On Wed, Jun 30 2021 at 12:41:17 PM +0200, Vitaly Zaitsev via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> They bundle lots of libraries,

Well that's required for anything not present in the runtime.

> don't use C/C++ build hardening flags, etc.

I believe hardening flags are added in by flatpak-builder. I think they
somehow come from the runtime, though I'm not sure exactly how.
(Anybody know?)

For freedesktop-sdk and the GNOME SDK, the hardening flags are actually
copied straight from Fedora with only minor adjustments. E.g. GCC is
built with --enable-default-pie --enable-default-ssp so the runtime
doesn't need to use GCC specs in the default flags like Fedora does.

Again, since applications do get these flags (somehow), they have to go
out of their way to screw this up.

(Seriously, how do the applications inherit the hardening flags? It
can't be via magic. We should confirm that this actually works.)

> A lot of applications from Flathub use --filesystem=host or
> --filesystem=home, which means they don't use Flatpak isolation at all.

This is true. However, for most Fedora editions, it's also irrelevant,
because RPMs are entirely unsandboxed and banning poorly-sandboxed
flatpak applications doesn't make sense when you can just install
completely unsandboxed RPM applications.

For Silverblue, it would make sense IMO to be stricter and filter
poorly-sandboxed applications out of GNOME Software.

Michael
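
The --filesystem=host / --filesystem=home grants discussed in this message are recorded in each application's metadata keyfile, so they can be checked mechanically. The script below is an added example, not part of the original message and not code from Flatpak or GNOME Software; the function names and both sample keyfiles are constructed for illustration.

```shell
#!/bin/sh
# Print every host/home grant in the [Context] filesystems= key of a
# Flatpak metadata keyfile read from stdin (one per line, nothing if none).
broad_fs_grants() {
    awk '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }   # track current group
        in_ctx && /^filesystems=/ {
            sub(/^filesystems=/, "")
            n = split($0, items, ";")
            for (i = 1; i <= n; i++) {
                entry = items[i]
                base = entry
                sub(/:(ro|rw|create)$/, "", base)      # host:ro is still host
                # a leading "!" negates a grant, so "!home" never matches here
                if (base == "host" || base == "home") print entry
            }
        }
    '
}

# Classify one keyfile on stdin: "broad" if it has a host/home grant.
classify_metadata() {
    if [ -n "$(broad_fs_grants)" ]; then echo broad; else echo confined; fi
}

# Live use (assumes the flatpak CLI is installed); not called by default.
audit_installed() {
    flatpak list --app --columns=application | while read -r app; do
        printf '%s\t%s\n' "$app" \
            "$(flatpak info --show-metadata "$app" | classify_metadata)"
    done
}

# Constructed sample keyfiles (not taken from any real application).
SAMPLE_BROAD='[Application]
name=org.example.Editor

[Context]
shared=network;ipc;
filesystems=xdg-download;home:ro;host;
'
SAMPLE_TIGHT='[Application]
name=org.example.Viewer

[Context]
sockets=wayland;
filesystems=xdg-pictures:ro;!home;
'
printf '%s' "$SAMPLE_BROAD" | classify_metadata
```

Only the permissions declared in the metadata are examined here; user or system overrides applied afterwards are stored separately and are not read by this script.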