symaxian 3 hours ago

Sand-boxing such as in Snap and Flatpak?

troad 3 hours ago

Notoriously not actually secure, at least in the case of Flatpak. (Can't speak to Snap)

Not sure how something can be called a sandbox without the actual box part. As Siri is to AI, Flatpak is to sandboxes.

FergusArgyll 2 hours ago

Doesn't it use bwrap under the hood? What's wrong with that?

okanat an hour ago

Many apps require unnecessarily broad permissions with Flatpak. Unlike Android and iOS apps they weren't designed for environments with limited permissions.
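
The broad-permissions point above can be checked per app. The following is an added example, not part of the thread and not Flatpak's own code: it parses the keyfile text that `flatpak info --show-permissions <app-id>` prints and flags grants that widen the sandbox. The sample metadata is constructed, and the shortlist of "broad" values is a reviewer's assumption, not an official list.

```python
import configparser

# Constructed sample in the keyfile format printed by
# `flatpak info --show-permissions <app-id>` (not a real app's metadata).
SAMPLE_METADATA = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=host;xdg-download;~/.config/example:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
"""

# Context values that substantially widen the sandbox (assumed shortlist, not exhaustive).
BROAD = {
    "filesystems": {"host", "host-os", "host-etc", "home"},
    "devices": {"all"},
    "sockets": {"x11", "session-bus", "system-bus"},
}
# Session-bus names whose access effectively removes the sandbox boundary.
ESCAPE_BUS_NAMES = {"org.freedesktop.Flatpak"}


def audit_permissions(metadata_text):
    """Return sorted (key, value) findings for sandbox-weakening grants."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep D-Bus names case-sensitive
    parser.read_string(metadata_text)
    findings = set()
    if parser.has_section("Context"):
        for key, broad_values in BROAD.items():
            raw = parser.get("Context", key, fallback="")
            for item in filter(None, (v.strip() for v in raw.split(";"))):
                # "host:ro" still exposes the whole tree for reading;
                # negated entries such as "!host" revoke a grant and are skipped.
                if item.split(":", 1)[0] in broad_values:
                    findings.add((key, item))
    if parser.has_section("Session Bus Policy"):
        for name, access in parser.items("Session Bus Policy"):
            if name in ESCAPE_BUS_NAMES and access in {"talk", "own"}:
                findings.add(("session-bus", f"{name}={access}"))
    return sorted(findings)


if __name__ == "__main__":
    for key, value in audit_permissions(SAMPLE_METADATA):
        print(f"broad grant: {key} -> {value}")
```
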

jacobgkau 3 hours ago

The XDG portal standards being developed to provide permissions to apps (and allow users to manage them), including those installed via Flatpak, will continue to be useful if and when the sandboxing security of Flatpaks is improved. (In fact, having the frontend management part in place is kind of a prerequisite to really enforcing a lot of restrictions on apps, lest they just stop working suddenly.)

nextos 3 hours ago

Snap and Flatpak do both sandboxing and package management.

You can use the underlying sandboxing with bwrap. A good alternative is firejail. They are quite easy to use.

I prefer to centralize package management to my distro, but I value their sandboxing efforts.

Personally, I think it's time to take sandboxing seriously. Supply chain attacks keep happening. Defense in depth is the way.