@strypey A lot of these vulns require already gaining access, which isn't exactly a trivial matter on many systems so assuming you can get in, then there is a lot of really bad stuff you can do... It's a big if and I think the risk for most users is blown out of proportion. With good sandboxing a lot of the damage an attacker could do could be mitigated significantly. Also things like tripwire help a lot, but there are ways out of sandboxes and you can alias tripwire.

@curufuin @strypey one of the main points was about installing user apps (flatpak) which aren't sufficiently security restrained. There's your local access right there.

@tomosaigon if Flatpak is packaged by Debian, then by Ubuntu, then checked for nonfree bits by Trisquel, I'm pretty confident the version of Flatpak distributed through the Trisquel repos has had more independent auditing than any part of Windows, or any nonfree part of MacOS. Now, if the sandboxing Flatpak applies to apps installed using it is flawed, it's still better than none (eg AppImage).



@tomosaigon there are all sorts of security concepts (Object Capabilities, Reproducible Builds etc) that will improve the whole situation as devs learn to apply them. But security is and will always be about managing risks, with different levels of predictability. The most vulnerable component in a computer system is usually the human user. It's never a purely technical discussion.

