Allow a flatpak to discover/call another flatpak

[Jehan]

Hi!

GIMP has this nifty new feature for opening RAW images, which is we use third-party advanced RAW software for the job. The idea is: why bother reimplementing a shitty 3-slider RAW developer as a plugin which will mostly be a toy when there are really good complete ones, and several being Free Software, like darktable or rawtherapee.
So now when someone tries to open a RAW in GIMP, we detect installed darktable and rawtherapee and redirect the call to the user's favorite RAW software (if both are installed, one can choose one's favorite in GIMP's preferences). When the editing stops on this third-party software, it automatically sends back the result to GIMP for further editing.

Unfortunately this feature stopped working with flatpak. Flatpaked GIMP don't see DT/RT installed by the system packaging, nor installed as flatpak.

Let's say we don't mind not detecting non-flatpak DT/RT. After all, flatpak is a sandbox and one of the goal is to shield the system. But couldn't there be an API to detect other flatpaks and being able to run them? I see there is a darktable flatpak for instance. It would be awesome if we could detect it within GIMP flatpak and run org.darktable.Darktable.

[TingPing]

You can open URIs but it doesn't work for local file://'s so that is probably the best way to expose that. It does create an easy sandbox escape but the user will have to explicitly allow it.. don't know if that makes it ok.

[Jehan]

How would it work exactly? I'm not sure I understand your workaround.

For info, right now (out of flatpak), we discover the third-party app in a Linux OS by simply checking its availability in the path.

[TingPing]

You let the host handle file associations and you would just pass it the raw file.

[Jehan]

Not all RAW software will work well with GIMP (currently only darktable and rawtherapee). There is a coded layer between GIMP and the RAW software. This specific feature has been closely created together by developers of all 3 projects (GIMP, darktable and RawTherapee) so that there is a back-and-forth interaction/connection.

In particular if we just let file association handle the file, once the user is done developing the RAW, the third party software would not give back the result to GIMP. And that also means we can't just give the file to the RAW software in a common way. GIMP actually runs a command with specific options.
Here is the workflow currently:

• the photographer opens a RAW file in GIMP;
• GIMP automatically opens the RAW file in DT/RT;
• the photographer tweaks/develops the image in DT/RT;
• when finished, the photographer closes DT/RT (no need to save/export anything);
• GIMP automatically loads the result of the developed RAW;
• the photographer can continue working on the image in GIMP.

So no, we can't just let the host handle file association. The point is not to redirect the file towards some other software and not hear about it anymore. That feature would make no sense at all (if that's what we want to do, we'd just say we don't support RAW images). The point is acknowledging that the RAW development is better done in a specialized software, but further image editing are better done in GIMP. This is basically a workflow where various more specialized software work together seamlessly and are connected, sharing images and work-in-progress at different steps, like a "Free Software graphics suite" or something.

[matthiasclasen]

Well, thats just not how sandboxes work: they isolate applications from each other and from the host system. If you want deep integration, you can ship the auxiliary software as part of your flatpak, and have it run in the same sandbox. Otherwise, you may need an api between the two apps to facilitate this sort of interaction. A d-bus api would be much easier to integrate in the existing tooling than launching the app with special options.

[Jehan]

Ok we'll discuss this.
It may indeed be better than a flatpak-specific communication protocol.
I opened this on our side: https://bugzilla.gnome.org/show_bug.cgi?id=791362

[matthiasclasen]

This is basically a portal question, so moving it over to xdg-desktop-portal

[wjt]

Given an application-specific D-Bus API, and --talk-name=com.example.Foo in the app which needs to be able to tell Foo to do things, that app can tell whether Foo is installed by either trying to call a method on it (which would fail if it's not installed) or calling ListActivatableNames on org.freedesktop.DBus (the bus daemon itself, not the portal) to see whether it's present. The other half of this would be a “please install this app” portal.

