Flatpak – a security nightmare – 2 years later (2020)

44 points by dulvui, about 1 year ago

5 comments

aborsy, about 1 year ago
One issue is that the permissions are hard to understand.

The end user doesn’t know, like, what bus-xyz or a socket is and if this app needs it!

The permissions may also change over time. Like a PDF reader may not need a particular permission unless you open a link or play an audio.

The apps have to be shipped in restricted mode, and ask user-understandable permissions. Basically, like phones.

karmakaze, about 1 year ago
This report would be better received if it wasn't from 4 years ago and posted on a domain named *flatkill.org*--seems 'politicized'.

Any shortcomings of sandboxing have to be compared with something else to be practically meaningful. A sandbox that works when an application is appropriately packaged is better than not running in one for all applications.

ajross, about 1 year ago
> Almost all popular apps on Flathub still come with filesystem=host or filesystem=home permissions

This is *way* oversold. That's true of "all popular apps" because those apps are legacy things written to run in the host filesystem and store state to the home directory. And there are good reasons to want to do this.

That's not an indictment of the technology, that's just saying that Thunderbird or whatever hasn't been ported to run in a sandbox yet. I mean, yeah. But why complain about the perfectly good sandbox technology and not the app?

Edit: this one is even worse:

> A perfect example is CVE-2019-17498 with public exploit available for some 8 months. The first app on Flathub I find to use libssh2 library is Gitg and, indeed, it does ship with unpatched libssh2.

So, that's a ssh client vulnerability. And indeed, you absolutely want your apps to ship current binaries with vulnerabilities patched, and this app didn't. *So isn't it a good thing you deployed that app in a sandbox?* Again, why complain about Flatpak when it likely is what's saving you from a client vulnerability?

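The thread turns on which apps ship with `filesystem=host` or `filesystem=home`. The following is an added example, not part of any comment here and not Flatpak project code: it reads an app's metadata keyfile and separates those broad grants from scoped ones. The sample metadata is constructed, and `audit_filesystems` and `BROAD` are hypothetical names.

```python
import configparser

# Constructed sample of a Flatpak app "metadata" keyfile (not from a real app).
SAMPLE_METADATA = """\
[Application]
name=org.example.Viewer

[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
filesystems=home;xdg-download:ro;!xdg-documents;
"""

# Grants that expose far more than a single app's own data.
BROAD = {"host": "all host files", "home": "the whole home directory"}


def audit_filesystems(metadata_text):
    """Split [Context] filesystems= into broad and scoped grants."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(metadata_text)
    raw = cp.get("Context", "filesystems", fallback="")
    report = {"broad": [], "scoped": []}
    for entry in filter(None, raw.split(";")):
        if entry.startswith("!"):
            continue  # negated entry: access removed, nothing granted
        path, _, mode = entry.partition(":")
        access = "read-only" if mode == "ro" else "read-write"
        bucket = "broad" if path in BROAD else "scoped"
        report[bucket].append((path, access))
    return report


if __name__ == "__main__":
    result = audit_filesystems(SAMPLE_METADATA)
    for path, access in result["broad"]:
        print(f"BROAD  {path} ({access}): app can reach {BROAD[path]}")
    for path, access in result["scoped"]:
        print(f"scoped {path} ({access})")
```

On an installed system, `flatpak info --show-metadata <app-id>` prints the keyfile this function expects; it reflects the defaults the app ships with, not any local overrides.
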
hi-v-rocknroll, about 1 year ago
Yep. I refuse to touch it. But we need a usable (and more documented) "QubeOS" including curated "app store" and app containment with overlay filesystems to separate data, OS, and application concerns sanely, predictably, and securely. XCP-ng implements O_DIRECT that allows zfs to be used as a backing store.

realusername, about 1 year ago
I really don't think the app model makes any sense for a Linux desktop anyways.

You need this sandboxing on the phone not because of security but because the developer of the app is untrusted, that's the opposite of Gimp / Krita / VLC or whatever else is packaged where the author is trusted and the sources are available.