For example, if my current folder (which contains the manifest) has some sensitive data, such as .vscode, .git, or any other potentially sensitive files, should I pay attention to preventing that from being uploaded with tools like flatpak-builder into public areas?
Fortunately, the Cargo package manager takes care of this, but I am not sure if flatpak-builder does, as I am working with it for the first time.
Gitignore
I found some notes in the documentation stating that Flatpak is similar to Git. If that’s the case, should I be concerned about any kind of .gitignore files?
Release optimizations
Also, should I do any additional release optimizations, with arguments like --release or --clean, before creating a local app.flatpak file to share?
Like already mentioned, if it's sensitive, it shouldn't be part of the git repository.
That being said, while I can't say if .vscode might contain sensitive data, .git is just where git stores the data needed for its versioning, that shouldn't be sensitive at all.
You can also check which files will be included in a Flatpak. The build folder you pass to flatpak-builder contains the files your Flatpak contains after you have built it.
The note about “Flatpak being similar to Git” mostly relates to OSTree, which Flatpak uses.
OSTree works internally similarly to Git in its versioning, which is why it's also called a “Git for binaries”. While this is interesting in how it helps to reduce space and download sizes, it's not that important when it comes to app publishing.
If there are files which inevitably are part of the building process, but which you don’t wish to package in the final Flatpak, you can use the cleanup option in your manifest to specify files which are removed from the package after the build.
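The check described in the reply above (looking at what ended up in the build folder passed to flatpak-builder), as an added example that is not part of the original thread. It assumes the packaged payload sits in the `files/` subdirectory of the build folder; the function names and the list of file names treated as sensitive are choices made for this example.

```shell
#!/bin/sh
# Audit the payload of a flatpak-builder build directory for files that
# should not ship. Assumption: the payload lives in <build-dir>/files.
# Matching is by file name only, so review each hit by hand.

# Print every suspicious path under <build-dir>/files, one per line.
find_sensitive() {
    payload="$1/files"
    [ -d "$payload" ] || { echo "no files/ directory in $1" >&2; return 2; }
    # -prune stops descent, so a whole .git tree is reported once.
    find "$payload" \( \
        -name .git -o -name .svn -o -name .hg -o \
        -name .vscode -o -name .idea -o -name .ssh -o \
        -name '.env' -o -name '.env.*' -o -name '.npmrc' -o \
        -name '*.pem' -o -name '*.key' -o \
        -name 'id_rsa*' -o -name 'id_ed25519*' \
    \) -prune -print | sort
}

# Return 0 if the payload is clean, 1 if anything matched, 2 on bad input.
audit_build_dir() {
    hits=$(find_sensitive "$1") || return 2
    if [ -n "$hits" ]; then
        echo "In payload; add to the manifest cleanup list or fix the source:" >&2
        printf '%s\n' "$hits"
        return 1
    fi
    echo "payload clean: $1/files" >&2
    return 0
}

# Constructed sample tree (not a real build) for trying the audit offline.
make_sample_build_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/files/bin" "$d/files/share/app/.git" "$d/files/share/app/.vscode"
    : > "$d/files/bin/app"
    : > "$d/files/share/app/.git/config"
    : > "$d/files/share/app/.vscode/settings.json"
    : > "$d/files/share/app/.env"
    echo "$d"
}
```

Run `audit_build_dir <build-dir>` after flatpak-builder finishes and before exporting or bundling; a non-zero exit status means something needs a cleanup entry or a fix in the source.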
Thanks for your replies, seems I want to get more experience to understand this ecosystem!
At this moment, is it safe to share the app with everyone online,
when I built it with the following command?
flatpak build-bundle repo APP_ID
I’ve built it from the folder that contains git.
Of course, this folder should not be included in the bundle, but can I check its contents after the build? Or is it binary? Maybe some analog of package --list.