GNU Shepherd 0.8 Released As An Alternative To Systemd


  • #81
    Originally posted by Volta:

    It seems you can't. The original report (probably against Ubuntu's geoclue, but the issue remained) was made in 2012 and nobody cared. To be fair, it seems someone misread the bug report and thought the issue was fixed.
    geoclue 2.0 was introduced in Debian (by myself) at the end of 2013, and the code base is completely different...

    Ubuntu kept geoclue(1) on life support for some reason, so this issue is completely different.



    • #82
      Originally posted by Bigon:

      geoclue 2.0 was introduced in Debian (by myself) at the end of 2013, and the code base is completely different...

      Ubuntu kept geoclue(1) on life support for some reason, so this issue is completely different.
      The problem is similar, but not just in geoclue itself. I'm following the discussion on GitLab and it looks like a deeper issue. Sorry for blaming you and your app; it seems it's more of a GNOME Settings fault, and maybe permissions as well.



      • #83
        Originally posted by Volta:

        I realize that, but to disable it you have to have root privileges. When you disable this service and set the outcome to NULL, exploiting it will be harder, but still possible even without geoclue, with the current policy.
        Well, as I replied in the GitLab issue, you can just run `/sbin/iwlist wlp4s0 scan` on the machine to trivially get all the AP MAC addresses and signal strengths (and thus the location). So IMVHO, disabling geoclue solves nothing if your machine is compromised (Edit: except if you have things like SELinux or AppArmor configured in a strict way).

        OTOH, fixing the fact that geoclue/GNOME no longer asks permission to get the location might fix accidental leakage of information to the Mozilla Location Service.
        Last edited by Bigon; 27 April 2020, 04:59 AM.

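A worked illustration of the point Bigon makes above (an added example, not code from the thread): any process that can read the wireless scan results can turn them into the same kind of geolocation request geoclue would send, so the leak does not go away when geoclue is disabled. The `iwlist` text below is a constructed sample in the wireless-tools output format with made-up MAC addresses; the `wifiAccessPoints` / `macAddress` / `signalStrength` / `channel` field names are those of MLS-style geolocate JSON and are an assumption here, and the code never contacts any service. One caveat worth knowing: a non-root user often cannot trigger a fresh scan, but can normally read the cached results of the last one (for example with `iw dev wlp4s0 scan dump`), which is all this needs.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `iwlist wlp4s0 scan` output in the wireless-tools
# format. Not captured from a real machine; the MAC addresses are made up
# (locally administered 02:... prefixes).
SAMPLE_IWLIST = """wlp4s0    Scan completed :
          Cell 01 - Address: 02:00:00:00:01:AA
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    Quality=70/70  Signal level=-40 dBm
                    Encryption key:on
                    ESSID:"home-net"
          Cell 02 - Address: 02:00:00:00:02:BB
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=45/70  Signal level=-65 dBm
                    Encryption key:on
                    ESSID:"neighbour"
          Cell 03 - Address: 02:00:00:00:03:CC
                    Channel:36
                    Frequency:5.18 GHz (Channel 36)
                    Quality=30/70  Signal level=-80 dBm
                    Encryption key:off
                    ESSID:""
"""

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
SIGNAL_RE = re.compile(r"Signal level=(-?\d+) dBm")
CHANNEL_RE = re.compile(r"^\s*Channel:(\d+)", re.MULTILINE)


def parse_iwlist(text: str) -> List[Dict[str, Optional[object]]]:
    """One record per access point: BSSID, signal in dBm, channel.
    The SSID is deliberately not collected; a BSSID plus a signal level is
    all a geolocation service needs."""
    aps = []
    # Every "Cell NN - Address:" line opens a new AP block.
    for block in re.split(r"(?=Cell \d+ - Address:)", text):
        cell = CELL_RE.search(block)
        if not cell:
            continue                      # header text before the first cell
        sig = SIGNAL_RE.search(block)
        ch = CHANNEL_RE.search(block)
        aps.append({
            "macAddress": cell.group(1).lower(),
            "signalStrength": int(sig.group(1)) if sig else None,
            "channel": int(ch.group(1)) if ch else None,
        })
    return aps


def to_geolocate_request(aps: List[Dict]) -> Dict:
    """Shape the records as the wifiAccessPoints array of an MLS-style
    geolocate request (field names are an assumption; nothing is sent)."""
    return {"wifiAccessPoints": [
        {k: v for k, v in ap.items() if v is not None} for ap in aps
    ]}


def strongest(aps: List[Dict], n: int = 2) -> List[str]:
    """BSSIDs of the n strongest APs: the ones that pin the location best."""
    ranked = sorted((a for a in aps if a["signalStrength"] is not None),
                    key=lambda a: a["signalStrength"], reverse=True)
    return [a["macAddress"] for a in ranked[:n]]


if __name__ == "__main__":
    import json
    print(json.dumps(to_geolocate_request(parse_iwlist(SAMPLE_IWLIST)), indent=2))
```

What removes this channel is denying the process the wireless/netlink access in the first place, which is what the strict SELinux or AppArmor policy Bigon mentions (or a sandbox with no network) does; turning geoclue off only removes the convenient front end.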


        • #84
          Originally posted by Volta:

          The problem is similar, but not just in geoclue itself. I'm following the discussion on GitLab and it looks like a deeper issue. Sorry for blaming you and your app; it seems it's more of a GNOME Settings fault, and maybe permissions as well.
          It's not my application; I'm just packaging it in Debian.

          Pinging the correct person/assigning the bug to the correct project is key if you want to get a bug fixed. So the problem is maybe similar, but the root cause and the person who can fix it are not.



          • #85
            Originally posted by Bigon:

            Well, as I replied in the GitLab issue, you can just run `/sbin/iwlist wlp4s0 scan` on the machine to trivially get all the AP MAC addresses and signal strengths (and thus the location). So IMVHO, disabling geoclue solves nothing if your machine is compromised (Edit: except if you have things like SELinux or AppArmor configured in a strict way).
            Yes, this should be solved somehow. Maybe limit access to this to root only, and maybe NetworkManager?

            OTOH, fixing the fact that geoclue/GNOME no longer asks permission to get the location might fix accidental leakage of information to the Mozilla Location Service.
            This was the original complaint, but it seems it was done unintentionally.



            • #86
              OK, sorry for taking so long to reply. Things kept being busy.

              Originally posted by blackiwid:
              You go way too deep into some technical details. Some might matter, about the number of websites that are maybe malicious, but even then I don't get how, against cybercrime which mostly works through human hacking like phishing mails, sandboxing helps you exactly zero if you give them your passwords etc. Or at least in most cases it does not help with phishing.
              A popular avenue for cybercrime is building botnets, which means you don't need access to someone's password... you just need to get persistent remote code execution on their system. Sandboxing is good for breaking the "persistent" part by making it possible for a security fix to flush out any infection that already took hold.

              Botnets are then used for things like:
              • Ad fraud (You have your bots wander around the web, acting like real humans, to build up a "valuable eyeballs" score in the ad network's systems, then send them to garbage sites you built where you get paid to show ads to "valuable eyeballs". You also get to charge people for sending them "high-quality visitors" which are actually bots as part of building up that score.)
              • Sending spam
              • Using DDoS for extortion or to attack competing groups of criminals
              • Attacking other systems without revealing your location or as a force-multiplier (eg. When you buy knowledge of an un-patched vulnerability, better to multiply the number of systems you're checking for it by a million so you can check and root as many as possible before it gets patched.)
              • etc. etc. etc.

              Originally posted by blackiwid:
              I think we have a few misunderstandings on other levels.

              1. For me, proprietary software is by definition malicious code; the question is just in which way. The best case is that the developer/company behind such code wants vendor lock-in. But because I can't look into it, I have to assume the worst, which means even worse things are in it.
              My point is that you have to pick your battles and rank your threats. Yes, everything should be open-source but it's penny-wise and pound-foolish to be so focused on companies/individuals exploiting lax laws that you don't properly address the threat of people actively breaking laws they don't fear. Sandboxing helps against the latter.

              Originally posted by blackiwid:
              Maybe mentioning a known case like the Sony rootkit was a bad idea because [...] While against cybercriminals I at least have the state behind me to fight them, nobody will help me fight against the state or other states.
              If a state actor is going after me, the big threats are:
              1. Passive data acquisition (The NSA was hugely against SOPA and PIPA because they knew that threatening piracy would prompt encryption of traffic to become commonplace. Likewise, last I heard, they were building a huge data center to archive everything that flows through U.S. Internet backbones so they can try to decrypt it later when computers become more powerful.)
              2. Directed attacks (Open-source software won't help if the NSA wants to spy on you. It's known that they can intercept mail and courier shipments to modify the contents, and that they can do things like hiding logging devices inside the plugs of USB cables.)

              Personally, I think the biggest threat from state actors is the Intel Management Engine, AMD PSP, and ARM TrustZone, which are built into every CPU you buy these days, run closed-source firmware, have a higher permission level than any code you're allowed to install including the OS itself, and, in modern CPUs, block the CPU from running an OS if you strip them out by connecting a chip programmer directly to the motherboard.

              (Intel CPUs have a watchdog timer that keeps resetting the CPU until the Management Engine boots and turns it off, and the Management Engine only accepts code signed by Intel.)

              Originally posted by blackiwid:
              Because you have to at least agree that any attempt to sandbox when the OS itself is proprietary is useless if Windows, for example, is a rootkit (and with the unstoppable hidden update functionality it can be turned into one at any second by MS or any contractor of MS). So if you build on top of a rootkited system (proprietary software you have to assume is a rootkit), isn't that pretty meaningless? Or do you say it's fine that these companies and spy agencies have a permanent rootkit on me?
              Oh, certainly, but the CPU itself has a much more attractive mechanism for state actors to rootkit.

              If you're not running something like one of the POWER systems by Raptor, then worrying about state actors is a very ineffective way to decide how to allocate your efforts toward making your system more secure.

              (I can't afford a Raptor system at the moment, but you can see why I'm in no hurry to upgrade off my pre-PSP, pre-UEFI AMD system when it meets my needs just fine.)

              Originally posted by blackiwid:
              You then mention that a Guix user vs. a grandma situation is different. Well then, let's start to acknowledge that if you use an open-source OS in the first place, then maybe sandboxing becomes more relevant; before that it's more or less meaningless.
              Not true. Sandboxing is important on closed-source OSes because Microsoft or Apple or Google aren't going to just say "OK" if cybercriminals walk up and ask to be let in the way they will if the NSA walk up with a legal writ. Different threats have different things which are or are not effective against them.

              Originally posted by blackiwid:
              Then let's talk about the Internet, and JavaScript. I hate the Internet, or more precisely the Web, not primarily for security reasons, but because it forces interfaces on me and I can't use native clients. So unlike with IMAP, where I have a choice of interfaces (clients), I have none for a forum like this or news websites like this or webshops; I must use their web interfaces. Sometimes they offer proprietary apps for Android as an alternative; even very basic services like the German train system monopoly company have only proprietary apps.

              So that means that when I want to write here, besides some hacks where I can copy the text to Emacs and, when I am done, back into that field, I can't read your comment in the layout I want like in my email client, and I can't get your text into my email client and answer it by pressing "F" and C-c C-c, or with my custom setup Menu + e + e, to send it away.
              You won't see me disagreeing. I wish forums would offer an NNTP bridge so I could read and reply in Thunderbird.

              Originally posted by blackiwid:
              Sorry, that is slightly off topic, but I think it has relevance to why the Web as it is has to go to hell, and the focus should not be on making the web more secure but on getting rid of it in its current form (which would mean that you have OPEN APIs and standardisation, not open as in open source but as in nobody has to ask for an API key and sign a contract for it, so that you don't need a special client for each specific website but one app for forums, one app for news sites, one app for webshops etc.) with protocols like IMAP.
              Except that:
              1. The web has too much inertia for you or me to get rid of and the convenience of it is the only thing preventing companies from pushing mobile-style apps on desktop users.
              2. I'm talking about technologies that work equally well for web or native applications. Again, even the best open-source developers make mistakes and overlook things.

              I'm focused on practical improvements in the life I experience, not ideals which would require me to become the next Richard Stallman or Gandhi to make a difference.

              Originally posted by blackiwid:
              Hell, and trying to contain it with sandboxes instead of fixing it is the wrong approach; that is like using virus scanners on Windows instead of fixing security bugs faster like it was done in Linux, and therefore virus scanners were only a thing for servers, even at times when people were more positive about that kind of software.
              Sandboxing is like using flame-retardant materials in construction. It's not a substitute for firefighters; it's an effort to reduce the chances of a blaze starting and to minimize the damage that happens before they arrive.

              There will always be human programmers making mistakes.

              Originally posted by blackiwid:
              [...]

              Which brings us to:

              [...]

              https://www.gnu.org/software/librejs...ipt.html#step3

              The point is that a developer then has the source code (correctly formatted for humans to read) and can then maybe even use the same compiler to see if the code used on the website is the same (differently formatted). That gives people a way to find insecure websites faster even if they use or pretend to use free JS. Because 1. you can check automatically whether it is really open source (LibreJS might do that automatically, at least optionally), and 2. then look at the human-readable version of the source.

              [...]
              I'm not against the idea, but, again, that doesn't protect against a well-intentioned human making mistakes which are then exploited by malicious individuals. That's what sandboxing helps with.

              Originally posted by blackiwid:
              because how you want to make Nvidia and gaming companies that release games on Steam use sandboxes is also questionable
              I don't remember saying anything about forcing gaming companies. What I remember saying is that games are very well-suited to sandboxing since any software design that could also run on a console is inherently pretty self-contained already.

              (eg. For the hard drive, games generally only need access to their own files and a place to store save files while most other kinds of applications will want an Open/Save dialog and the ability to let you choose where to put documents of some sort.)

              Heck, games running on a console are getting ever more sandboxed in order to make it as hard as possible to use bugs in them as a springboard for gaining the root access needed to run pirated copies of games.

              Originally posted by blackiwid:
              Sure, I guess Valve could try to make them, but these companies have other options, so it would be the common user that forces them into that. Sure, you can argue that you don't need games but you need web pages, sure, but I even wonder how you can bring the Nvidia blob into a sandbox, if that is the solution to make it secure, or how that would technically even be possible.
              Sandboxing isn't a binary "if you don't sandbox everything, it's useless" thing. My point is to sandbox as much as possible because, the more you sandbox, the harder it is for an attacker to find a way to compromise your system in a persistent way.

              Focusing on the nVidia binary driver as a problem with sandboxing is as ill-suited to the reality of today's situation as focusing on the Sony rootkit. The nVidia binary driver is the only noteworthy piece of closed-source kernel code on Linux, while the vast majority of attack vectors are through userspace code.

              Originally posted by blackiwid:
              Sure, you can say "don't use Nvidia then", but that acknowledges also that the open-source part is the important part.
              It's an important part. As I keep saying, open-source isn't magic fairy dust. LWN.net has a list of discovered security vulnerabilities in open-source packages.

              Originally posted by blackiwid:
              So can we at least agree that on the OS level free software / open source is more important, or necessary, before sandboxing can mean any real security at all?
              No, we can't agree, because it fundamentally depends on what kind of threats you're trying to protect against. You're focused on state threats, where open-source is the best protection as long as your CPU isn't bypassing it with a built-in exploit. I'm talking about the attack vectors that don't require state backing to gain access to, which show up in open-source software too, and which sandboxing is very helpful for.

              Originally posted by blackiwid:
              If you use any proprietary games, sandboxing will not help, and you can't force them to use sandboxing, or at least it's very difficult, while I think it's easier to force webmasters to use only free-software JS and have a website where you audit and whitelist them.

              Well, there were games like SimCity (2013), but others had big problems with deep OS-level modifications; well, SecuROM or whatever these DRM things are called now do horrible stuff. Could they do that if it were open source? You would just use a fork of it and remove such behaviour; with open source that would be a possibility, and sure, you maybe can't then connect to the official servers, but SimCity is a good example because with the original client you need to be connected to the servers to play a single-player game, which you could easily get rid of if you had the source and therefore easily have a safe clone. Well, I don't know how helpful it is to talk about games, but I would argue that such a forced online connection you can't make harmless with sandboxing; if nothing else they spy location data on you with it and no sandboxing can fix that. Source code would not automatically fix that either, sure, but it would be easy to remove the online code for good and have a functional single-player game.
              Last I checked, Linux game DRM doesn't install kernel modules, so it's much more within the reach of a company like Valve to have the Steam client provide sandboxing as an option and provide some kind of financial incentive to companies to turn it on. (eg. Maybe take only a 29% cut of the profits rather than the usual 30% cut.)

              As for the DRM-free stuff offered by places like GOG.com, that's easy to sandbox using existing options like Firejail.

              Would GOG's DRM-free release of Stellaris be a sufficiently mainstream example?

              I only started playing Stellaris recently, so I haven't played a whole game through regardless of sandbox or no sandbox, but this seems to work flawlessly and would be comparable to how Steam would set up a sandbox:

              Code:
              # ~/.config/firejail/stellaris
              
              # Deny access to everything in $HOME except what it needs
              # (Exempt it from anything generic.profile may do and whitelist it)
              noblacklist ~/.local/share/Paradox Interactive/
              whitelist ~/.local/share/Paradox Interactive/
              
              # Turn on the standard set of protections most profiles want,
              # like "noroot", "seccomp", and "caps.drop all"
              include /etc/firejail/generic.profile
              
              # If I were running a Firejail newer than what comes with a 2016 Kubuntu LTS,
              # I should be able to just whitelist the Stellaris install directory in /mnt like I
              # did the save directory rather than having to trim away my non-standard,
              # non-read-only additions outside $HOME
              blacklist /srv
              blacklist /mnt/buffalo_ext
              blacklist /mnt/incoming
              blacklist /mnt/red6/backups
              blacklist /mnt/red6/games_todo
              blacklist /mnt/red6/stuff_to_prune
              blacklist /mnt/red6/stuff_to_read
              
              # Deny network access (I only play Stellaris single-player)
              net none

              Code:
              $ # NOTE: --profile only needed because I didn't feel like renaming start.sh to stellaris
              $ firejail --profile=$HOME/.config/firejail/stellaris /mnt/red6/games/stellaris_2_6_1_1_36932/start.sh
              Firejail also includes utilities to automate the process of editing your .desktop launchers to work via it.

              Originally posted by blackiwid:
              Even if you were right, fine for a security-focused OS; that might matter, then make a security Linux distro, if not Tails then a server-focused version of Tails.
              Arguing that it's what we have now or something like Tails is silly. We might as well be back on MS-DOS with that attitude. Security is not a black-and-white thing.

              Originally posted by blackiwid:
              If you believe in that form of security, fine, but so far most people use Windows, therefore you will not convince the majority, so why care if you can win over Guix users to your security philosophy? Why should exactly they give a shit about security in your way when nobody else does?

              If they advertised on their website that they are a very secure or security-focused distro, I could see that discussion, so it just seems a bit random.
              That's sort of like saying "Most people run Windows 95/98, so why run Linux on our server or upgrade Mac users to MacOS X when it won't make them more secure?"

              Thankfully, the people making the open-source ecosystem you champion so vehemently see things differently and are working diligently to add security and sandboxing even as you dismiss it.

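An added checker for profiles like the Stellaris one in the post above (example code written for this page, not a Firejail tool): it expands `include` lines in order and flags the ordering mistake that silently breaks such a profile, a `noblacklist` that comes after the `blacklist` it is supposed to exempt. Firejail applies profile lines top to bottom and its profile documentation says `noblacklist` must precede the matching `blacklist`; the post's profile gets this right by putting the `noblacklist` before `include /etc/firejail/generic.profile`. The `generic.profile` text here is a constructed stand-in with a few directives of the kind the post mentions, not the real file, and the second sample profile is the first one with the include moved to the top, to show what the checker catches. It also reports the hardening the post relies on (`noroot`, `seccomp`, `caps.drop all`, `net none`) when a profile lacks it.

```python
from typing import Dict, List, Tuple

# Constructed stand-in for /etc/firejail/generic.profile (NOT the real file):
# a deny-list of sensitive $HOME paths plus the hardening the post mentions.
GENERIC_PROFILE = """
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.local/share
caps.drop all
noroot
seccomp
"""
INCLUDES = {"/etc/firejail/generic.profile": GENERIC_PROFILE}

# Mirrors the order used in the post: exempt and whitelist the save dir first,
# then pull in the generic hardening, then add local blacklists and no network.
GOOD_PROFILE = """
noblacklist ~/.local/share/Paradox Interactive/
whitelist ~/.local/share/Paradox Interactive/
include /etc/firejail/generic.profile
blacklist /srv
blacklist /mnt/buffalo_ext
net none
"""

# Same directives with the include moved to the top: the noblacklist now lands
# after generic.profile's blacklist of ~/.local/share, so it no longer exempts
# the save directory. (It also leaves the network enabled.)
BAD_PROFILE = """
include /etc/firejail/generic.profile
noblacklist ~/.local/share/Paradox Interactive/
whitelist ~/.local/share/Paradox Interactive/
blacklist /srv
"""

Rule = Tuple[str, str]


def flatten(text: str, includes: Dict[str, str], depth: int = 0) -> List[Rule]:
    """Profile text -> ordered (directive, argument) list with includes expanded
    inline. Order is preserved because firejail applies lines top to bottom."""
    if depth > 8:
        raise ValueError("include nesting too deep")
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        directive, _, arg = line.partition(" ")
        arg = arg.strip()
        if directive == "include":
            if arg not in includes:
                raise FileNotFoundError(arg)
            rules.extend(flatten(includes[arg], includes, depth + 1))
        else:
            rules.append((directive, arg))
    return rules


def norm(path: str) -> str:
    """Treat ~ and ${HOME} as the same prefix and ignore a trailing slash."""
    return path.replace("${HOME}", "~").rstrip("/")


def covers(rule_path: str, path: str) -> bool:
    """True if a blacklist of rule_path also hides path (same path or below it)."""
    r, p = norm(rule_path), norm(path)
    return p == r or p.startswith(r + "/")


def audit(profile: str, includes: Dict[str, str] = INCLUDES) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    rules = flatten(profile, includes)
    findings: List[str] = []
    blacklisted: List[str] = []
    for directive, arg in rules:
        if directive == "blacklist":
            blacklisted.append(arg)
        elif directive == "noblacklist":
            # firejail documents that noblacklist must come before the blacklist
            # it overrides; one that comes later leaves the path hidden.
            for b in blacklisted:
                if covers(b, arg):
                    findings.append(
                        f"noblacklist {arg} comes after blacklist {b}; "
                        "move it above the include or the path stays hidden")
    present = {d for d, _ in rules}
    with_args = {(d, norm(a)) for d, a in rules}
    for needed in ("noroot", "seccomp"):
        if needed not in present:
            findings.append(f"missing {needed}")
    if ("caps.drop", "all") not in with_args:
        findings.append("missing caps.drop all")
    if ("net", "none") not in with_args:
        findings.append("network not disabled (no 'net none')")
    return findings


if __name__ == "__main__":
    for name, prof in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(name, audit(prof) or ["ok"])
```

The check is static, so it says nothing about what the kernel actually enforces; it only catches the profile-authoring slip. The trailing `blacklist /mnt/...` lines in the post are the deny-list approach the author himself calls a workaround: any mount added later that is not listed stays visible to the game, which is why a `whitelist` of the install directory is the stronger form where the Firejail version supports it.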


              • #87
                Originally posted by ssokolow:
                Thankfully, the people making the open-source ecosystem you champion so vehemently see things differently and are working diligently to add security and sandboxing even as you dismiss it.
                Apparently not, else Guix would NOT use this C-based, in your view insecure, init system, and every other distro that uses C-based init systems. Also your comparison with "most people run Windows, therefore you should also run Windows" is a false comparison: one is what you do, and again, pick your best Tails or whatever distro, and one is what a 3rd party does; you try to tell a 3rd party what to do... those are 2 completely different things, and maybe you say you don't want to do that, but you defended the person that wanted to do that.

                I see a few flaws with your argument:
                1. Sure, criminals can do some effective attacks, but most of those attacks are meaningless. Yes, the numbers are high, but it's a shotgun approach; 99% don't lead to real damage. Like with my dad downloading some botnet thing on Android: the provider detects it, he finds out which device it is, worst case shuts down the infected device, and somebody has to find the problem.
                2. I don't see how that could be fixed. It's not that the Android sandbox system is too bad for that; it just asks "do you allow this new app to send data to the internet?" and every app wants to do that... and then it does... that's all the rights a botnet needs.

                Now, my arguments would probably be anecdotes, but if you know not one person in your life that got in any way significantly damaged through internet criminality, yet we all get permanently damaged through proprietary software, every single one of us, I take this permanent abuse that I live through more seriously than these Chinese amateurs that get nothing really done.

                I mean, what is the biggest threat of cyber criminality? Probably Indian phone callers that make you afraid and transfer money; fraud still happens 99% offline via phone or visitors.

                Another thing is that I don't need software to "sandbox"; I do that via hardware: just have an evil PC / console and a clean (only open-source software) PC and you are fine from having bad software. Sure, there is mass surveillance, which you can fight with a VPN, and security problems, but you say the state comes to you also through firmware stuff and so on... sure, but I still don't get that argument. Do you think sandboxing protects you from them? So here sandboxing does also not help; it helps even less against state actors.

                Let's look at the real software world... look at Windows and macOS X: because it's not open source there are no repositories with software, because the companies would not allow other websites to host their software. Therefore to install software you have to go to random websites that can easily be spoofed or look nice like legit ones, then you download it and install it with root rights... now you can have some sandboxing that will ALWAYS allow more than the app needs to do, or the allowances can always be used for something else; the allowance to send data to the internet can never be so specific that it only allows the correct data to be sent.

                So now let's compare that with Linux: here you have a central installer that only installs software from this trusted source, so for example Red Hat makes sure 0 criminals post their software there. Is that 100% perfect? No, but much better than downloading some setup.exe from some internet site and hoping that your blackboxing stops the rootkit you just downloaded from doing something too bad.

                Now let's look further: what is the most used hardware/software by people? Android phones. Here again I have 0 knowledge of any botnet or anything else done with an app from F-Droid, yet MANY apps from the Google Play Store had and have horrible malicious features.

                So could somebody THEORETICALLY put malicious code in free/open-source software? Sure, but in reality what do we see? We see that open source means 100% safety, at least on Android. Now sure, a map app in F-Droid will also indirectly, by sending the requests, generate data about you that others collect, but that is a different question; we focused on cyber criminality. Also, injecting trojan code into open-source apps I suspect only state actors would be able to do, and against them both approaches don't help, as if necessary they have all methods to get to you anyway.

                And the way this internet botnet thing could probably be running in the first place was because I had to allow starting of apps from outside of the Play Store because I needed to install F-Droid... so if it were an open-source OS, F-Droid would be preinstalled and such a security mechanism would not need to be deactivated to have a functional system without 100% proprietary malicious code. I mean, even with a central repository, can the proprietary world create any safety like you have with F-Droid? Then you have, I don't know, 10% horrible cyber-crime software directly hosted by Google. Apple tries there to be a bit more aggressive, but even their numbers are not that great.

                Btw, internet criminals, if you are not a high-value target, always target the weakest chain, so if you have a better workflow / more secure systems (for example Linux) than 50% of the users, or even better than 80-90%, then they have no interest in you; they rather attack the low-hanging fruit. If there is plenty of that, why go after the harder-to-get stuff? Therefore all these attacks, except maybe Skynet, which again was a state actor, are technology-wise extremely pathetic. Sure, the ransomware stuff with companies getting their data encrypted till they send money to somebody is more sophisticated, but I think the way these systems got infected must have been either old Windows systems (I think I heard something about that) or some stupid installing of some shit from emails or so. At least that was the way in; after having an infected PC they probably used other mechanics from that machine.

                Maybe our difference is also private person vs. companies. Because for company targets more sophisticated attacks are thinkable, but for private users open source protects you pretty well.

                And for me the only way to sandbox proprietary software is to run it on a different PC.
                Last edited by blackiwid; 28 April 2020, 03:38 PM.



                • #88
                  Originally posted by blackiwid:
                  [...]
                  OK, I've been conversing in good faith, but it's getting pretty clear that talking to you is like arguing with a brick wall if you can't grasp the concept that things aren't black and white despite my constantly trying to get through to you.

                  (eg. "Apparently not else Guix would NOT use this C based in your view insecure Init system" is like saying "The fact that so many people use C rather than raw assembly language is proof that they don't care about performance optimization")

                  Have the last word. I've got better things to do with my time.



                  • #89
                    Originally posted by ssokolow:
                    you can't grasp the concept that things aren't black and white despite my constantly trying to get through to you.
                    The same is true for you: "a proprietary system that is containerized is always more secure than open-source software without containerizing".

