Dedicated accounts, sandboxing, jails, Docker, and VMs exist.
The old thinking was that software was a user agent, serving the user's needs and interests. Some OSes (Debian comes to mind) explicitly acknowledge this.
Increasingly it's simply a naive and unjustified belief. Applications must be considered as untrusted necessary evils. Allocating them a minimum level of access is prudent.
Flatpak promises this, but fails to deliver.
Package managers offer this by convention, but rely on users (and security researchers) discovering and reporting malicious behaviour. Mitigation is retroactive: fixed behaviours or packages removed from the distro's repository, but the damage is done and existing deployments remain.
The underlying issue is one of packaging, updating, and distributing sandboxed apps.
And in recognising that packaging systems serve users, not developers.
It is not that simple [1], one need to earn trust. Distribution maintainers have much better record than browser addons authors.
Maybe we can trust big names, just like on Android — Google, Amazon. We may think that it is safer with paid software — they have something to loose. But free - I'd bet on maintainers.
If a library has a vulnerability, the distro often updates it and then every package that uses it has been patched. With these sandboxes things that include their own versions of dependencies, each one of them needs to be updated.
How is it any better than flatpaks having full access to your home directory? Yet, one of the points of criticism against flatpak is that it doesn't protect the users home directory.
Now, it's certainly debatable if flatpak could or should push more in that direction, like apple did when they introduced the sandbox for app store applications, but flatpak certainly does not have leverage to the same extend as apple has. So it's up to the app to opt in to a suitable sandbox set. It's a sad state of affairs, but I don't see a viable path for the flatpak folks to change that.
Package managers do not claim sandbox. No claim - no false claim - no accusation.
And it is easy to fix - publish capabilities in the gallery. Apple iOS "request location" shows that people care if they know. Sandbox certainly is a good thing. Without it Flatpak is just another package manager.
> One of Flatpak’s main goals is to increase the security of desktop systems by isolating applications from one another. This is achieved using sandboxing and means that, by default, applications that are run with Flatpak have extremely limited access to the host environment.
It’s better by not depending on yet another component or layer of abstraction. If you had a distribution which would use flatpaks for everything (ie no other packaging system involved), then sure, usual packages probably wouldn’t be any better than flatpaks.
But that’s not the point that is made against flatpaks - the point made in the article is “it allows access to the home directory, so it’s worse.”
Whether flatpaks is better or worse than packages depends on many other factors. Flatpaks allow software providers to package for multiple operating systems in one package, for example. This makes software available that otherwise wouldn’t be. Whether that’s worth it or not is debatable, but raising clearly invalid points to attack flatpaks is disingenuous.
Let’s count the various Linux flavors as different operating systems for this purpose, because they use wildly different package formats. And yes, I’ve installed software for fedora via flatpak that did not have packages for fedora at all or depended on versions of dependencies that the host system did not provide. (Specific python versions and dependencies IIRC)
Indeed. If you're an ISV packaging an application that uses OpenSSL, $DISTRO version N and $DISTRO version N+1 can easily be different OSes because they ship different incompatible OpenSSL versions, so what you do is provide a .deb/.rpm/.tar.gz that bundles a statically linked OpenSSL.
You don't understand how something running as root with full access to your entire filesystem is worse than something that has access to your home directory?
And they do? Just because they have some flaws doesn't mean that they're completely unusable. If you need an app that isn't on your distro but is on Flatpak, by all means use it.
> practically most packages on Ubuntu or Debian, for example, are outdated.
Some reasonable level of quality control does take time. There are distros that are much more up to date with upstream versions (Arch Linux, Gentoo, etc), but by living on the bleeding edge, you will eventually get cut.
You still need to distribute the static executables and there's no way to update them besides downloading them again unless the software has some auto-updater built-in. That definitely doesn't solve the issue.
I'm not sure I follow your reasoning here. If you are so concerned about the security of your system that you want to run each program on a sandbox, then you definitely do not want to allow programs to "update" themselves by automatically downloading random binaries from the internet.
