this post was submitted on 04 Jun 2024
281 points (98.6% liked)

Linux

48200 readers
1277 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] boredsquirrel@slrpnk.net 6 points 5 months ago* (last edited 5 months ago) (1 children)

The Flathub security rating is useful but too cautious (so many "false alarms" that people ignore it). It is completely independent from the verification though.

Mixing these up makes no sense.

But for sure, officially supported Libreoffice may be more secure than distro-packaged Libreoffice.

Is any of these applications dangerous or a security risk to the system / user?

Likely not more than Distro packages. They pull in dependencies, and code, just like any other app.

Flatpaks are too pain tolerant regarding EOL runtimes. These may have security risks, and many badly maintained apps are using them, and at least KDE Discover doesnt show a warning here.

Create a fork of an app and verify your website with the fork in Flatpak. The system is already broken

True

By doing so, it undermines a reason why we use GPL and Open Source.

Very good points. It is a good security practice to stay close to a trusted upstream though. Browsers for example may have delayed security patches.

And what about apps where the original author does not care, but was brought to Flatpak by a community member?

Same here, if the upstream tests the Flatpak BEFORE shipping the release, it will work and be fast. If they dont, they ship the update, the flatpak is updated some time after that, it may have an issue, the packagers may need to patch something, solve the issue upstream etc.

The thing is that packagers should join upstream, as only integrated packaging gives this inherent stability and speed.

This is not relevant in many scenarios though. Flatpaks allow to securely sandbox random apps, so they are very often more secure.

[–] thingsiplay@beehaw.org 1 points 5 months ago (1 children)

The Flathub security rating is useful but too cautious (so many “false alarms” that people ignore it). It is completely independent from the verification though.

Mixing these up makes no sense.

That's right, but I had a point there. My point is, that even verified applications can be marked as insecure on Flathub. That means, unverified applications can be secure based on the standards the Flathub sets. This was my point that its independent and why the verification of source has nothing to do with security. If Linux Mint does hide unverified apps, because it thinks these are unsecure, then it should hide all the applications that are marked as a potential unsecure app; just like the unverified apps are potentially unsecure (just like any other verified app).

Hopefully this was not too confusing to read.

[–] boredsquirrel@slrpnk.net 1 points 5 months ago

Yes, verification is very different from the security rating.

Poorly you can sort by subsets but not by the security rating.

There are legacy apps that are always insecure with huge static filesystem permissions AND they are sometimes not well maintained i.e. they dont support the Flatpak.