@strypey A lot of these vulns require already gaining access, which isn't exactly a trivial matter on many systems so assuming you can get in, then there is a lot of really bad stuff you can do... It's a big if and I think the risk for most users is blown out of proportion. With good sandboxing a lot of the damage an attacker could do could be mitigated significantly. Also things like tripwire help a lot, but there are ways out of sandboxes and you can alias tripwire.

@curufuin @strypey one of the main points was about installing user apps (flatpak) which aren't sufficiently security restrained. There's your local access right there.

@tomosaigon if Flatpak is packaged by Debian, then by Ubuntu, then checked for nonfree bits by Trisquel, I'm pretty confident the version of Flatpak distributed through the Trisquel repos has had more independent auditing than any part of Windows, or any nonfree part of macOS. Now, if the sandboxing Flatpak applies to apps installed using it is flawed, it's still better than none (e.g. AppImage).


@strypey That's interesting but I don't see anything about Debian (nor Ubuntu) conducting any sort of security audit on all Flatpaks. Is there really such an initiative? @curufuin


@tomosaigon of course not ;) The whole point of tools like Flatpak, AppImage, and Snappy, is to route around the auditing done by distros, so desktop (and maybe now mobile) GNU/Linux users can have the latest versions of apps, right now. If they built in sandboxing that's effective in protecting users' systems from the devs of app (and especially the devs of app dependencies), and if that sandboxing is audited by distro package maintainers, that would be a good compro.

Mastodon - NZOSS