Well, I never said I was concerned with security. I am to some extent but not to the point where I inspect every single update.
What I value most is having every software or library available through some form of package manager. Downloading static binaries off the internet without auto-update just doesn't make it which is why I like having Flatpak as a fallback.
It also makes it easier for the common user to have every piece of software available through one store. They don't need to know whether it's a .deb or a Flatpak underneath, it just needs to be there and work reasonably well.
There's really no other option: either distro maintainers include every single piece of software in the repositories (unlikely), or we need a common format that works on all distros (already the case with Flatpak).
What about packages that isn't provided by your distribution. Or packaged software in your distribution is too old, and you have a reason to use a new version.
Same, I remember I compiled a program like that 3 weeks ago, and it takes me half an hour to figure out how to do so. But I think expecting all the casual Linux to be able to do that is unrealistic. So I think it is necessary to have things like Flatpak, Snap, AppImages to exist.
BTW, I used to think that we can just provide a prebuilt binary to let user download from a website, but finding that isn't easy to achieve unless you use a language like Go, Rust... because I found that many C program are hard to compile with full static linking.
Absolutely the opposite of true. A tiny amount of the code on GitHub say is available in rpm/deb. Largely these package popular C and C++ code, and the majority of other stuff is not packaged. The language package managers are huge as well.
We need easier/more integrated app sandboxing. Last time I tried firejail it was a pain in the ass, but looking at the docs it seems like it may have gotten better. Regardless, distributions could actively promote it (or something like it) as a default way of running apps, with some convenience features.
PPAs are the worst of the worst and absolutely should not be encouraged.
With PPAs, everytime someone runs sudo apt upgrade, they are giving root privileges to their machine to some random person on the internet. No, having users scan the source code every time a package is upgraded is awful.
I reiterate, the most popular PPA is an old 3rd party Java PPA which doesn't even offer Java anymore. That PPA has root access to thousands of machines.
Using an old 3rd party Java PPA is as foolish as it gets, as there is an official OpenJDK PPA that supports all the JDK versions for many Ubuntu releases. I'm also skeptical of the statistic you mention, since Canonical doesn't publish rankings, and download stats need to be retrieved via API on an individual repository basis.
Relying on extremely incompetent users to make a general point is a strawman, not to talk about defining PPAs as "random people", as many software products have official repositories or affiliations (I take you don't use PPAs).
If one likes to scream about administrative privileges to get attention, they're forgetting that any Linux user is giving root access to thousands of packages. So the point is really the web of trust.
If we talk about the past and present, there has been no malicious attacks (or in number so small, that it's hard to find reports). So much for the "worst of the worst".
If we talk about the future, there's no reason why a web of trust can't be built. "To reiterate", lots of PPAs are official, including the OpenJDK one, so if the PPAs approach happened to get traction, it'd be really a matter of software authors to build their own or to appoint somebody to do.
This is really the concept of maintainers and their network, it's applying to the distro you're using, and it's nothing fundamentally different.
>Using an old 3rd party Java PPA is as foolish as it gets, as there is an official OpenJDK PPA that supports all the JDK versions for many Ubuntu releases. I'm also skeptical of the statistic you mention, since Canonical doesn't publish rankings, and download stats need to be retrieved via API on an individual repository basis.
It was from a podcast from Canonical's apopey who described precisely some of the technical decisions behind snap and why they never bothered to open source it after the disaster that was open sourcing launchpad. He knows the statistics because most of these 3rd party PPAs were hosted on Launchpad that was only run by Canonical.
>Relying on extremely incompetent users to make a general point is a strawman, not to talk about defining PPAs as "random people", as many software products have official repositories or affiliations (I take you don't use PPAs).
Systems like this should be designed for 99% of users. PPAs were designed for 0.1% of system admins, and developers, not users. They are absolutely awful UX design, they are inherently unsafe, and unreliable.
