the very real use case for sandboxing LibreOffice.

So how does this (let me go full screen again), how does this file accessing work? The idea behind all this, getting out of the sandbox or reaching resources from outside the sandbox, the philosophy behind how to do that, as always, is: there needs to be some code which runs outside the sandbox in the trusted system, so it's from your trusted Fedora distro, that is actually executing some code on your behalf. So, while you're running inside the sandbox, you initiate some activity outside the sandbox that can access resources outside the sandbox. And because you as a user, and not your program behind your back, because you as a user in the UI initiate that, the sandboxing framework will then open a small little hole that allows that resource to be accessed from within the sandbox. So the magic point about it is: the code that actually does the allowing and opening of the channel into the sandbox runs outside the sandbox, so that the application can't tamper with it, and the request to actually do something needs to come from the user and not automatically from the application itself.

So what's done with this file dialog that I presented is a D-Bus interface from the sandbox to the outside world. You can request to open the dialog; that dialog goes up in the outside world. It's a dialog that the application itself can't control, because it's a real GUI dialog that the user has to operate. You select a file there; you have full access to all the files there. Just that one file that you select is then made available, as I said, via FUSE inside the sandboxed application. That's the simple idea.

In the way comes LibreOffice with all its ideas of what it wants to know about its environment. Simple apps will be happy with just having that one file. We, for example, want to know whether some other instance of LibreOffice locked that file. Or, there's also a feature in Calc to have multiple users work on the same file, and then there's some additional file next to the original file itself that records all that information. So we don't want to only have this one file; we want to create another file next to it, and that's where things start to get interesting, and where you need to make sure that your sandboxing features make that available.

So you saw that the test document that I opened opened up in read-only mode, because we can't create this lock file next to it. There's also the way these files are made available: now it's via FUSE, and in a previous instance it was done via GIO and a special document URL scheme. That would have had for us the benefit that, when we open some document via GIO, we know it's remote, so we don't try to create this lock file anyway, so our code paths would already have taken care of some of the things that we now need to take care of to make it possible, for example, to save files. This is for now only file open; file save will be the next thing. Printing is a thing that needs to be addressed, both in the sandboxing API and probably as well in our code base. So there will be a number of small tweaks and fixes that will be needed in our code to make it actually work inside a sandbox. Well, like I showed with that dialog, that was just some ten lines of code to swap in this special file open dialog. I think in all these cases it won't be much work; it'll be little tweaks here and there.

Another thing that will come up is how to handle these 100 localizations: whether to build a hundred different apps, each with one localization, or to bundle all the localizations and have an app that is even larger than 350 megabytes. For Windows, for example, the Windows installer that you download includes all the languages, and then at installation time you just choose the ones that you want to put on your hard disk. So that's a precedent for people downloading that much data anyway and not complaining too much about it, so it might be feasible to include all of them, or the majority of them.

Some other minor issues: like, we try to only have one instance of LibreOffice running, via some protocol of our own listening on some Unix domain socket. This of course is something that is also forbidden in the sandbox: to create arbitrary sockets and listen on them. But there's also a D-Bus service to do pretty much the same thing, so we can use that. So it's one of the things that just needs a little tweaking. And that's it for me, so if you have any questions... I think it's time for coffee.
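The following is an added example, not part of the talk and not LibreOffice or xdg-app code. It models the per-file grant the talk describes for the file-open path: a trusted, out-of-sandbox portal exposes exactly the one file the user picked, under a document directory modelled on the /run/user/.../doc/&lt;id&gt;/&lt;name&gt; layout the talk alludes to, and a sandboxed opener that, like the demo, falls back to read-only when the sibling lock file cannot be created. The document-id scheme and directory names are assumptions of the model, the lock file name `.~lock.<name>#` is the LibreOffice convention but the "office" here is a toy, and the model assumes the grant covers reads and writes of the selected file itself (the talk notes that file save was not yet wired up).

```python
"""Constructed model of a per-file document grant (not xdg-app's real
portal or FUSE code). Everything here is illustrative and self-contained."""
import tempfile
from pathlib import Path

LOCK_PREFIX = ".~lock."  # LibreOffice's sibling lock file convention: .~lock.<name>#


class DocumentPortal:
    """Trusted side, running outside the sandbox. Only the host-side file
    chooser (i.e. the user) adds grants; the sandboxed app never can."""

    def __init__(self, mount_root: Path):
        self.mount_root = mount_root          # assumed: /run/user/<uid>/doc
        self._grants: dict = {}               # sandbox path -> host path
        self._next_id = 1

    def user_selected(self, host_path: Path) -> Path:
        """Simulates the user picking host_path in the out-of-sandbox dialog:
        exactly that file becomes visible at <mount_root>/<id>/<name>."""
        doc_id = f"{self._next_id:08x}"       # assumed id format
        self._next_id += 1
        sandbox_path = self.mount_root / doc_id / host_path.name
        self._grants[sandbox_path] = host_path.resolve()
        return sandbox_path

    def resolve(self, sandbox_path: Path) -> Path:
        """Called by the sandbox's filesystem layer. Anything not granted,
        including a sibling in the same document directory, is refused."""
        host = self._grants.get(Path(sandbox_path))
        if host is None:
            raise PermissionError(f"not granted to the sandbox: {sandbox_path}")
        return host


class SandboxedFS:
    """The only route by which the sandboxed app reaches files outside /app."""

    def __init__(self, portal: DocumentPortal):
        self.portal = portal

    def open(self, path, mode="r"):
        return open(self.portal.resolve(Path(path)), mode, encoding="utf-8")


def open_document(fs: SandboxedFS, doc: Path) -> dict:
    """Toy office 'open': try to create the sibling lock file first; if the
    sandbox refuses that, fall back to opening the document read-only."""
    lock = doc.parent / f"{LOCK_PREFIX}{doc.name}#"
    try:
        with fs.open(lock, "w") as f:
            f.write("constructed lock record\n")
        writable = True
    except PermissionError:
        writable = False
    with fs.open(doc) as f:
        content = f.read()
    return {"content": content, "writable": writable}


def run_demo() -> dict:
    """Sets up a constructed host home and document mount, then exercises the
    grant from the sandboxed side. Returns the observations for checking."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home" / "user"
        (home / "documents").mkdir(parents=True)
        host_doc = home / "documents" / "test.odt"      # constructed sample file
        host_doc.write_text("constructed document body\n", encoding="utf-8")
        (home / "documents" / "secret.txt").write_text("not for the sandbox\n",
                                                       encoding="utf-8")

        portal = DocumentPortal(Path(tmp) / "run" / "user" / "1000" / "doc")
        fs = SandboxedFS(portal)

        # 1. The user picks the file in the host-side chooser; one path is granted.
        granted = portal.user_selected(host_doc)
        result = open_document(fs, granted)   # lock file refused -> read-only

        # 2. The sandbox cannot reach the host path directly ...
        try:
            fs.open(host_doc)
            result["host_path_refused"] = False
        except PermissionError:
            result["host_path_refused"] = True

        # 3. ... nor an ungranted sibling in the same document directory.
        try:
            fs.open(granted.parent / "secret.txt")
            result["sibling_refused"] = False
        except PermissionError:
            result["sibling_refused"] = True

        # 4. Writes through the granted path land in the user's own file:
        #    the mapped view and the home file are the same file (assumed
        #    here to be writable, as the talk's FUSE aliasing suggests).
        with fs.open(granted, "a") as f:
            f.write("edited inside the sandbox\n")
        result["host_sees_edit"] = host_doc.read_text(
            encoding="utf-8").endswith("edited inside the sandbox\n")
        return result


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the model is the one the talk makes: the decision of what the sandbox may touch is made by code and a user action outside the sandbox, so an application that wants a second file next to the document (lock file, shared-editing metadata) has to either ask the user again or cope with its absence, which is why the demo's document came up read-only.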