Flatpaks should be used for preinstalled programs for better security/updates

Write suggestions and new ideas in here
More ideas here http://community.linuxmint.com/idea/welcome
Forum rules
  • Only post ideas here that are specifically about the Linux Mint distribution or its websites.
  • So that developers and users from any distribution can discuss ideas in one place, post ideas about improving software to the collaboration website for that software instead.
Post Reply
frofrout
Level 1
Level 1
Posts: 6
Joined: Fri Dec 22, 2017 1:40 pm

Flatpaks should be used for preinstalled programs for better security/updates

Post by frofrout » Fri Dec 22, 2017 1:53 pm

Greetings! With the news that Ubuntu 18.04 will be using Snaps instead of the default non-sandboxed deb programs, I would suggest that Linux Mint looks into using Flatpaks for LibreOffice/Chromium/Firefox and all the other default programs that are also available as Flatpaks.

User avatar
BenTrabetere
Level 5
Level 5
Posts: 770
Joined: Sat Jul 19, 2014 12:04 am
Location: Hattiesburg, MS USA

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by BenTrabetere » Fri Dec 22, 2017 5:01 pm

No, no, no, 100 times no. I feel the same way about AppImages and Snaps, but maybe not as strongly. Flatpaks, Snaps and AppImages have their place, but not for major core applications.

I can understand running a browser in a sandbox. But why would you want or need to sandbox LibreOffice, and if there is a need, what advantage would Flatpak have over Apparmor and Firejail?


Just for giggles I installed the LO flatpak - it took over a minute to launch. Granted, a lot had to do with my ancient system (Athlon 64 X2 4200+ with 4GB RAM), but I suspect there still would be a performance hit on more capable hardware. The installed version of LO launches in less than 6-seconds.

I tested the component applications I frequently use (Writer, Calc, Draw and Base), and three of the four ran smoothly. Base was the exception. The current flatpak is missing the Java Runtime Environment, and LO-Base is pretty much useless without it.

mr_raider
Level 6
Level 6
Posts: 1317
Joined: Sun Jun 20, 2010 9:50 am
Location: Montreal, QC

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by mr_raider » Fri Dec 22, 2017 5:15 pm

Can anyone explain to me the fetsih for flatpaks and snaps? What's wrong with the .deb system, as I recall it it stands for "Debian package" which is one of the most robust and solid package management systems in all of linuxdom.

If I need a program, I look for a deb first.
Image

User avatar
jimallyn
Level 18
Level 18
Posts: 8551
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by jimallyn » Fri Dec 22, 2017 7:59 pm

mr_raider wrote:Can anyone explain to me the fetsih for flatpaks and snaps? What's wrong with the .deb system
The deb system is a good one, but sometimes you might want a newer version of a program than what is in or available for your installed Mint (or other Linux). The advantage of flatpaks is that they contain most of the dependencies within them, so you don't get the problem of "I can't install that because to do that I'd have to install this and this and this and uninstall that and that and that." Also, I guess some of the new packaging systems install the programs so that they run inside a "sandbox" where they can't screw up anything else in your system, and they are harder for anything external to screw them up.
Image

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

mr_raider
Level 6
Level 6
Posts: 1317
Joined: Sun Jun 20, 2010 9:50 am
Location: Montreal, QC

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by mr_raider » Fri Dec 22, 2017 8:27 pm

jimallyn wrote:
mr_raider wrote:Can anyone explain to me the fetsih for flatpaks and snaps? What's wrong with the .deb system
The deb system is a good one, but sometimes you might want a newer version of a program than what is in or available for your installed Mint (or other Linux). The advantage of flatpaks is that they contain most of the dependencies within them, so you don't get the problem of "I can't install that because to do that I'd have to install this and this and this and uninstall that and that and that." Also, I guess some of the new packaging systems install the programs so that they run inside a "sandbox" where they can't screw up anything else in your system, and they are harder for anything external to screw them up.
that sounds suspiciously "windows like" where ever .exe ships with a ton od .dll filles.
Image

User avatar
BenTrabetere
Level 5
Level 5
Posts: 770
Joined: Sat Jul 19, 2014 12:04 am
Location: Hattiesburg, MS USA

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by BenTrabetere » Sat Dec 23, 2017 4:29 am

mr_raider wrote:Can anyone explain to me the fetsih for flatpaks and snaps?
I think Flatpak, Snap and AppImage are attempts to solve, or at least address, the 'too many package systems' issue. I do not think they could or should be used to replace an established package management system like .deb, but they can fill a void.

