Thread 106474039

Pros:
>Strong sandboxing/isolation improves security.
>Widely supported across major distros (especially Fedora, GNOME-based distros).
>Uses Portals apps can request access to files, devices, etc. in a controlled way.
>Good integration with desktop environments.
>Flathub is a central, well-maintained app store with lots of apps.
>Auto-updates supported.

Cons:
>Flatseal has the potential to change the permissions of other flatpaks at will. Essentially, a flatpak with the ability to change the permissions of other flatpaks. It is rendered to be "Potentially Unsafe" with "Arbitrary Permissions" with access to "User Data" subfolder flatpak/overrides, Can read and write all data in the directory" and "Arbitrary Permissions, Can acquire arbitrary permissions".
>Larger disk space usage (apps bundle runtimes + libraries).
>Slower startup compared to native apps (sandbox overhead).
>Strong desktop focus not ideal for CLI/server software.
>Relies heavily on Flathub (centralization concern).

Essentially, Flatseal is a flatpak with the potential to manage user overrides stored in ~/.local/share/flatpak/overrides. Therefore, it may be safe to assume, out conclude that any flatpak can be coded to behave this way. Why does /g/ recommend flatpaks?

>>106474039 (OP)
The problem with flatpak is it got no software.
It's still to hard to develop a flatpak it should be as easy as an appimage.

There's no centralization concern. Hundreds or thousands of packages maintained by a handful of package maintainers for each distro is way more centralized than flatpaks maintained by individual developers. You also don't need to get them from Flathub, but Flathub adds another layer of vetting. Main advantage to Flatpaks imo is getting software straight from the devs and getting the latest version of software.

>>106474039 (OP)
they're applications, not apps

>>106474039 (OP)
>Essentially, Flatseal is a flatpak with the potential to manage user overrides stored in ~/.local/share/flatpak/overrides. Therefore, it may be safe to assume, out conclude that any flatpak can be coded to behave this way. Why does /g/ recommend flatpaks?
Because other flatpaks don't get permission to change that.

>>106474151
>getting software straight from the devs and getting the latest version of software.
Rarely they're made as one because it's hard to make, that's why it's more common to see appimages. also, does flatpaks support distrobution that isn't a repo? like an file like an msi?

>>106474181
>Rarely
Guess it depends on the software you're using. Firefox flatpak for example comes straight from Mozilla.
>that's why it's more common to see appimages
Flatpak seems more popular but I don't have any hard numbers. AppImages are nice too.
>does flatpaks support distrobution that isn't a repo?
Yeah you can install a flatpak from a .flatpak file.

Bump
Are appimages better than flatpaks in terms is security and privacy?

>>106474254
>Are appimages better than flatpaks in terms is security and privacy?
No. It doesn't have sandboxing, it's better for the developers as it takes just 5 minutes to build an appimage with little to no documentation, this is always something the Linux community doesn't get, people want to wing it.

>>106474039 (OP)
Flatpak exists only to introduce, enforce monetization on Linux ecosystem. They already started procedure and if you think flatpak can be free you are delusional.

>>106474039 (OP)
D U D E
JUST LIKE
RUN A VM INSIDE A VM INSIDE A VM

>>106474290
not me. I'm all into the security and privacy aspects of linuz, so sandboxing is of great interest to me. thanks for clarifying. another question and I'm not. so do flatpaks and flatseal like OP mentioned eliminate the need for firejail and apparmor?

>Cons:
>>Flatseal has the potential to change the permissions of other flatpaks at will. Essentially, a flatpak with the ability to change the permissions of other flatpaks. It is rendered to be "Potentially Unsafe" with "Arbitrary Permissions" with access to "User Data" subfolder flatpak/overrides, Can read and write all data in the directory" and "Arbitrary Permissions, Can acquire arbitrary permissions".
That doesn't make it any more unsafe compared to native packages from distro repos which lack the concept of sandboxing completely. At least Flatpak **can** be sandboxed.
This is a nothingburger. You're a concern troll.
>>Larger disk space usage (apps bundle runtimes + libraries).
Disk space is cheap. Slighly more disk space usage is nothing compared to the advantages of a truly universal application packaging format. No one cares if Flatpak takes 1 or 2 more GB of disk space. Why does this even matter so much to you, huh? Afraid that you will run out of disk space to store all your pedophilic porn?
This is a nothingburger. You're a concern troll.
>>Slower startup compared to native apps (sandbox overhead).
This doesn't happen. Werks on my machine. You're a concern troll.
>>Strong desktop focus not ideal for CLI/server software.
Use Toolbox for CLI/server stuff.
This is a nothingburger. You're a concern troll.
>>Relies heavily on Flathub (centralization concern).
Flathub is not controlled by any company or any single entity unlike the Snap Store which is closed source and under the control of the evil company known as Canonical. Flatpak and Flathub belongs to the community.
This is a nothingburger. You're a concern troll.

