The Future of Flatpak

(lwn.net)

306 points dxs | 1 comments | 22 May 25 23:51 UTC | HN request time: 0.205s | source

Show context

binkHN ◴[23 May 25 01:28 UTC] No.44068949[source]▶

Nice breakdown. I'm new to Linux and didn't know about this:

> Flatpak still uses PulseAudio even if a host system uses PipeWire. The problem with that is that PulseAudio bundles together access to speakers and microphones—you can have access to both, or neither, but not just one. So if an application has access to play sound, it also has access to capture audio

That's a pretty decent sized hole.

replies(1): >>44069013 #

gjsman-1000 ◴[23 May 25 01:37 UTC] No.44069013[source]▶

>>44068949 #

I sometimes see Linux users sneering at Windows and Mac design mistakes or lack of “freedom”… but then there’s stuff like this.

Of course, Linux is then conveniently redefined in a way that nobody can be responsible, with finger pointing on every issue, rather than admit design flaws like this plague Linux as a whole.

replies(3): >>44069126 #>>44069129 #>>44069527 #

bee_rider ◴[23 May 25 01:56 UTC] No.44069129[source]▶

>>44069013 #

I get that you already preempted this, but: Flatpack is a weird extra layer on top of Linux. Most distros have package managers that work just fine. These package managers predate Flatpack and basically are the main thing that the distro provides (other than the community, of course).

replies(4): >>44069155 #>>44069490 #>>44069854 #>>44071245 #

CJefferson ◴[23 May 25 04:27 UTC] No.44069854[source]▶

>>44069129 #

But those are even worse from this point of view, I have no control over which apps can access my camera, or microphone.

I'm personally disappointed that sandboxing isn't easier in Linux. I hoped it would move past Windows and Mac, imagine a world where the majority of libraries are sandboxed too, we only let compression and decompression libraries read one stream and write to another, this would improve security. This has been done by both Google (in Android) and Apple (in iOS and Mac OS X), but hasn't seen general acceptance in Linux (as far as I can tell).

replies(2): >>44070090 #>>44074849 #

realusername ◴[23 May 25 05:25 UTC] No.44070090[source]▶

>>44069854 #

Because on Linux, everything is based around trusted security since you have access to the sources whereas on iOS and Android, every single app you install could be a malware so those systems are based on untrusted security.

replies(3): >>44070165 #>>44070248 #>>44070325 #

AStonesThrow ◴[23 May 25 05:39 UTC] No.44070165[source]▶

>>44070090 #

Hahaha, oh that is a hilarious attitude, you really believe that F/OSS means that implicit trust can be granted all across the supply chain. That I have access to the source makes a lick of difference in terms of vulnerabilities or exploits that can be found.

Once in college I cited Linus's Law in an impassioned apologia for Open Source. And I was duly corrected. Because Linus's Law really has no basis in reality.

https://en.wikipedia.org/wiki/Linus%27s_law

The reason Linux has such a model of blind trust in system services and applications is because it was based on Unix, which had an even more naïve model, because mostly, it was administrators and authorized users installing that stuff, there was more top-down monitoring and control, and just a smaller incidence of naked malice.

It's the same thing we see in earlier versions of Windows, or macOS, or the Internet. Look at the Internet in the mid-90s. Was it secure, with all the open source running on it? Hell naw. Every OS and protocol is vulnerable and attacked, and every OS and protocol revises security models based on modern-day threats. F/OSS saves nobody and mitigates virtually nothing.

To answer the GP, sandboxing has to be bolted-in to Linux after the fact. Linux's POSIX model is so old and needs to be so compatible. The only sandboxing in SVR3 Unix was chroot(2), you know? The Docker support and cgroups and virtualization are all new layers, and need careful integration. Nobody says that F/OSS doesn't need sandboxing. Nobody says that F/OSS is so secure that it can deviate from better-secured models. Quite the opposite.

Android and iOS are clean starts, mostly; didn't need to be backwards compatible, so they're tuned to the latest threat models of adversarial computing as you describe. But every single app you install on Linux could be a malware, too. I have no idea what "trusted security" or "untrusted security" are, but they aren't real terms of art in Cybersecurity, and they do nothing to describe the provenance or evolution of Linux security (which often has a lot of unused mitigations such as AppArmor or SELinux that get turned off right quick.)

replies(1): >>44070565 #

realusername ◴[23 May 25 06:59 UTC] No.44070565[source]▶

>>44070165 #

This is kind of a sophism, of course it's not perfect (nothing is) but I'll still trust this model over Android or iOS which have a built-in advertising id, manufacturer modifications I can't even look at and shady processes which have more power than I do.

Security is also a social contract.

replies(1): >>44073290 #

1. skydhash ◴[23 May 25 14:34 UTC] No.44073290[source]▶

>>44070565 #

Yep, most house doors locks won’t survive a well placed kick, but in a safer community, that’s all people have. But in less trusting neighborhoods, everyone use steel bars on windows and have an additional steel door for every wooden one.

So you still can have bad actors in the package manager model, but something like Adobe who treat user agency with contempt is less likely to happen.

So I trust my distros and its maintainers more than I trust Apple. And Apple already have most of my data via iOS.

↑