---

The status quo is that, if you don't mind being GNOME specific and your app can talk to org.gnome.Software, you can tell it to show the details page for an app:

org.gtk.Actions.Activate("details", [GLib.Variant("(ss)", ("system/flatpak/flathub/desktop/org.gnome.dfeet/stable", ""))], {})

Or to install it (without user confirmation):

Activate("install", [GLib.Variant("(su)", ("system/flatpak/flathub/desktop/org.wesnoth.Wesnoth/stable", 1))], {})

Aside from the GNOME-specificity, there are some big caveats:

• You have to know the remote name and branch name for the app
• You can't tell when the app has been installed (or cancelled) without polling

I imagine that a better interaction would be (on GNOME):

• App calls InstallApp(window_id, "com.example.Foo", {"preferred-remote": "org.flathub.Stable"})
• If Foo is not installed:
  • User gets a cut-down version of the GNOME Software details page as a dialog, where they can choose to install Foo or cancel
  • Once they do one or the other, Response fires
• If Foo is already installed:
  • Response fires at once? Unfortunately, this would allow any application to test for what other applications are installed, which has been deemed undesirable in the past, though at least the user would be spammed with dialogs for each app that's not installed so it would be visible…
• Assuming success, App can now activate and talk to Foo over D-Bus

Seem plausible? @manuq can you comment from the point of view of wanting an API like this?

One thought was whether we could instead add a hint to OpenURI / OpenFile of the preferred application to use to open something, and in the case where that app is not installed, the portal could offer to install it.

[manuq]

@wjt yes, your description matches exactly what an ideal portal API would look like.

• Ability to check if another app is installed from a flatpaked app.
• Ability to offer the user to install the app if not installed (through gnome-software in GNOME).
• Continue the original app flow once the other app is installed.

And I agree, making this a user-facing portal mitigates the sandbox flaw of discovering other apps.

Regarding app A start talking to app B, our use-case only needs app B installed. We talk to gnome-shell to launch the other app with the org.gnome.Shell.AppLauncher.Launch() DBus method, and if that doesn't work we try org.gtk.Application.Activate().

[matthiasclasen]

I think sneaking this into OpenURI might not work for all cases - you might not have a uri / file to open with the app, but instead a D-Bus request to make, or sth.

The overall plan sounds good to me.

If we are concerned about discovering installed apps, we could add a separate permission for that.

[hadess]

One thing that I'm really not sure about is how you'd solve that original workflow without either questions that the user can't answer naturally, or a lack of question that would mean that too much is opened.

What would the UI look like for those apps? How do you trigger those links/API calls between applications?

From afar, it looks like a souped-up "OpenURI" with a signal back when editing is done, an "Edit In..." call, something which Android's Intent can already do.

Should this be part of a wider "Sharing" mechanism between apps instead? Or do we really want to poke holes just between those applications and no others?

[hadess]

Or do we really want to poke holes just between those applications and no others?

On that, applications from the same domain on iOS have more open permissions between themselves, so that Google's YouTube application can offer to open a location in Google's Maps application rather than in the native/default maps application. I don't know if there's a mechanism to do that for arbitrary applications though.

[treitter]

Or do we really want to poke holes just between those applications and no others?

On that, applications from the same domain on iOS have more open permissions between themselves, so that Google's YouTube application can offer to open a location in Google's Maps application rather than in the native/default maps application. I don't know if there's a mechanism to do that for arbitrary applications though.

It looks like Universal Links allows one iOS app to open another by attempting to opening a URL. A special file on the web server is checked at the time the target app is installed to determine whether it allows other apps to make it open a given URL.

Notably, if the app is not installed, attempting to open a supported URL will open the URL in Safari; it won't take the user to the app's detail page in the App Store. The rationale is the user always gets an immediate, meaningful view of the resource without being prompted to install the app. But the website can have a clear "install the companion app for a better experience" link.

