On 30/06/2021 14:30, Michael Catanzaro wrote:
Well that's required for anything not present in the runtime.
That's why I prefer classic RPM packages over Flatpaks.
I use Flatpaks only for proprietary software like Steam (with a lot of
permission hardening overrides).
I believe hardening flags are added in by flatpak-builder. I think they somehow come from the runtime, though I'm not sure exactly how. (Anybody know?)
Yes, but some developers think they are smarter than runtime maintainers
and explicitly explicitly ignore them. I've previously reported such
incidents.
However, for most Fedora editions, it's also irrelevant, because RPMs are entirely unsandboxed and banning poorly-sandboxed flatpak applications doesn't make sense when you can just install completely unsandboxed RPM applications.
Flatpak is being advertised as a safe and secure environment for running
desktop applications.
Flatpak with access to user's home directory can do everything: change
Flatpak policies, add/remove Flatpak repositories, override security
permissions, etc.
I think Flatpaks with --filesystem=host or --filesystem=home should be
banned too. Flathub admins don't consider this a security breach.
--
Sincerely,
Vitaly Zaitsev (vitaly@xxxxxxxxxxxxxx)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
