{"id":546,"date":"2023-01-31T23:48:33","date_gmt":"2023-01-31T23:48:33","guid":{"rendered":"https:\/\/stikonas.eu\/wordpress\/?p=546"},"modified":"2023-02-01T00:18:40","modified_gmt":"2023-02-01T00:18:40","slug":"building-flatpaks-and-freedesktop-sdk-from-scratch","status":"publish","type":"post","link":"https:\/\/stikonas.eu\/wordpress\/2023\/01\/31\/building-flatpaks-and-freedesktop-sdk-from-scratch\/","title":{"rendered":"Building flatpaks and Freedesktop SDK from scratch"},"content":{"rendered":"\n<p>Flatpak applications are based on runtimes such as <a href=\"https:\/\/invent.kde.org\/packaging\/flatpak-kde-runtime\">KDE<\/a> or <a href=\"https:\/\/gitlab.gnome.org\/GNOME\/gnome-build-meta\">GNOME<\/a> Runtimes. Both of these runtimes are actually based on <a href=\"https:\/\/freedesktop-sdk.io\/\">Freedesktop SDK<\/a>, which contains essential libraries and services such as Wayland or D-Bus.<\/p>\n\n\n\n<p>Recently there has been a lot of discussion about supply chain attacks, so it might be interesting to ask how Freedesktop SDK was built. The answer can be found in the freedesktop-sdk <a href=\"https:\/\/gitlab.com\/freedesktop-sdk\/freedesktop-sdk\/-\/blob\/81c3ca30655a2589cf2d9bdc89b26bed924424a2\/elements\/bootstrap\/build\/base-sdk\/image-x86_64.bst\">repository<\/a>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sources:\n- kind: ostree\n  url: freedesktop-sdk:releases\/\n  gpg-key: keys\/freedesktop-sdk.gpg\n  track: runtime\/org.freedesktop.Sdk.PreBootstrap\/x86_64\/21.08\n  ref: 0ecba7699760ffc05c8920849856a20ebb3305da9f1f0377ddb9ca5600be710b<\/pre>\n\n\n\n<p>So it is built using an older version of the Freedesktop SDK image. There is now an approved <a href=\"https:\/\/gitlab.com\/freedesktop-sdk\/freedesktop-sdk\/-\/merge_requests\/11557#c0952e383495bc906fbb2b66b4dd778dc9fed4a8\">merge request<\/a> that completely reworks the bootstrapping of Freedesktop SDK. 
It uses another intermediate Docker image, <a href=\"https:\/\/gitlab.com\/freedesktop-sdk\/freedesktop-sdk-binary-seed\">freedesktop-sdk-binary-seed<\/a>, that bridges the gap between freedesktop-sdk and <a href=\"https:\/\/github.com\/fosslinux\/live-bootstrap\/\">live-bootstrap<\/a>.<\/p>\n\n\n\n<p>So what is this live-bootstrap? If you look at <a href=\"https:\/\/github.com\/fosslinux\/live-bootstrap\/blob\/master\/parts.rst\">parts.rst<\/a> you&#8217;ll see that it is a build chain that starts with a 256-byte <a href=\"https:\/\/github.com\/oriansj\/bootstrap-seeds\/blob\/master\/POSIX\/x86\/hex0-seed\">hex assembler<\/a> that can build itself from its <a href=\"https:\/\/github.com\/oriansj\/bootstrap-seeds\/blob\/master\/POSIX\/x86\/hex0_x86.hex0\">source<\/a> and a 640-byte <a href=\"https:\/\/github.com\/oriansj\/bootstrap-seeds\/blob\/master\/POSIX\/x86\/kaem-minimal.hex0\">trivial shell<\/a> that can read a list of commands from a file and execute them. It then proceeds to build 130 (at the time of writing) other components, and in the process builds GCC, Python, Guile, Perl and lots of other supporting packages. Furthermore, each component is built reproducibly (and this is checked using a SHA256 hash).<\/p>\n\n\n\n<p>One caveat: at the moment freedesktop-sdk-binary-seed still uses an older binary of rustc to build rustc, but in principle one could leverage <a href=\"https:\/\/github.com\/thepowersgang\/mrustc\/\">mrustc<\/a> to build it. Or possibly rust-gcc will become more capable in future versions and will be able to bootstrap rustc.<\/p>\n\n\n\n<p>So unless your flatpak application uses Rust, it will soon be buildable from a sub-1 KiB binary seed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Flatpak applications are based on runtimes such as KDE or GNOME Runtimes. Both of these runtimes are actually based on Freedesktop SDK, which contains essential libraries and services such as Wayland or D-Bus. 
Recently there has been a lot of discussion about supply chain attacks, so it might be interesting to ask how Freedesktop SDK was &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":4,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[64,12],"tags":[60,62,63,3,65],"class_list":["post-546","post","type-post","status-publish","format-standard","hentry","category-bootstrappablebuilds","category-kde-2","tag-bootstrappablebuilds","tag-flatpak","tag-freedesktop-sdk","tag-kde","tag-live-bootstrap"],"_links":{"self":[{"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/posts\/546","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/comments?post=546"}],"version-history":[{"count":2,"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/posts\/546\/revisions"}],"predecessor-version":[{"id":549,"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/posts\/546\/revisions\/549"}],"wp:attachment":[{"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/media?parent=546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/categories?post=546"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stikonas.eu\/wordpress\/wp-json\/wp\/v2\/tags?post=546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}