The Android approach is more flexible and respectful of the user's wishes though, so it seems like a better model for us. Eg, if there's an OpenStreetMap-based app that claims to support URLs like "https://maps.google.com/*", the user can set the default handler. My understanding is, on iOS, only the controller of maps.google.com is allowed to determine which (at most one) app is allowed to handle each URL regex starting with its domain.

[treitter]

Though I guess the original topic is best supported by a custom URI. The specific apps that support it could register as supporting that scheme and the calling app won't have to hard-code their names or URL structures. Opening a generic URI is a bit different than a service-specific URL though and only the former is appropriate for passing arbitrary local data.

Sorry if the last comment was a bit of a divergence :)

[mrmcq2u]

https://lists.freedesktop.org/archives/xdg/2014-January/013068.html - Problem 3 here is somewhat relevant.

[marcthe12]

I see 3 use cases:

1. Actually communication between apps via dbus or some other ipc.
2. Basically a safer version of flatpak-spawn flatpak run
3. Share a file/socket between 2 app (The orginal question).

Number 2 is needed for browser native messaging host system like firefox's. It could also allow run extensions that just provide binary run with another set of permissions. Inkscape has a cli and sandboxed latex will help alot.

[bnordgren]

Just piling onto the discussion here. Other cross-flatpak dependencies (already packaged) are that the OpenShot app leverages both Blender and Inkscape.

One of the nice things about Flatpak is that the packaged apps don't need to be flatpak aware. Seems like many of the suggestions fundamentally want to change how programs are executed under linux. If an app has a preferences dialog to specify the path to another executable, why shouldn't I be allowed to type "flatpak run my.app.Here app " from within a sandbox? Or make a script in $HOME/bin that does the same? Seems like the choices are: flatpak adapts to apps as they are written, or it forces all app writers to add "flatpak support".

The simple solution, of course, is to build flatpaks with combinations of apps. Need access to another app? Bundle it. This also gives the package maintainer control over the version bundled.

[rugk]

I think no adaption is required, you just need some patches to have – as you said – some script in a bin dir that then executes the flatpak run command. Patches, to make applications work better in flatpaks, are already used in many apps today on Flathub e.g., so this is not a problem IMHO.

[bnordgren]

I don't believe you can currently call flatpak from within flatpak. Check out the following and tell me what I'm missing:

[bnordgren@mine Title]$ flatpak ps
Instance   PID    Application           Runtime
2257365655 327395 org.openshot.OpenShot org.kde.Platform
[bnordgren@mine Title]$ flatpak enter 2257365655 bash
[📦 org.openshot.OpenShot ~]$ flatpak ps
bash: flatpak: command not found

Need to have a command that runs before you can point an app to the command you want to run.

[rugk]

No you cannot, but if this was implemented, the application inside the flatpak would not need to be adjusted, you would likely only need to put in some wrapper scripts for the used binaries.

[marcthe12]

Lets raise this to flatpak to handle fine grained permission to flatpak(for all flapak commands, usefull fo flatseal software centre and this case) and also permission to expose ipc stored in $XDG_RUNTIME/app.

[bnordgren]

Randomly casting about the internet, I learned about flatpak-spawn, which in line with my example up above should work like:

[bnordgren@mine]$ flatpak run --command=bash org.openshot.OpenShot
[📦 org.openshot.OpenShot]$ flatpak-spawn --host flatpak run org.blender.Blender
Read prefs: /home/bnordgren/.var/app/org.blender.Blender/config/blender/2.91/config/userpref.blend
/run/user/1000/gvfs/ non-existent directory
found bundled python: /app/blender/2.91/python
DEBUG:BlenderGIS-master.core.checkdeps:GDAL Python binding unavailable
DEBUG:BlenderGIS-master.core.checkdeps:PyProj unavailable
DEBUG:BlenderGIS-master.core.checkdeps:Pillow unavailable
DEBUG:BlenderGIS-master.core.checkdeps:ImageIO Freeimage plugin available

That opened the standard blender gui. Tweak the command line to put in the required command line arguments, and viola. From the man page (guess it still pays to RTFM):

       Unlike other flatpak commands, flatpak-spawn is available to applications inside the sandbox. It runs COMMAND outside the sandbox, either in another sandbox, or
       on the host.

       flatpak-spawn uses the Flatpak portal to create a copy the sandbox it was called from, optionally using tighter permissions and the latest version of the app and
       runtime.

