External data checker for Flathub

29 Nov 2019

To work around restrictions surrounding redistribution and repackaging of proprietary applications, Flatpak supports storing only the URL and metadata needed for verifying file integrity in the app bundle. During installation, such files are downloaded and extracted completely locally, thus not breaking the license.

However, this solution is not ideal. If the vendor decides to use an unversioned URL or removes older releases when new versions are released, it makes the application impossible to install until the Flatpak maintainer updates the metadata. It has become a growing problem for Flathub, and annoying enough that fine people at Endless wrote a tool which periodically checks Flatpak manifests and submits pull requests with fixed extra-data information, and started to run it on few chosen apps.

The fact that it operated without a Flathub stamp of approval meant that it remained rather unknown. Thanks to Will Thompson’s patience, last week it was transferred to Flathub organization on Github and can be considered officially supported. It is enough to define x-checker-data in application’s manifest and it will be scanned every hour.

If you maintain an extra-data app – or use one and want to contribute! – please take a look at the documentation of flatpak-external-data-checker. It will prove useful also for regular applications, as it can detect broken checksums of any external data too. While we do not run it on all applications yet, it will happen in near future.