The sandbox is actually a lie. All popular apps on flathub come with filesystem=host, filesystem=home, or device=all permissions. You don't get security updates for months. How can it call itself the future of application distribution if the Red Hat developers working on flatpak do not care about security?
That's not true. Flatpak is safe and autistoc as fuck, just read the pull requests, they habe 100 demans when packaging something.
>>109002566All it's missing is better visibility over those things like on android
>Excessive permissions are real but a packaging choice, not a Flatpak flaw. Many apps request filesystem=host for compatibility.>The sandbox works—you can audit and restrict permissions using Flatseal. Portals are gradually replacing raw filesystem access.>Security updates happen via shared runtimes. When a runtime is patched, all apps using it get the fix automatically on restart.>Delays are usually due to your software center not refreshing, not developer neglect.>Trade-offs exist: strict sandboxing breaks file managers, themes, and plugins, forcing pragmatic choices.>Bottom line: Flatpak improves on traditional packages (zero sandboxing), but isn’t perfect. You have the tools to lock it down today.
Flatpak 2 will solve this.
>>109002566Red Hat has their own flatpak repos and don't give a shit about flathub. The flathub button is only in fedora by popular demand.
>>109002566>How can it call itself the future of application distribution if the Red Hat developers working on flatpak do not care about security?Red Hat uses its own flatpak repo. Do the fedora flatpak builds also have this issue?
>>109002694Is this a real thing?
>>109003487They're planning on making a new version from scratch in Rust.
>>109002566>flatseals in your pathheh nothing personnel
>>109003505kek
>>109002566my flatpak apps get updated all of the time. I run flatpak update probably twice a week and there are usually 8-12 updates every time. I probably only have 15 or so flatpaks.
Okay maybe tune the permissions then? I don't see the problem
Flatpak makes browsers less secure.
>>109002566You're talking about flathub security, not flatpak
>>109006097Flatpak = Flathub
>>109002566AI said it's safe therefore it is you silly luddite snailcat
>>109006097No, flathub is just a website/repository of flatpaks. The flatpak manifest specifies the permissions and it also applies if you dont use flathub.
>>109007262The permissions are from flathub. If there was a repository of flatpaks with stricter permission rules for publishing then OP's point would be moot
>>109002566No,lets talk about appimage instead. Thats a bigger issue.
>>109002566If you want true sandboxing you should explore qubesos, or something like silverblue where schizomaxxing with a container for every application is an acceptable way to function
>>109002566Flatpak is kinda jewish to me I don't know why.
>>109002566Okay? ALL apps you install through dnf, pacman or apt have ALL permissions without any way of disabling almost any of them. Flatpak is better than anything else we have. Everything else is either shit or unpopular.Also this >>109007336The reason why Firefox and Brave have all the permissions you've listed is because Firefox and Brave developers have decided they're required by default. And those permissions are toggled on by default by the flatpaks coming from flathub. Anyone can host their own flatpak repo with apps which have all permissions turned off.
>>109005898>>109004083>needing to manually go to the settings to unlock permissions>while android, ios and even snaps have promptsFlatpak LOST.
>>109009750Must be the cube/saturnian logo.
>>109010260Death by prompts is not a good UX. This is why you see people click "Accept" to everything on Android and iOS without even thinking.Its better for apps to have static permissions that are configured well out of the box. If an app needs full access then it needs full access. Just don't use that app if it makes you uncomfortable.
>>109011356>out of the boxThat's the problem: most flathacks don't.
>>109011366File a Github issue:https://github.com/flathub/
>>109011375>just do workNo, thanks.
>>109002566>security nightmare They actively maintain and fix problems and it's objectively better than nothing. Post a real solution or fuck off.
>>109011381Ask an LLM to file Github issues on your behalf for all projects with a Flatpak manifest that contains host or home permissions.Shouldn't cost you too many tokens and zero time wasted.
>>109003487They had expressed interests in moving to OCI containers because people are hard-filtered making flatpaks currently.
>>109011397OCI is objectively a good thing and they're finally getting rid of the shitty flatpak-builder yaml crap.
>>109011401I have mixed feelings. OCI is kind of slop and a lot of the security is based on some things being the way they are. Only good thing with a potential v2 is I could potentially use NixOS instead, but we'll see.
>>109011390No, thanks. I'm here to talk with other anons, not to take this problem upon myself.
>>109011366If you aren't using flatseal, you're a moron. If you don't know how to use flatseal, you're a moron. Your whole thread is shit and you're just flailing around in your skill issue. You as a user should know what you want to share or not.
>>109011422I know how to use Flatshitteril, but I shouldn't need to and normal users won't understand why they can't drop a file from /x/y/z into the app in the first place.If you want to gatekeep, just use LFS or something.
>>109011438You just want to complain and bitch and moan. You could solve this problem for everyone by taking 5 minutes out of your day to file a Github issue, or even better submit a pull-request fixing it.You need to put up or shut up.
>>109011438Why shouldn't you need to? Eventually you'll have an app that may want to read your pictures, another that may want to read your documents, but there is no clear xdg defined path for every kinds of "files" you would work with. On top of that, giving something access to everything under ~/Documents may not be ideal anyway. Eventually (You) as the user have to make executive decisions, either using the xdg-portals apis or by sharing very specific paths. There is literally no way to work around this.
>>109011458This.Flatpak is framework that has everything in its kit to solve this (App developers should USE THE PORTAL) but sometimes the only solution for these apps that aren't doing that is to allow everything because it's the path that breaks things the least.
>>109011485Another problem is when you, for example, don't allow access to Downloads then the app will store Downloads in some random app-specific directory in ~/.var/app which is a very confusing UX for people that don't know or expect that.The Tor Browser Flatpak, for example, does that and its very weird if you don't know where to look to find your Downloads.I think on that occasion, it's the right decision but the UX is very weird.What we need is per-app directories for Documents, Downloads, Pictures, etc, that get merged automatically in the file-browser.
>>109011455Or maybe Linux could just work?>>109011458That's the point: a permission prompt would solve this issue. Or just give up on the whole "sandboxing" thing and just keep the containerization of dependencies around.
>>109011535It does "just work", that's the thing you're complaining about. You're saying the chastity cage isn't locked tightly enough to prohibit your penis from working properly meanwhile it just works for Mr Big Dick.
>>109011541
>>109006097>Excuse me, but what you're referring to as Flatpak is actually Flatpak + Security, or as I've taken to calling it, Flathub.
>>109002566Why do you seem to think you should be able to run malicious software on your system without consequences? That's what VMs and separate test computers are for. Flatpak is for installing a program to run near natively but without fussing with library and version requirements.
>>109011381You're getting this software for free. Nobody owes you anything.
>>109002566Nobody is going to pop your box via a flatpak of the dolphin emulator. You're running a hobbyist OS and posting about it on an anime website. You're not doing anything important. Stop it.
>>109011422This is why linux will never have any real presence in home computing.>wahh wahh muh gaykeeping I don't want normies fucking me in the ass if they can't configure flatpaks properly :((((
>>109007336I see what you mean, but the truth is that those application need those permissions to function. So its not just a matter of hosting with higher permission restriction, since then you wont be able to use the most popular applications. Things like device=all is also a flatpak limitation since thats the only way to get access to controllers for example. They are missing more specific options for permissions.
>>109013099>going to your system settings to manage app permissions is gatekeeping and difficultMan, I can't imagine how much people must be struggling with iOS and Android. Holy shit, I bet Windows mobile is the most used smartphone OS because of how unusable iOS and Android must be.
