Re: Unhappy about Flatpaks in Software Manager

Posted: Tue Oct 16, 2018 4:23 pm
by arty
http://flatkill.org/ Flatpak - (is) a security nightmare

Having both (ppa and flatpak) listed in Software Manager confuses most users
I would like to have a separate flatpak-manager package - optional!

Just do a search for LibreOffice in Software Manager
- it gives you > 100 packages to choose from :(

Re: Unhappy about Flatpaks in Software Manager

Posted: Tue Oct 16, 2018 4:44 pm
by gm10
arty wrote:
Tue Oct 16, 2018 4:23 pm
I would like to have a separate flatpak-manager package - optional!

Just do a search for LibreOffice in Software Manager
- it gives you > 100 packages to choose from :(
Yep, but only one of them is a flatpak. I don't like flatpaks, either, but I don't think a separate Software Manager is either necessary or even desirable for most users.

Re: Unhappy about Flatpaks in Software Manager

Posted: Tue Oct 16, 2018 6:56 pm
by Fred Barclay
arty wrote:
Tue Oct 16, 2018 4:23 pm
http://flatkill.org/ Flatpak - (is) a security nightmare
But (and I don't use flatpaks myself) escaping the sandbox isn't as bad as it sounds.
Is it undesirable? Highly? But even when it occurs, all your flatpaked (is that a word? :P) app sees is what every other app in your system already sees. It's not getting any extra permissions as far as I can tell.

Now that local root exploit was bad! Using SUID is hard to get right! And to the team's credit, they got it fixed quickly: https://github.com/flatpak/flatpak/issues/845

Re: Unhappy about Flatpaks in Software Manager

Posted: Tue Oct 16, 2018 7:38 pm
by gm10
Fred Barclay wrote:
Tue Oct 16, 2018 6:56 pm
But (and I don't use flatpaks myself) escaping the sandbox isn't as bad as it sounds.
Is it undesirable? Highly? But even when it occurs, all your flatpaked (is that a word? :P) app sees is what every other app in your system already sees. It's not getting any extra permissions as far as I can tell.
Except the expectation is different. If you install an app the regular way you (should) know that you give it full access to your system and vet it accordingly before installing it. If you install an app via flathub you're told that it's perfectly safe because it's sandboxed, so you may decide to install something potentially harmful thinking it cannot break out of the sandbox.

Although to be fair, that's a consideration for only a very small number of people. The large majority of users couldn't care less about security, they just want a working app, that's why I think the approach of including the flathub source in Software Manager is the right thing to do. Nobody is forced to use it.

Re: Unhappy about Flatpaks in Software Manager

Posted: Tue Oct 16, 2018 7:51 pm
by ajgringo619
gm10 wrote:
Tue Oct 16, 2018 7:38 pm
Except the expectation is different. If you install an app the regular way you (should) know that you give it full access to your system and vet it accordingly before installing it. If you install an app via flathub you're told that it's perfectly safe because it's sandboxed, so you may decide to install something potentially harmful thinking it cannot break out of the sandbox.
The PPA version of flatpak (currently 1.04) explicitly details every permission, if any, that its apps are requesting during installation. As you stated, most users could care less about security.