>>106474359
>No one cares if Flatpak takes 1 or 2 more GB of disk space. Why does this even matter so much to you, huh?
you're on a website where people flip their shit if the OS uses their unused RAM for caching.

>>106474348
>flatpaks and flatseal like OP mentioned eliminate the need for firejail and apparmor?
>apparmor
No, apparmor is similar to SELinux it has a completely different purpose to the one that flatpak permissions have.
>Firejail
I don't know, i don't use it, but is typically mentioned with appimages.

>>106474359
Holy TRVTH nuke batman. Why do retards like this react to sandboxing this way? Same with GrapheneOS.

>>106474039 (OP)
>Strong sandboxing/isolation improves security.
meaningless empty words, marketing slop for clueless investors and thinkertrannies
>Widely supported across major distros (especially Fedora, GNOME-based distros).
Only GNOME-based or bending to GNOME Mafia crowd, unportable garbage and doesn't play nice with WMs.
>Uses Portals apps can request access to files, devices, etc. in a controlled way.
Reinventing the wheel again award. Selinux/Apparmor already exists since at least two decades now. OpenBSD's unveil did it with 100 times less code.
>Good integration with desktop environments.
...that do not go against the GNOME Mafia
>Flathub is a central, well-maintained app store with lots of apps.
Fake and meaningless words once again. It takes me seconds to find examples of unofficial packages even lead devs advice against (e.g. Librewolf & anki, last time I cheeked those apps that i wanted, ended up installing them following main devs advice.)
>Auto-updates supported.
Unimpressive but ok.

Flatpak sandbox seems to interfere with browser's native sandboxing

https://discuss.privacyguides.net/t/does-flatpak-weaken-chromium-firefoxs-sandbox/13373

I want you be and to sandbox all applications and programs in my Linux Mint OS, and dictate what applications use specific network devices. For example I have qbittorrent that can do this easily, by determining which network interface to use. I have 2 nic cards and a WiFi card and all of them are connected to 3 different routers with 2 connected to routers with access to different Internets. How do I get, for example, librewolf to run using the 2.5Gb connection and prevent one interface from overriding the other? How do I allow Freetube to use 1Gb/s connection and Jellyfin server to run on the WiFi LAN connection?

>>106474762
I want to be able to tell an application which network interface to use. How can I do this in Linux Mint?

Generally speaking, the advantages of Flatpaks are:
>The developers only need to maintain and release one version
>It's sandboxed, for each app you can decide which parts of your filesystem are exposed, which env variables, which types of inter-process communications, etc
>You kinda avoid dependency hell. You can use old unmaintained packages because Flatpak will provide old versions of their dependency if they're needed, while at the same time avoiding unnecessarily duplicated packages
>All installed apps are in your .var folder instead of being system-wide. Every app has its own folder with its own .config and .local/share inside, with their respective config files and data
>It supports partial updates
>It doesn't require root permissions to use
>It lets you use the most recent software even in really old LTS systems like Debian, and the Flatpaks updates are usually as quick as rolling release distros
>You don't need to abuse PPAs or the AUR
>It makes your system updates actually faster since you'll have less system packages, and you'll be able to update your big apps separately

I may be missing some, but those are the most important to me

>>106474800
Flatpak apps apps do write to the proper XDG paths (it's an allowed path outside their sandbox*). Only apps that abuse the XDG file system get their files yeeted away to /var.

* Not by default but pretty much always

>>106474704
ENTER
https://github.com/refi64/zypak
My nigga Refi64 solved that shit ages ago boi

>>106475167
https://discuss.privacyguides.net/t/dont-link-to-braves-flatpak-desktop-browsers/27064

>>106474039 (OP)
>Strong sandboxing/isolation improves security.
Potentially strong sandboxing, if you lock almost everything down ... and that includes a ton of stuff which is designated as "safe" by flathub.

https://github.com/flathub-infra/website/issues/4730

Nothing should be designated safe without an exhaustive audit ... that's not what's happening. Making a sandbox actually strong while still allowing good desktop integration using existing KDE/GNOME APIs is a billion dollar project, it's just too much work.

