
Re: flatpak and root access



Reco (12020-04-06):
> It's simple, and security is just a part of a bigger problem here.
> The very purpose of flatpak is to enable the user running untrusted
> software (i.e. not obtained by usual OS means).
> So, for instance, if the author of the software wants their software to
> perform "telemetry" - they just do it and their users will "enjoy" it.
> A good software maintainer will just patch the offensive functions out
> because such privacy violation is a legitimate cause for a bug report in
> Debian (and yes, those *did* happen).
> Likewise, flatpak by itself cannot do anything against a cryptominer
> "helpfully" "bundled" with a software.

This is true, but I don't think it's the bigger security problem with
this and similar software bundle systems. If the program we want does
something harmful in secret, it will do it whether we install a whole
bundle or we build from source. A distribution packager may notice it,
but we can't rely on it.

We need to trust the people who make the programs we use.

But bundles come with an extra security issue: libraries.

The point of a bundle is that it comes with all its libraries. That
means if there is a security issue in that library, it needs to be
upgraded. It will not benefit from the security upgrades of the system.

Therefore, you have to rely on the people who made the bundle to follow
carefully on all security alerts for all bundled libraries. This trust
is sadly often unwarranted.

Regards,

-- 
  Nicolas George
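
One way to check the point about bundled libraries on a given machine, as an added example that is not part of the original message: it compares the version suffix of shared-object file names under a bundle directory with the copies under the system library directories. The function names and the default path `/var/lib/flatpak/app` (flatpak's system-wide install location) are assumptions of this example.

```python
"""Added example: list bundled libraries that lag behind the system copy."""
import os
import re
import sys

# Versioned shared objects, e.g. libfoo.so.1.2.3 -> ("libfoo.so", "1.2.3")
SO_RE = re.compile(r"^(lib.+?\.so)\.(\d+(?:\.\d+)*)$")


def scan_libs(root):
    """Yield (name, version tuple, path) for each real versioned .so file."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            m = SO_RE.match(fname)
            # Skip soname symlinks (libfoo.so.1 -> libfoo.so.1.2.3).
            if not m or os.path.islink(path):
                continue
            yield m.group(1), tuple(int(p) for p in m.group(2).split(".")), path


def lagging_libs(bundle_root, system_roots):
    """Return (path, bundled version, system version) for older bundled copies.

    Only copies with the same major version are compared. The file-name
    version is a heuristic: distributions often backport security fixes
    without changing it, so an empty report does not prove the bundle is
    patched.
    """
    system = {}
    for root in system_roots:
        for name, ver, _path in scan_libs(root):
            key = (name, ver[0])
            system[key] = max(system.get(key, ver), ver)
    report = []
    for name, ver, path in scan_libs(bundle_root):
        newest = system.get((name, ver[0]))
        if newest is not None and ver < newest:
            fmt = lambda v: ".".join(map(str, v))
            report.append((path, fmt(ver), fmt(newest)))
    return sorted(report)


if __name__ == "__main__":
    # Assumed default: flatpak's system-wide application directory.
    bundle = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/flatpak/app"
    for path, have, newest in lagging_libs(bundle, ["/usr/lib", "/lib"]):
        print(f"{path}: bundled {have}, system has {newest}")
```

Libraries that appear only in the bundle are not reported, since there is no system copy to compare against; those still need their upstream advisories tracked separately.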