[Mikenux]

Brief proposal, based on file sharing:

• Apps can request to open/send a specific file type with/to a specific app or an app chosen by the user. Apps can also ask to close an app after sending a file (GIMP-RAW case), if possible. They can also request to open file with commands, except commands capable of modifying the file.
• Apps can send multiple files in batch to another app. The user is always asked about this. The receiving app knows what to do with these files.
• Apps can share their own (i.e. not user's) asset files with other apps, read-only.
• Apps can open other apps automatically if the open app always gets the focus. However, this requires the cooperation of window managers (they cannot offer the option not to focus new windows).

[poperigby]

I think it's also important that Flatpaks are able to directly open another app, with certain arguments. For example, a Doom mod manager I was trying to package needed to be able to launch a Doom sourceport with certain arguments.

[ntninja]

I think it's also important that Flatpaks are able to directly open another app, with certain arguments. For example, a Doom mod manager I was trying to package needed to be able to launch a Doom sourceport with certain arguments.

Thing is, allowing that unconditionally would allow apps to break each others sandboxes, since an app A could just launch sh -c "…" in app’s B sandbox. Even if it is restricted to the app’s declared default command there are still cases were some apps allow callers to request them to do arbitrary things, such a running an arbitrary command after completing a task (common with backup programs, for instance). In addition, highly sandboxed App A might use this to spawn a command in effectively unsandboxed App B to facilitate a complete sandbox escape (by causing App B to write to .bashrc, etc…).

As such, such a mechanism would at least require a per-app opt-in. This would likely involve some kind of sanctioned ipc-command this may be, but not necessarily is, different from the main command already part of the manifest.

.

That said, I can think of a scheme (if someone is willing to do the one-time upfront work) that would enable this within the constraints of Flatpak’s existing infrastructure without burdening upstream projects:

1. App B includes a helper D-Bus service executable exposing a well-known interface for running its main command with a given set of command-line parameters, environment variables, file descriptors and working directory. The Flatpak Portal may provide good inspiration for such an interface, but note that all filepaths (including all files that the application needs to access and also the working directory) need to be passed as file descriptors, since its unwise to assume that filepaths will be the same between containers.

   It would be up to the Flatpak app maintainer to decide which combinations of parameters the given application may reasonably accept and reject bad combinations. A reasonable default implementation would be to only accept a single file parameter and ignore all received environment variables – if more use-cases are discovered that make sense to be allowed for the given App the scope of allowed parameters can be expanded later on.

2. App B then exposes this executable with a well-known bus-name, such as <AppId>.Launcher

3. App A declares a --talk-name=<AppId>.Launcher permission in its manifest to be granted access to said bus-name of App B.

4. App A ships a wrapper script with the usual executable name of the program shipped as part of App B that forwards all invocations to the previously mentioned D-Bus interface, passing all open file descriptors, as well as a file descriptor referring to the current working directory and all received command-line arguments over the D-Bus interface to the D-Bus service executable in App B. It then waits for a D-Bus signal indicating the the remote program has exited and exits with the received exit status.

   The wrapper script also needs to handle the case where the target bus-name does not exist. A reasonable thing to do, IMHO, would be to display message dialog to the user explaining that the target application is not installed and offer to open the Software manager to do so (by doing the equivalent of running xdg-open appstream://<AppId>).