>>106475290
PS. all those dbus APIs for desktop integration are also fragile as hell and shit will break. Dependency hell is still unavoidable.

>>106474181
yeah, you can do that. very unpopular though

>>106475420
>very unpopular though
Who the fuck cares, that's how developers want to publish software, this is the "sideloading" argument again.

>>106475441
I thought you wanted to be on the receiving end and I just pointed out that this is a thing so uncommon that I never saw it in the wild.
If you want to publish your own app as a standalone flatpak, ofc you can do whatever

>>106474039 (OP)
Snaps are better.

>>106475538
said no one

>>106474039 (OP)
Luv me Flatpak. Means a basic working linux system is as set-and-forget as you can get.

>>106474039 (OP)
>Pros
Lets me install Discord on my distro.
>Cons
Discord is on my computer computer.

Fr though I only use it for proprietary software and stuff with massive amounts of dependencies. It’s good for that but everything in that list is something I wish I had an alternative to.

>>106475187
>privacyguides
lol
lmao even
next ya will tell me that you watch techlore
top kek

>>106476080
https://brave.com/linux/#flatpak

what is the point of any of this? i'm just going to keep using snaps in ubuntu.

>>106476109
>brave
lololol

>>106476109
That's just them covering their ass. Flatpak is safer than distro packages. It's proven. It's a fact. Flatpak won. Flathub won. GNOME won. GNOME gang won. Simple as.

>>106476184
https://bugzilla.mozilla.org/show_bug.cgi?id=1756236

>>106475861
Why not just use vesktop

>>106476195
So work is being done but instead of helping them you are bitching about it? Classic FOSS entitlement.

I'm surprised with how Linuxfags entirely failed with AppImages, which are basically portable executables. All you had to do is to make something like Scoop on Windows to distribute them, but somehow Flatpaks took ever.

>>106474359
>You're a concern troll.
stop using newspeak you fucking faggot
>At least Flatpak **can** be sandboxed
flatpak is always sandboxed, it seems both you and OP are fucking faggots and don't realize flatseal is not in any way special than any other app, it just has permission to access ~/.local/share/flatpak by default. if you reject that permission it won't work. there's nothing special about flatseal.
>Larger disk space usage (apps bundle runtimes + libraries).
this is a real issue. it's not 1 or 2 GB but more like 5 or 10 if you have a decent (5+) number of apps. why would i install flatpak when the same distro package is 20 MB instead of 1 GB of app runtime + all the libraries it needs in retarded container format.
and since all that shit needs to be updated, flatpak rapes your drive with write amplification for shit you already have from your distro packages, not to mention updates take 10x as long
>Toolbox
gayest shit i've ever seen. im not using fucking containers for every CLI
>Flathub
the main problem i have with flathub is if it ever goes offline you're fucked, gotta wait until it's back up. it's impossible to mirror because of its faggot ostree protocol. whereas any other distro, lets you easily mirror their packages (and they ARE mirrored to hundreds of places) so it's never down
another problem is good fucking luck patching a package or modifying its resources in some way. if you need to use a fork or add some patch yourself, you have to set up their whole fucking retarded build pipeline and keep that shit in sync. with distro package managers you just use a .patch file. that's all you have to maintain.
if you really need sandboxing just use normal bubblewrap faggot. you don't need sandboxing for every single fucking thing you use, only for your browser and maybe steam. the former is already heavily sandboxed even without flatpak. you're retarded for using sandboxing on your text or image editor, or music player. that's the real truth nuke.

>>106476193
>https://forum.vivaldi.net/topic/33411/flatpak-support/191
>"ah yes, let me replace my browser's sandbox from userns developed by an entire team to some random ass github project by 1 guy on the internet"
fucking retard
>Flatpak won. Flathub won. GNOME won. GNOME gang won. Simple as.
and a faggot as well
>Flatpak is safer than distro packages.
the packages are not safer in any way, it's only "safer" because the runtime uses bubblewrap which, guess what, you can use on any binary and not just flatpak

>>106476195
>trannyfox
holy kekola

>>106476397
kek look at this retard everyone
look at him laugh
lmao

>>106476505
I'm not bubblewrapping my native distro packages you fucking retard. Go and shove your precious Gentoo up your anus if you want to tinker that much. I use Flatpak because the GNOME slaves do everything for me. And it is literally free. They are my slaves. I'm going to make use of their free services. Simple as. Oh, and Refi64 mindraped ya! He is my nigga. He knows his shit. A monkey like ya wouldn't understand.

