Flatpak 1.0 Released For Delivering The Best Linux App Sandboxing
Originally posted by Candy:
Please don't abuse the word "security" here. There are no long-term investigations done and there are no external sources that made an audit of flatpak. I would clearly like to see some industry-like organization that makes security audits, like the German BSI or ENISA or NCC, first confirm whether there are security concerns or not. Just because everyone abuses "security" here (and especially the developers themselves) doesn't make it secure at all. It's just a selling argument by causing FUD in the public and trying to catch the customers with the "security" kind of argument.

I agree with you that it's probably a bit early to trust their solutions completely (especially the portals). But at least conceptually they are doing the right things. Plus they build on long-established technology (for example cgroups) or on orthogonal projects (pulseaudio, pipewire, wayland).
Last edited by treba; 20 August 2018, 09:49 AM.
Originally posted by treba:
[...] the concepts they introduce resemble those of mobile platforms like android/iOS. And those have long proven to be very successful.

You need to understand that Linux is also used within the industry and in highly sensitive areas like Healthcare or Defense. I can't sell this to a customer (argument-wise) if there is no proof that the system actually holds what it promises. And I don't wave around in public hoping that everyone will just deliver flatpaks in the near future before the "questions" have been answered. Otherwise we end up jumping into a big black shit-hole with flatpaks if some "official" organization warns the customer against using flatpaks because the underlying eco-system (aka runtime) is a hole for security vulnerabilities, because no one wants to update their flatpaks anymore and delivers old, outdated libraries containing security flaws (e.g. not updating an old libpng or other such libraries).
This is a high security concern and risk.
When we buy, say, "RHEL" licenses in dozens of packages, then we can be sure that we get the support we need because we paid for it. But with flatpaks, companies such as Red Hat will refuse all responsibility and point us to flathub (a community-driven platform), making them responsible for delivering broken programs. This is an absolute no-go.
Originally posted by You-:
This is an interesting update:
Permissions now use an up-front verification model: users are asked to confirm app permissions at install time; if an update requires additional permissions, the user must also confirm.

See dialog that is getting in the way of getting the thing done, ignore what it says and click OK.
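The up-front verification model quoted in that post, shown as an added example that is not from the thread or the Flatpak project: the script parses the [Context] and bus-policy groups of two Flatpak-style metadata keyfiles (installed version and pending update) and reports only the permissions the update adds, which is the set a user would be asked to confirm. The two metadata texts are constructed samples, and the function names are my own.

```python
import configparser

# Constructed sample metadata for a hypothetical app: installed version vs. update.
OLD_METADATA = """\
[Context]
shared=ipc;
sockets=x11;wayland;
filesystems=xdg-documents:ro;
[Session Bus Policy]
org.freedesktop.Notifications=talk
"""

NEW_METADATA = """\
[Context]
shared=ipc;network;
sockets=x11;wayland;pulseaudio;
filesystems=home;
[Session Bus Policy]
org.freedesktop.Notifications=talk
org.freedesktop.secrets=talk
"""

def parse_permissions(text):
    """Map (group, key) -> set of granted values for the permission groups."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep D-Bus names case-sensitive
    cp.read_string(text)
    perms = {}
    if cp.has_section("Context"):  # semicolon-separated lists with a trailing ';'
        for key, value in cp.items("Context"):
            perms[("Context", key)] = {v for v in value.split(";") if v}
    for group in ("Session Bus Policy", "System Bus Policy"):
        if cp.has_section(group):  # one policy word (see/talk/own/none) per bus name
            for name, policy in cp.items(group):
                perms[(group, name)] = {policy}
    return perms

def added_permissions(old_text, new_text):
    """Return only what the update grants beyond the installed version."""
    old, new = parse_permissions(old_text), parse_permissions(new_text)
    added = {}
    for key, values in new.items():
        extra = values - old.get(key, set())
        if extra:
            added[key] = sorted(extra)
    return added

if __name__ == "__main__":
    for (group, key), vals in added_permissions(OLD_METADATA, NEW_METADATA).items():
        print(f"update needs confirmation: [{group}] {key} += {';'.join(vals)}")
```

Permissions the update drops (here the read-only documents access) are not reported, since only widened access needs a fresh decision from the user.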
Originally posted by Candy:
Please don't abuse the word "security" here. There are no long-term investigations done and there are no external sources that made an audit of flatpak.
This is not the same. Neither Android nor iOS require an external proprietary runtime to be downloaded and installed.

https://www.androidpit.com/install-g...y-services-apk
So is the WebKit ("webview") component https://play.google.com/store/apps/d....webview&hl=en
I have no idea about iOS.
And no matter how many times you repeat it, Flatpak runtimes aren't proprietary, they are just dependencies.
Last edited by starshipeleven; 20 August 2018, 11:33 AM.
Originally posted by boxie:
Let's hope that does not lead to user fatigue.
See dialog that is getting in the way of getting the thing done, ignore what it says and click OK.

AFAIK PrivacyGuard on Android/LineageOS enforces a preset of permissions denied to applications by default.
But for some things you need to ask the user, and the user has to learn to read shit and decide. It's not like you install dozens of applications each day.
Originally posted by Anarchy:
What advantage does Flatpak hold over Appimage and snaps?

The biggest difference between Flatpak and Snap seems to be that Snap is centralized around the Canonical store, while Flatpak is entirely decentralized in that regard.
Snap also uses a Snap daemon that runs in the background, while Flatpak instead consists of a collection of oneshot applications that perform their task and then exit.
Flatpak is also heavily pioneering the portal design, where all system access is done through a portal application that lives outside of the sandbox, something that Snap seems to be working towards supporting as well.
Originally posted by Jabberwocky:
I would like to get Adobe Reader working in Flatpak or a similar framework. My dilemma is I don't want sensitive documents (that require XFA forms) on my Windows file system and I don't want to run the Linux version of Adobe Reader outside of "a sandbox". At this point in time no open source PDF reader supports the version of XFA forms used by financial institutions and governments that I am forced to work with. Not sure if it's against Adobe Reader's EULA to use it in my desired way. I know there is a playonlinux solution, which is currently the best compromise that I am aware of...

In the worst case, I prefer printing them out and then scanning them to using Adobe products. I wish portable HTML forms were used instead...

Originally posted by Candy:
Please define "The Best Linux App Sandboxing"

Originally posted by Anarchy:
What advantage does Flatpak hold over Appimage and snaps?

Runtimes are partially shared among applications (with OSTree IIRC), which makes them lighter to download. It is restrictive by default (and now seems to actively ask for permissions), and I like the idea of portals, such as a native file dialog to send over a file instead of giving them whole filesystem access. I think it mirrors Android a bit in that respect.
Flatpaks are auto-updating, Appimages are not, AFAIK.
I'm not sure you can install snaps as an unprivileged user, but you can with flatpaks.
And lastly, I only know how to build flatpaks because someone showed me recently, but it isn't complicated, and dependencies are nicely separated, so I guess updates shouldn't take up a lot of space together with OSTree? I don't think it would be possible to offer binary diffs with Appimage, for instance.
But I must say that while flatpak is nice and tidy for proprietary software or the ones requiring complex dependencies (I use an Android Studio flatpak, for instance), it doesn't beat regular package management for software that's packaged by the distribution. Moreover, Nix (or Guix) is really promising as an advanced package manager that can do a lot of the above (but no sandboxing).
Candy, you were quite aggressive with your post, and the second part was (I'm sorry) mostly complete bulsh*t. What did Flatpak developers do to you?