Expecting users to vet that software is safe just because the source code is available is flatly a stupid idea. 99% of users for any piece of software will have no idea what they are looking at and are incapable of vetting it. Have you vetted manually chromium, vlc, firefox, vscode etc?
Publishers on PPAs don't test against every distribution, and if they publish a package or dependency that breaks system libs than users are stuffed. Users would have little recourse. I doubt every ppa owner tests 14.04, 16.04, 18.04, 20.04 and 20.10 builds to check their ppa won't break anything.
>If we talk about the past and present, there has been no malicious attacks (or in number so small, that it's hard to find reports). So much for the "worst of the worst".
Which has inspired both RedHat and Canonical to try and move towards flatpaks/snaps instead? The reason malicious attacks aren't there is because ppas aren't that popular because for good reason people tend to main repos.
Already on snap there was evidence of people bundling a cryptominer that was detected by Canonical. You think nobody has ever attempted to build/publish malware through ppas? Please.
>If we talk about the future, there's no reason why a web of trust can't be built. "To reiterate", lots of PPAs are official, including the OpenJDK one, so if the PPAs approach happened to get traction, it'd be really a matter of software authors to build their own or to appoint somebody to do.
My web of trust is purely Canonical. I chose it when I downloaded their OS. I trust their repos and snap store. I don't need to trust random Russian PPA for any reason. If a dev wants to publish something newer, put it on the snap or flatpak store or I won't use it.
PPA (personal package archive) is the Ubuntu name, but other distributions make it possible to do the same. The system is a way to distribute packages through the package manager, and repository metadata is hosted centrally.
Fedora has such repositories (RPM Fusion, Copr). Arch does, too (AUR). Other distributions, including Debian, can use them as well, so long as there exists a community.
I would not really call RPM Fusion a PPA - it's basically a repo with packages that are inherent not open source or patent encumbered and can't thus be in regular Fedora repos (and Copr actually). Otherwise the community maintains it to a very similar standard as the regular Fedora repos.
Compared to that Copr is a real PPA where you can build stuff into personal repo (as long as its built from source, licensing is fine & the thing is not patent encumbered).
It is a completely different approach, instead of sandboxing potentially malicious software, prevent it from getting into your machine, this approach works for open-source only.
Most popular distors provide similar stuff to PPA, the AUR in Arch for example.
This is the perfect and not possible territory. Even with full access to the source, you can't be sure if it's malicious, or if it can be made malicious at runtime.
It's a totally different concern. I don't understand how PPAs and similar distribution approaches (i.e. native packages with hosted build systems) are getting mingled with flatpak and/or snap sandboxing objectives.
You can distribute open source software via flatpak or snap. And you can create a build system that takes open source software as a source and creates a flatpak or snap distribution.
It's totally possible to hide a backdoor in an open source software.
A working sandbox will prevent certain attacks to your system, whether it was built from an open source or not. This already works on most (all?) mobile operating systems.
when was the last time you fully audited a ppa? Like the source, that it builds from the canonical source, all patches it applies, all install scripts it packages and all changes it actually does? The trustworthiness of the ppa author. I know that I at best do cursory checks based on the reputation the author or the source linking to the PPA have, but I'm aware that this is a honor based system, and open source is practically irrelevant to that.
OpenSource doesn't prevent CVEs that allow attackers to take over anyway.
What If you install script has a bug that lets an attacker place arbitrary SUID binaries? Or it has a bug that deletes your entire system (Steam had this bug and the script was open and available, they weren't the only ones either).
PPAs? You get the source and the build and it's all open...
I mean, Launchpad could be modernized and brought to the 21st century but all the functionality is there. I'd love to hear arguments against it though :)
AppImage has a feature that neither Snaps nor Flatpak do: You don't need a repository or special manager for them to work. You can literally just take the AppImage file to (almost) any Linux Desktop on a thumb drive and run it.
Provided that the application inside the AppImage is built in a portable way, for which AppImage provided zero support whatsoever, last time I checked.
FlatPak has Runtimes/SDKs for this, Snap has the one true Canonical-controlled base snap.
