Flatpaks in templateVMs

I want to use flatpaks to instal apps that are unavailable in the default repositories and because I use flatpak for development.

Currently I have created a less-trusted template which I connect to sys-firewall and limit outgoiing connections to dl.flathub.org and other related ones.

This seems to work okay, and apps work fine in all app vms and appear in the app menu (after you install the required xdg-desktop-portals which for some weird reason didn’t exist by default).

However I would also like to use them in my main templatevm, but this seems generally unrecommended, especially connecting trusted templates directly to a net-vm.

I tried using instead HTTP_PROXY= flatpak to use the proxy vm, this makes finding updates work without a net-vm (before it would fail immediately). But actually installing or updating anything fails with name resolution failures and HTTP_PROXY doesn’t seen to make dns work for anything.

What are the security risks of installing flatpak apps from for example flathub in trusted templatevms?

Not really an avid user/fan of flatpaks so, I can’t weigh in too much but, AFAIK the issue lies with who/what one trusts upstream thus, how well said upstream is audited & maintained as well as one’s ability to keep them update. This last bit is where you’d likely be “flying solo” as, currently Qubes core-agent update mechanism would not capture the flatpak updates so, you might be looking at adding a cron job or something similar (systemd service?) to your flatpak TemplateVMs to achieve this.

That said, I had a call to take a look at flatpaks myself and, saw your post so, maybe this will help with installs. For some reason, flatpak seems to be a bit fickle about how it consumes http_proxy env variables. What I found to work was wrapping an explicit URI with double quotes like this:


Here’s a sample bash snippet that allows me to install flatpaks from a repo within a root shell from a TemplateVM (debian-11-minimal) with no NetVM assigned:

# 1. Install Flatpak
apt install flatpak -y
# (Optional) Install the Software Flatpak plugin
#apt install gnome-software-plugin-flatpak

# 2. Add the Flathub repository
export http_proxy=""
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

ftr after upgrading flatpak from 1.10 to 1.14 flatpak update started erroring out with “error in name resolution”, setting all_proxy=… instead of http_proxy helped to move further but it still fails with same error when installing update. strace doesn’t show actually any attempt to resolve dns but looks like some files in flatpak tree are missing, need to dig more later