Of the three, I prefer AppImage, and it gives me the opportunity to play with applications that I would never install to my system. I am currently using four AppImages on a regular basis, most of which are development versions. I am playing with two versions of GIMP 2.9.5, a RAW processor that is an early stage of development called Filmulator, a paint program called AZPainter, and two note taking applications, BoostNote and MrWriter.
Last edited by Moem on Sat Dec 23, 2017 12:33 pm, edited 1 time in total.
Reason: Fixed a quote

frofrout
Level 1
Level 1
Posts: 6
Joined: Fri Dec 22, 2017 1:40 pm

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by frofrout » Sat Dec 23, 2017 11:26 am

BenTrabetere wrote:No, no, no, 100 times no. I feel the same way about AppImages and Snaps, but maybe not as strongly. Flatpaks, Snaps and AppImages have their place, but not for major core applications.

I can understand running a browser in a sandbox. But why would you want or need to sandbox LibreOffice, and if there is a need, what advantage would Flatpak have over Apparmor and Firejail?
LibreOffice - As a journalist (for example) you open attachments for a living, pretty much. Knowing the .doc can't conquer your computer is a pretty strong argument for using it as a Flatpak instead.

Firejail in the repo is insanely behind on the updates. Meanwhile, Flatpaks are updated automagically and are protected with SELinux. Even if Firejail was actually kept up to date, messing around with Firecfg seems unnecessarily difficult when the alternative is to just use a Flatpak.
Apparmor? Oh please. No one in their right minds want to set that crap up.
mr_raider wrote:that sounds suspiciously "windows like" where ever .exe ships with a ton od .dll filles.
And the current situation in Linux is any better? Lots of dependencies for everything that may, or may not be installed automagically?

With Flatpaks the programs are sandboxed/isolated, which is as far away from Windows as you can get.

User avatar
BenTrabetere
Level 5
Level 5
Posts: 770
Joined: Sat Jul 19, 2014 12:04 am
Location: Hattiesburg, MS USA

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by BenTrabetere » Sat Dec 23, 2017 12:17 pm

frofrout wrote:LibreOffice - As a journalist (for example) you open attachments for a living, pretty much. Knowing the .doc can't conquer your computer is a pretty strong argument for using it as a Flatpak instead.
I think there is a place for Flatpak (Snap and AppImage), and I admit there are valid reasons for using one to run mainstream applications like LibreOffice or GIMP. My issue is replacing .deb with Flatpak (Snap and AppImage) as default package manager for mainstream applications.

I understand why the LibreOffice Flatpak might be attractive to a journalist, although I
think running it in a virtual machine will offer much better protection against a rogue .doc conquering your computer. I installed the LO Flatpak, and the default directory was /Home/Documents, so it is accessing the resources outside its pretty sandbox.

frofrout
Level 1
Level 1
Posts: 6
Joined: Fri Dec 22, 2017 1:40 pm

Re: Flatpaks should be used for preinstalled programs for better security/updates

Post by frofrout » Sun Dec 24, 2017 12:37 pm

BenTrabetere wrote:
frofrout wrote:LibreOffice - As a journalist (for example) you open attachments for a living, pretty much. Knowing the .doc can't conquer your computer is a pretty strong argument for using it as a Flatpak instead.
I think there is a place for Flatpak (Snap and AppImage), and I admit there are valid reasons for using one to run mainstream applications like LibreOffice or GIMP. My issue is replacing .deb with Flatpak (Snap and AppImage) as default package manager for mainstream applications.

I understand why the LibreOffice Flatpak might be attractive to a journalist, although I
think running it in a virtual machine will offer much better protection against a rogue .doc conquering your computer. I installed the LO Flatpak, and the default directory was /Home/Documents, so it is accessing the resources outside its pretty sandbox.
Well of course it should be able to access the documents folder. How else is the program supposed to work, at all? :?

Running a VM is something I doubt most journalists will be interested in doing. I'm a nerd and even I don't want to do it.

I also don't really see why you're so against Flatpaks when they are more secure and unlike the current LM system, they are updated regularly. This means Flatpaks would be beneficial for most people, most of the time. Ubuntu is making the leap into Snap and I feel it would be strange for LM to stick around with .debs when Canonical (rightly) seems to convinced that Snap/Flatpak is the future.

Also I'm not saying every program should be a Flatpak. I've never heard of a 0-day against GIMP in all my life, but Thunderbird/Firefox/Chromium/LibreOffice would all greatly benefit from the sandboxing.

Post Reply

Return to “Suggestions & New Ideas”