Caveats of this approach:

1. The called App (App B) cannot identify which app it was that called it (https://gitlab.freedesktop.org/dbus/dbus/-/issues/171)
2. The launching application in App A will always think that the target application is installed since a correspondingly named executable (the wrapper script) will always be present – this will either just need to be accepted (the idea of just displaying a dialog explaining the situation would go a long way, IMHO) or require some minimal cooperation from the calling application

Albeit caveat 1 may be a major issue for some Apps, I think that for most of the use-cases mentioned above it would not be a problem and, most importantly, not require any modifications to any of the applications involved.

[Mikenux]

Reading this proposal, it seems to assume that App A has direct permission to communicate with App B's launcher. If this is that, then that's not correct for that part. The user should be asked about App A wanting to open App B and then grant permission to open App B or not. However, it's more than that: the user also needs to know why App A wants to open App B with commands. The problem with commands is that it's hard to communicate them in an understandable way in a user interface. When there is a file, we can say "App A wants to open the file with App B with custom settings", but even "custom settings" is not ideal... but the context helps if the user is asking to launch something with commands in App A. So remember that any proposal needs to be constructed in such a way that we can present a user interface that makes sense to grant the access.

[smcv]

Thing is, allowing that unconditionally would allow apps to break each others sandboxes, since an app A could just launch sh -c "…" in app’s B sandbox.

Flatpak certainly shouldn't go in a direction that would allow for that sort of interaction.

App B includes a helper D-Bus service executable exposing a well-known interface for running its main command with a given set of command-line parameters, environment variables, file descriptors and working directory

If the receiving app is expected to participate in being discovered or "called", then I don't think the full generality of arbitrary command-line parameters, environment variables, fds and working directory is necessary, or safe. "Most" applications can be subverted by a malicious caller if the malicious caller can set environment variables of their choice.

I'd prefer an interface that looks more like receiving a message, or being asked to open a file or a URI - even if it's accompanied by a side-channel that provides a pipe/socket/fd for continuing communication with the caller. Obviously, if the receiving app wants to load potentially dangerous things from that file or URI, then that's up to its maintainer (and then they can deal with the resulting CVEs when an attacker tells them to do something malicious), but I think the interface needs to be set up so that the simplest/most naive implementation is not immediate arbitrary code execution.

When there is a file, we can say "App A wants to open the file with App B with custom settings", but even "custom settings" is not ideal...

As someone who thinks about security, I would be mentally reframing this as "App A wants to cause arbitrary code execution in App B" and I suspect I'd be right more often than not.

So remember that any proposal needs to be constructed in such a way that we can present a user interface that makes sense to grant the access

I think that's a key thing here.

[Mikenux]

For commands, it's certainly possible to show all arguments by clicking a button or expander, but that wouldn't mean anything to naive users.

The alternative is to say nothing about the commands and protect the file: read-only file, Internet access disallowed (or dynamic where access is requested from the side of the app that will open the file), and certainly other things I didn't think of. It would be the same for opening an app without a file. Also, although not really a case here, we will need a solution for commands as I am thinking of remote control apps such as an app controlling a presentation.

Also, is it reasonable for this problem to just focus on sharing a file between apps and opening an app without arguments? (and therefore to leave aside the commands)

What do you think?

[ntninja]

My proposal is intended as a “works right now” solution that is almost entirely transparent to shipped applications. It requires --talk-name=… permissions, so it obviously bypasses any permission checks that Portal APIs usually put in place.

If the receiving app is expected to participate in being discovered or "called", then I don't think the full generality of arbitrary command-line parameters, environment variables, fds and working directory is necessary, or safe. "Most" applications can be subverted by a malicious caller if the malicious caller can set environment variables of their choice.

The idea here is that the caller will submit as much information as possible and the callee will then only use the information it deems useful – in the case of environment variables that would usually mean ignoring all or most values, blindly applying all of them is a very bad idea, yes. Similarly, the callee should reject any combination of command-line parameters it deems problematic. I’ve added some wording to emphasize the importance of this.

