One issue is that the permissions are hard to understand.

The end user doesn't know, like, what bus-xyz or a socket is and whether this app needs it!

The permissions may also change over time. Like, a PDF reader may not need a particular permission unless you open a link or play audio.

The apps have to be shipped in restricted mode and ask for user-understandable permissions. Basically, like phones.
This report would be better received if it wasn't from 4 years ago and posted on a domain named <i>flatkill.org</i> -- seems 'politicized'.

Any shortcomings of sandboxing have to be compared with something else to be practically meaningful. A sandbox that works when an application is appropriately packaged is better than not running in one for all applications.
> Almost all popular apps on Flathub still come with filesystem=host or filesystem=home permissions

This is <i>way</i> oversold. That's true of "all popular apps" because those apps are legacy things written to run in the host filesystem and store state in the home directory. And there are good reasons to want to do this.

That's not an indictment of the technology, that's just saying that Thunderbird or whatever hasn't been ported to run in a sandbox yet. I mean, yeah. But why complain about the perfectly good sandbox technology and not the app?

Edit: this one is even worse:

> A perfect example is CVE-2019-17498 with public exploit available for some 8 months. The first app on Flathub I find to use libssh2 library is Gitg and, indeed, it does ship with unpatched libssh2.

So, that's an ssh client vulnerability. And indeed, you absolutely want your apps to ship current binaries with vulnerabilities patched, and this app didn't. <i>So isn't it a good thing you deployed that app in a sandbox?</i> Again, why complain about Flatpak when it likely is what's saving you from a client vulnerability?
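As an added example (not from any commenter in this thread): a small POSIX shell audit that reads a Flatpak app's installed metadata file (ini-style, with a [Context] section) and flags the broad filesystem=host / filesystems=home grants discussed above, so a user can decide whether to narrow them with flatpak override. The app id and the metadata contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of the "metadata" file Flatpak installs for an app
# (normally under /var/lib/flatpak/app/<id>/current/active/metadata).
# The app id and grants below are made up for this example.
SAMPLE_METADATA='[Application]
name=org.example.LegacyEditor
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=host;xdg-download;
'

# Print the filesystems= value from the [Context] section of a metadata
# file read on stdin; only the first [Context] match is reported.
context_filesystems() {
  awk -F= '
    /^\[/ { in_ctx = ($0 == "[Context]"); next }
    in_ctx && $1 == "filesystems" { sub(/^[^=]*=/, ""); print; exit }
  '
}

# Succeed (exit 0) if a filesystems= value contains a broad grant:
# host, host-os, host-etc or home, with or without a :ro/:rw/:create suffix.
is_broad_fs() {
  printf '%s' "$1" | tr ';' '\n' \
    | grep -Eq '^(host|host-os|host-etc|home)(:(ro|rw|create))?$'
}

# Audit one app: print either "ok" or a per-user override command that
# removes the broad grant (flatpak override --nofilesystem is a real flag).
audit_app() {
  app_id=$1
  fs=$(printf '%s\n' "$2" | context_filesystems)
  if is_broad_fs "$fs"; then
    broad=$(printf '%s' "$fs" | tr ';' '\n' \
      | grep -E '^(host|host-os|host-etc|home)' | head -n 1 | cut -d: -f1)
    printf 'BROAD %s: flatpak override --user --nofilesystem=%s %s\n' \
      "$app_id" "$broad" "$app_id"
  else
    printf 'ok %s (filesystems=%s)\n' "$app_id" "$fs"
  fi
}

audit_app org.example.LegacyEditor "$SAMPLE_METADATA"
```

Narrowing the grant this way can break an app that genuinely needs the path, which is the tradeoff the comment above describes; Flatpak's own `flatpak info --show-permissions` shows the effective grants after overrides.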
Yep. I refuse to touch it. But we need a usable (and more documented) "Qubes OS" including a curated "app store" and app containment with overlay filesystems to separate data, OS, and application concerns sanely, predictably, and securely. XCP-ng implements O_DIRECT, which allows ZFS to be used as a backing store.
I really don't think the app model makes any sense for a Linux desktop anyway.

You need this sandboxing on the phone not because of security but because the developer of the app is untrusted; that's the opposite of Gimp / Krita / VLC or whatever else is packaged where the author is trusted and the sources are available.