> On Jul 14, 2017, at 12:54 PM, Florian Weimer <fweimer@xxxxxxxxxx> wrote:
> The app store model also assumes that the app store operator acts as
> some sort of gatekeeper, so there has to be some policy enforcement at
> this level, too. It is not sufficient to pass through just what the
> application developer asked for.

This is only a problem because Flatpak is currently following the IMO rather busted old Android model.

With very few, if any, exceptions, I think a much better model would be for an application to start with basically no permissions and to have to ask for fine-grained permissions as needed. Think iOS but tighter. By default, an app shouldn't be able to use the network, see what other applications are installed, or get your unique advertising ID without explicit consent, let alone access your dotfiles.

I would like to see a situation in which running random Flatpaks is as safe or safer than visiting random webpages, at least insofar as the *intentional* surface by which it can damage you should be as small or smaller than that of a webpage.
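To make the contrast concrete, here is an added illustration (not part of the thread, and not Flatpak's own documentation) of the two models as they appear in a Flatpak manifest's `finish-args`. The first fragment grants the broad, up-front permissions the reply criticises; the second starts from the sandbox default of no network and no home directory and only adds what the application demonstrably needs. The application id `org.example.Notes` is a placeholder; the `finish-args` flags themselves are real Flatpak sandbox options.

```json
{
  "_comment_permissive": "Broad up-front grants: network, the whole home directory, full X11 and D-Bus session access",
  "app-id": "org.example.Notes",
  "finish-args-permissive": [
    "--share=network",
    "--share=ipc",
    "--socket=x11",
    "--socket=session-bus",
    "--filesystem=home"
  ],

  "_comment_minimal": "Deny by default: no --share=network, no --filesystem=home, no session-bus. Wayland only, one well-known D-Bus name, and just the Downloads folder; anything else goes through a portal and a user prompt.",
  "finish-args-minimal": [
    "--socket=wayland",
    "--socket=fallback-x11",
    "--device=dri",
    "--filesystem=xdg-download",
    "--talk-name=org.freedesktop.Notifications"
  ]
}
```

A real manifest has a single `finish-args` key; the two arrays are shown side by side here only for comparison. The point of the minimal list is that each entry has to justify itself: file access beyond `xdg-download` and any network use would have to be requested explicitly (for example via the file-chooser portal) rather than granted to the whole application at install time.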