I'd prefer an interface that looks more like receiving a message, or being asked to open a file or a URI […] I think the interface needs to be set up so that the simplest/most naive implementation is not immediate arbitrary code execution.

I’m not sure I fully agree here. Exposing something that resembles the existing CLI environment that programs are used to would make it a lot easier to adopt for Flatpak maintainers, since it means that things will just work once they have figured out which parameter combinations are reasonable to accept. The key point here is that it has to be emphasized that it’s completely reasonable to start off just accepting a single file parameter and then expand the scope from there as use-cases demand more.

Assuming it is implemented as a reusable project, App maintainers also don’t need any deep knowledge of D-Bus and the involved interfaces. In particular, the intricacies of sharing files between Flatpak apps can almost entire be hidden away.

[ntninja]

Also, is it reasonable for this problem to just focus on sharing a file between apps and opening an app without arguments? (and therefore to leave aside the commands)

(Assuming you are talking about a portal-native solution here.)
Maybe I’m wrong, but I’m pretty sure if it is just about sharing files, once it ships everyone will be like “Yeah, this is great but I just need to pass this one extra piece of info along” and then the scope will have to expanded after all.

Perhaps requesting to open a single file while passing an arbitrary set of key-value attributes along would be acceptable though? The attributes would either be entirely hidden or displayed in some sort of details view and it be clarified to App maintainers that these must not be treated as arbitrary command-line arguments or environment variables.

[Mikenux]

Sharing a file for co-editing, with apps being notified when the file has changed to update their view of the file, seems like a good start. If it's just to open a file in another application, the arguments can be added later. Also, what are the cases requiring opening a file with arguments in another application in the case of co-editing, editing in one and viewing in another, or co-viewing?

Perhaps requesting to open a single file while passing an arbitrary set of key-value attributes along would be acceptable though? The attributes would either be entirely hidden or displayed in some sort of details view and it be clarified to App maintainers that these must not be treated as arbitrary command-line arguments or environment variables.

In my opinion, the only trusted source is the flatpak portals, not the maintainers. Like I said, I think the file could be protected if we don't want to show anything, but that requires other portals, but I want to be sure that's something accepted.

[Mikenux]

Here is a proposal:

• Text: App-Discovery.txt
• Mockup: App-Discovery-Sample-UI.png

This is a proposal on what is needed. It is based on the comments above.

What is to be known is if this is the direction to follow. Only after that, the missing elements to "know the cases" can be discussed.

Window Focus Idea: #42

[RokeJulianLockhart]

@Mikenux, for future reference, use tabs for indentation rather than spaces where possible, since it helps a lot when accessibility is a concern.

[Mikenux]

@RokeJulianLockhart: No problem 😉 I used tabs but it was set to "Spaces" within Text Editor.

[Mikenux]

Maybe some rules about commands:

• If any files are involved (directly by specifying files or indirectly via app launch), they cannot be deleted or modified.
• Window Focus is required to prevent launch request spam. This is also necessary in case of misbehavior, so that the user can stop the app (for example, the app launches in full screen when this is not what the user wants).
• Applications cannot exchange information/data (they cannot communicate).
• Commands affecting computer configuration (e.g. resolution) or app (e.g. application settings) can only affect them temporarily: they are no longer applicable (i.e. the original configuration of the computer or the app is restored) when the app is closed/no longer running. The closing of the app must be accessible.

Window Focus Idea: #42

[adrianinsaval]

I would like to also request functionality to grant full read access to another application's files, this can be useful when you want to load another application as a library, for example there is an addon for Blender called sverchok that has functionality to integrate with FreeCAD but this requires loading FreeCAD as a python module, it would be nice if blender could be allowed full read access to freecad's files so it may load it as a library

[janopae]

Maybe the use case of opening temporary directories in file managers is related to this? Like opening a backup archive in a file manager (un-mounting it when the file manager is closed, closing the file manager when the backup tool is closed), or showing a directory on a certain git branch/commit as a git application.

