@fuxoft Still better than snapd. There is confusion between flaming the architecture and flaming the developers. For me, the only interesting part is the "echo xxxx > ~/.bashrc", because that's a real issue, which needs more thought.

@fuxoft How is it different from traditional packages? By installing a package you give its author unlimited root access to your system.
Flatpak is not perfect and it currently allows apps to get access to the host because they wouldn't otherwise work. But it's not a security nightmare. And if it is, then all means of software distribution on Linux are.

@sesivany Many people are under the impression that Flatpaks are akin to "Light VMs", isolated from the main system, unable to cause serious harm. That's a very dangerous impression.

@fuxoft @sesivany For me, it is more of a "Light VM" in the sense that it separates dependencies. You can have the latest Firefox on an old distribution or stable software on a bleeding-edge version of some distribution. There is nothing about file system sandboxing.

@fuxoft @mirek Well, Flatpak already allows apps to be completely sandboxed on the file system and get access to the host in a controlled way. Quite a few apps already work that way. Quite a few don't and need full access for compatibility reasons. The Flatpak project doesn't hide that the option is there and that the sandbox is not enforced for all apps.
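
An added example, not part of the thread: a small audit that reads Flatpak metadata in the keyfile format printed by `flatpak info --show-permissions <app-id>` and reports `filesystems=` grants that let an app write to files such as `~/.bashrc`. The sample metadata and the function names are constructed for illustration; negated (`!`) entries are simply skipped.

```python
import configparser

# Grants that cover the whole home directory, dotfiles included.
HOME_WIDE = {"host", "home"}

def parse_filesystems(metadata_text):
    """Return [(location, mode)] from the [Context] filesystems= key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(metadata_text)
    raw = cp.get("Context", "filesystems", fallback="")
    grants = []
    for entry in filter(None, (e.strip() for e in raw.split(";"))):
        if entry.startswith("!"):  # negated entry removes access; skip it
            continue
        location, sep, mode = entry.rpartition(":")
        if not sep or mode not in ("ro", "rw", "create"):
            location, mode = entry, "rw"  # no suffix means read-write
        grants.append((location, mode))
    return grants

def home_write_grants(metadata_text):
    """List grants that allow writing anywhere in the user's home."""
    return [loc for loc, mode in parse_filesystems(metadata_text)
            if loc in HOME_WIDE and mode != "ro"]

# Constructed sample metadata, not taken from any real application.
SAMPLE_OPEN = """\
[Application]
name=org.example.Editor

[Context]
shared=network;ipc;
filesystems=home;xdg-download:ro;
"""

SAMPLE_SANDBOXED = """\
[Application]
name=org.example.Viewer

[Context]
sockets=wayland;
filesystems=xdg-download:ro;
"""

if __name__ == "__main__":
    for text in (SAMPLE_OPEN, SAMPLE_SANDBOXED):
        print(home_write_grants(text) or "no write access to home dotfiles")
```
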

@mirek @fuxoft
Yeah, if you check the flatpak.org index page, there are a lot of benefits and features mentioned, but not a word about better security or sandboxing.
It's not even the immediate goal of Flatpak. Now it's: let's get apps on board, and solve the distribution problem, and in the future let's work with their authors to make them run securely.

@sesivany @fuxoft I think that the main problem is that "You are NOT getting security updates" on flatpak bundled stuff.

@andrej @fuxoft #Flathub is building tools to notify about new versions of used modules, but it is and has always been the responsibility of maintainers. All my flatpaks have their modules up to date.
And BTW that applies to Linux distros as well. Most packages in Ubuntu universe never receive an update during the release lifetime.
