this post was submitted on 21 Jan 2024
30 points (76.8% liked)

Linux

48040 readers
1300 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

The title says it all. I would like to know what software you have in a flatpak. If you want to include your reasoning, go ahead.

all 32 comments
sorted by: hot top controversial new old
[–] beta_tester@lemmy.ml 19 points 9 months ago (1 children)

What's the reasoning behind your question?

Every graphical app of course unless there's an issue with packaging or any other problem.

[–] CuttingBoard@sopuli.xyz 6 points 9 months ago (2 children)

I just wanted to know. For example: tumbleweed comes with firefox, do people uninstall it and reinstall it in a flatpak? The question comes from curiosity.

[–] henfredemars@infosec.pub 4 points 9 months ago* (last edited 9 months ago) (2 children)

Yes. I removed Firefox and installed the flatpak version because it's a little more secure.

EDIT: it might not actually be more secure, but it doesn't appear to be less secure based on how I read the information in the replies.

[–] million@lemmy.world 2 points 9 months ago* (last edited 9 months ago) (3 children)

Is that due to flatpak sandboxing?

Edit: it’s interesting, this repo is saying the opposite, https://github.com/trytomakeyouprivate/Recommended-Flatpak-Apps/blob/main/Apps/Browsers.md

The Flatpak Sandbox restricts the Browsers abilities to isolate the processes from another, and also valuable internal data like your history or passwords.

Edit 2: since folks are asking further details are linked in the article. Keep in mind I am not personally making these claims, I am in learn mode just like a lot of other folks.

From https://seirdy.one/notes/2022/06/12/flatpak-and-web-browsers/:

When distributing browsers through Flatpak, things get a bit…weird. Nesting sandboxes in Flatpak doesn’t really work, since Flatpak forbids access to user namespaces

[–] henfredemars@infosec.pub 2 points 9 months ago* (last edited 9 months ago) (1 children)

I am not so sure this really establishes that Firefox in a Flatpak is less secure. From the linked bug:

You lose the namespace isolation, and by extension the chroot, but that's it. It's definitely nice to have, but to say it's "most" of the sandboxing seems a misrepresentation. Note that some distros disable the kernel support for them by default, so that's what they currently get regardless of Flatpak.

It might be more accurate to say that some per process isolation features don't work because flatpak uses them to isolate Firefox from the rest of the system. This could make it easier to smuggle data between processes in Firefox. It reads like a trade off to me and the impact depends on your security model -- whether you value interprocess isolation more than isolation between the app and the system.

Either way, interesting find! I didn't know some of Firefox's sandboxing is precluded by the Flatpak sandboxing. I edited my comment to dispell the claim that it's more secure.

[–] million@lemmy.world 2 points 9 months ago (1 children)

Yeah as they said it’s complicated, but in an unintuitive way more sandbox of apps can lead to apps being less effective at sandboxing themselves. Which, like you said, can be good bad or neutral depending on your threat model.

Personally I am leaning towards not using browser in Flatpaks since I trust the browser to sandbox itself. Not the position I started from initially where I would have assumed more sandboxing is a uniformly good thing.

[–] henfredemars@infosec.pub 2 points 9 months ago

Much respect for the discussion. I learned things.

[–] milicent_bystandr@lemm.ee 2 points 9 months ago

Huh, that is very interesting

[–] henfredemars@infosec.pub 1 points 9 months ago* (last edited 9 months ago) (1 children)

This resource makes a claim but presents nothing to back it up. I would like to learn more.

[–] dino@discuss.tchncs.de 2 points 9 months ago (2 children)

This is not true. Also this is shepherding to a false definition of security.

[–] million@lemmy.world 2 points 9 months ago (1 children)

You should probably read the included details if you haven’t and address those points directly. I’d love to know what is wrong about the problems they have described.

[–] dino@discuss.tchncs.de 1 points 9 months ago

Did you think I was referring to your post? Because otherwise I don't understand what you are aiming at.

[–] henfredemars@infosec.pub 1 points 9 months ago
[–] the_postminimalist@sh.itjust.works 18 points 9 months ago

proprietary software that I don't trust, or programs that aren't on zypper

[–] henfredemars@infosec.pub 16 points 9 months ago (1 children)

I use flatpak for virtually everything because sandboxing your applications from each other and from your private data is a great idea to improve your system security. This helps prevent one compromised app from taking actions that affect the rest of your system.

For example, I have the VLC flatpak and used flatseal to revoke internet access because I only use it to play files. If a file tries to exploit VLC, it will not be able to upload any data or communicate with the attacker's servers. I revoke any permissions my apps don't actually need.

There are a few exceptions though. I run development and administrative tools directly because I do actually want unrestricted access to the system for these apps.

[–] banazir@lemmy.ml 14 points 9 months ago

I like Bottles. Makes Wine less of a hassle.

[–] Lojcs@lemm.ee 11 points 9 months ago

The one that causes dependency version conflicts when installed normally

[–] Pantherina@feddit.de 11 points 9 months ago (1 children)
[–] Akip@feddit.de 1 points 9 months ago (1 children)

I would say the comment for mullvad browser just to use librefox is dangerous and wrong, the no script from mullvad browser served me well by exporting it to other browsers even to mobile.

[–] Pantherina@feddit.de 1 points 9 months ago* (last edited 9 months ago)

There is no Librefox, its Librewolf ;D

Noscript is an extension that can be installed on all Firefox Desktop Variants, Chromium Desktop, Brave Desktop (and many more Desktop Chromium browsers) as well as all versions of Firefox for Android. Possibly also Kiwix, which is some hacky Desktop Chromium for Android.

[–] jokro@feddit.de 7 points 9 months ago

Element(Matrix Chat Client) because it's not in the repos.

[–] MyNameIsRichard@lemmy.ml 5 points 9 months ago

DBeaver because it's not in the repos or obs

[–] zingo@lemmy.ca 1 points 9 months ago

"Core apps" are better on baremetal for seamless system integration.

Just use flatpaks for everything else.

[–] dino@discuss.tchncs.de 0 points 9 months ago (1 children)

Never use flatpaks for stuff available in your packet manager...

[–] Jonnsy 10 points 9 months ago (2 children)

Why not aren't flatpaks safer. I removed firefox on tumbleweed and installed the flatpak because its updated faster.

[–] RageAgainstTheRich@lemmy.world 1 points 9 months ago

You're right. Don't listen to the dumbdumb.