Unhappy about Flatpaks in Software Manager

[arty]

http://flatkill.org/ Flatpak - (is) a security nightmare

Having both (ppa and flatpak) listed in Software Manager confuses most users
I would like a have a separate flatpak-manager package - optional!

Just do a search for LibreOffice in Software Manager
- it gives you > 100 packages to choose from

[gm10]

I would like a have a separate flatpak-manager package - optional!

Just do a search for LibreOffice in Software Manager
- it gives you > 100 packages to choose from

Yep, but only one of them is a flatpak. I don't like flatpaks, either, but I don't think a separate Software Manager is either necessary or even desirable for most users.

[Fred Barclay]

http://flatkill.org/ Flatpak - (is) a security nightmare

But (and I don't use flatpaks myself) escaping the sandbox isn't as bad as it sounds.
Is it undesirable? Highly? But even when it occurs, all your flatpaked (is that a word? ) app sees is what every other app in your system already sees. It's not getting any extra permissions as far as I can tell.

Now that local root exploit was bad! Using SUID is hard to get right! And to the team's credit, they got it fixed quickly: https://github.com/flatpak/flatpak/issues/845]

[gm10]

But (and I don't use flatpaks myself) escaping the sandbox isn't as bad as it sounds.
Is it undesirable? Highly? But even when it occurs, all your flatpaked (is that a word? ) app sees is what every other app in your system already sees. It's not getting any extra permissions as far as I can tell.

Except the expectation is different. If you install an app the regular way you (should) know that you give it full access to your system and vet it accordingly before installing it. If you install an app via flathub you're told that it's perfectly safe because it's sandboxed, so you may decide to install something potentially harmful thinking it cannot break out of the sandbox.

Although to be fair, that's a consideration for only a very small number of people. The large majority of users couldn't care less about security, they just want a working app, that's why I think the approach of including the flathub source in Software Manager is the right thing to do. Nobody is forced to use it.

[ajgringo619]

Except the expectation is different. If you install an app the regular way you (should) know that you give it full access to your system and vet it accordingly before installing it. If you install an app via flathub you're told that it's perfectly safe because it's sandboxed, so you may decide to install something potentially harmful thinking it cannot break out of the sandbox.

The PPA version of flatpak (currently 1.04) explicitly details every permission, if any, that its apps are requesting during installation. As you stated, most users could care less about security.