On 07/10/2016 04:45 PM, Levente Polyak wrote: > We, as the Security Team, are strongly against any move to officially > ship bundles that manage their dependency versions itself instead of > regular software builds. > […] With pacpak, it will be the user’s responsibility to update the bundles just like it is the user’s responsibility to update their Arch system. I do *not* want Arch to ship official bundles. Users of Flatpak bundles from elsewhere are of course on their own as well. Yes, a kernel vulnerability may allow malware to escape the container. I should not have said that Flatpaks can be run without any fear at all. pacpak users should be made aware of this. Regards, Florian Pelz