[Mikenux]

@janopae:

If it's the file manager mounting the archive or remote directory (for git; is that it?) by itself, then yes. However, the file manager must support the archive and the protocol.

If we cannot assume support for all possible protocols or archives, the app has to mount the remote directory or archive on its own, then request the directory to be opened. This path is then probably not the concern of this issue.

[rugk]

About the mockup in #283 (comment) without reading the proposal (txt file), I – as a flatpak/Linux user – don't get what the box "Access from file chooser" wants to tell me, nor what are the implications of enabling or disabling it. "Prevent the app from reading all assets at once" is also not helpful, because it invokes the following questions for me:

1. then if I select it that seems to be the more secure option? I just don't know why (exactly) – something with restricted file access. (wo which files, actually?)
2. "prevent […] reading at once", so if I don't select it the app can still read all files, but not at once, but sequentially, i.e. one by one, or what??
3. Also what exactly are "assets" in that context? User files? Config files? The term "assets" is vague and not usually used in Linux computing? If I say assets I think of logo assets like PNG and SVG files, but I doubt it is contraint to that. If it means "all data from the app" then just say "data"?
4. Can you maybe just list the assets or at least an example (first three or so)? Then may make it more obvious? Or find a human name?
5. What does the file chooser has to do with here? I am not using any file chooser (at least did not see in the mockup) Actually first thought about file browser like Nautilus?
6. If I disable that, i.e. the seemingly insecure option, then what files can the app access? Any on my system? Because I would expect it to be constraint to the target app (Eyes/Make Human in the example) already? Or at least so somehow the target app can control what files it exposes…

Also that free standing:

Some unsupported files can be converted

Huh? That sounds contradictory to me? Either conversion is unsupported, and they cannot be converted or it is actually supported and works? Did you miss a "[can]not" here? (Also "some" is vague again, but yeah maybe you cannot list them all… though maybe a number of files and how much can be converted may be useful?)

Otherwise, this looks great.

[Mikenux]

@rugk:

The "Access From File Chooser" option was designed to insert one or more assets from the file chooser rather than directly from the application (i.e. the application has its own presentation of files). If I remember correctly, I did this so the app wouldn't know that you gave access to another app's data and any assets you may possibly add. I had privacy in mind. However, this is now a bit ridiculous because the requester app can guess what other app you're using based on the assets you're adding, and because the requester requested access to that app. It's something to remove from the design.

What I meant by "assets" is data such as adding PNG or SVG in Inkscape to create mockups. Also, for example, I saw that KiCad made its libraries available as extensions, like its 3D models.

Regarding the name to use, I don't know which one would be the right one because English is not my native language. Usually I think we call it "Object_Name Library", but I don't know what name to use if it's to access all libraries. I'm not really into giving 1-3 examples, because then it would be better to show them all to the user (to be exact) if there is no telling name.

"Some unsupported files can be converted" is correct because it is because the files are not supported by the app that they must be converted to get a supported file. For example, GIMP does not support opening RAW files directly. It must open an app that manipulates RAW files and will "convert" the RAW file to a file that is compatible (i.e. supported) with GIMP. A list of "unsupported" files can be displayed in the settings. It's best to keep the text in the banners as short as possible when we don't know the length of the translations.

I hope this answers your questions. My design clearly needs some revision, but remember that in the end, the GNOME design team will have the final design (what I post here answers questions like "What kind of UI do we want?" and "Is it possible to make a UI?", the mockups themselves can only be a guide).

Otherwise, this looks great.

Thanks 🙂

[rugk]

"Some unsupported files can be converted" is correct because it is because the files are not supported by the app that they must be converted to get a supported file.

Ah but the message implies the conversion is automatic, i.e. "can be" aka "they are going to be converted" (maybe better wording too). Or say "need to be converted" if it should say they are not going to be opened/included.

No native speaker here neither BTW, so yeah, I let the other stuff to other people.