this post was submitted on 06 Dec 2023
8 points (59.1% liked)
Privacy
31949 readers
502 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Thanks for the additional reading and information. Maybe it's just me, but I feel like I hear about a security vulnerability in "processor microcode" or packages or other software basically every day. As a relatively non-technical user, it's always very difficult to tell how much these things actually matter for normal users. Flatpaks are incredibly convenient because they "just work" and are easily compatible with immutable distributions. For better or worse, I suspect many people are not going to be dissuaded from using them by hypothetical/abstract security risks.
Flatpaks are more and less secure. Their Sandbox improves 99% of apps security as other sandboxes are hard to setup and thus nearly nonexistent.
Browsers have their own, so just dont use Flatpaks there.
I am not sure about microcode, but processes running as root are maybe more critical, but it sounds like any process could have exploits if microcode is a problem. Also, RiscV or even ARM will be waaay better here, as their instruction set is not dozens of years old and extremely bloated.
As we get our apps from secure repos, with projects keeping track of every Git commit etc, we just had no malware really.
The only problem is that Flatpaks, like appimages, "just work" and dont have to evolve like the rest of the OS will. Their main goal is to work everywhere, and Devs always choose convenience over security.
For example Portals are not implemented in most old big projects like Libreoffice, Gimp, Inkscape etc. Scribus is even X11 only. But developers will not remove the
filesystem=host
permission and replace it with "just all the media locations". This will still be a problem, but at least apps could not read Kernel logs etc anymore.Also as they "just work" its easy to abandon them and dont update. The "outdated Runtime" Warning is a veeery good indicator of a project using old and probably insecure libraries. But afaik there is no automatic CVE patching in flatpak-builder which is a huge problem.