Flathub motherfuckin' won. This is a fuckin' war. We are the GNOME gang and we are not playing around here. This ain't a joke to us, this is our life. Flathub is ours. Wayland? Ours. Got a protocol we don't like? We will NACK ya!

>>106476264
Blame Probono. He killed his own reputation and killed Appimages in the process.

>>106476201
>>106475861
or at least discord in your flatpak'd browser

>>106474222
>from a .flatpak file
You still need a repo to get the runtime.

>>106475538
Same

>>106474151
>Main advantage to Flatpaks imo is getting software straight from the devs
1. Downloading source code and building yourself is also "straight from the devs"
2. Devs can and often do use old runtimes to not break stability, which leads to out of date and duplicate libraries
>>106474359
>This doesn't happen. Werks on my machine. You're a concern troll.
Sandboxing necessarily adds overhead and makes programs slower
Just because you're a Boomer who's brain works too slowly to notice, doesn't mean it isn't real
>>106474222
>Firefox flatpak for example comes straight from Mozilla.
Mozilla also provides tarballs with portable binaries

>>106474039 (OP)
Flatpak sounds like a homosexual sex position or some weird shit like that.

Useless bloat for script kiddies

>>106479792
>1. Downloading source code and building yourself is also "straight from the devs"
Sure but that's inconvenient and doesn't autoupdate.
>Mozilla also provides tarballs with portable binaries
They don't autoupdtae.

I'm not installing flatpak.

>>106479792
>UH HUUURR JUST BUILD FROM SOURCERINO
No. Fuck off. Flatpak is better. Go use Gentoo and keep waste your life like the tinkertranny you are. Flatpak is for high IQ chads.
>SANDBOXING ADDS OVERHEAD!!!
It's not my fault you are a poorfag who is still running a two decade old Thinkpad. I am rich. I have a modern PC. I don't notice any "overhead".

>>106481443
Why not? It's completely sandboxed

>>106479941
>Flatpak sounds like a homosexual sex position or some weird shit like that.
It's a swedish word.
https://www.ikea.com/ph/en/this-is-ikea/about-us/the-story-of-ikea-flatpacks-puba710ccb0/

>>106474039 (OP)
I posted the reply for this when you asked a couple days ago the red pill on Flatpak

I used AI (artificial intelligence) to generate it because I'm a lazy fuck

Why are you, an AI (actual Indian), now reposting it and still asking about this shit?

>>106474039 (OP)
I posted the reply for this when you asked a couple days ago the red pill on Flatpak

I used AI (artificial intelligence) to generate it because I'm a lazy fuck

Why are you, an AI (actual Indian), now reposting it and still asking about this shit?

>>106474039 (OP)
>>106481677
Like what's your angle and end goal here, actually?

>>106474039 (OP)
>>106481677
Like what's your angle and end goal here, actually?

>>106481690
>>106481677
fucking bot

The problem with Flatpak is 2GB installs for 60MB applications.

>>106481730
Yeah but how do you sandbox distro applications?

>>106481741
Why would I sandbox them?

>>106481715
Not a bot gay boy, but I suspect OP definitely is for regurgitating my LLM regurgitated slop reply

>>106475538
People keep telling me snaps are good now, including people that used to hate them. I need to look into it

>>106481785
The only criticisms people are able to muster up are:
>slow to open
has been fixed
>closed source backend
fair enough. Most people just don't care tho, me included
>Ubuntu forcing them down my throat reee
So is Fedora with flatpak, but nobody whines about that. The whole firefox thing was prompted by Mozilla, not Canonical. It is a giant pain in the ass to keep a browser in LTS repos, so Mozilla wanted a containerized format on Ubuntu.

In summary: Snaps had a few pain points which have been addressed. Now they are very good (better than Flatpak; stuff like drag and drop works seamlessly unlike Flatpak).Ideologues will still hate it because of muh corporation and muh closed source backend.

>>106482040
You may be right with all you said. But...here is the thing though. You have to understand this. Now listen up.

Flatpak won. Get it? Do you understand? Flatpak won. This was a war and Flatpak simply won. No, seriously. This is very important. No, no, really. Listen to me. Flatpak won. Nobody uses Snap. Meanwhile Flathub has passed over 3 billion downloads. Proof? Here https://flathub.org/statistics.

Even Jordan Petridis says that Flathub won.
https://youtu.be/NxOH4wJkfLY

Nobody likes a sore loser. Nobody. And that is what Canonical is. Snap lost. Canonical will eventually kill it and have it join the grave of their other failed projects like Mir, Unity and whatever the fuck. And then Canonical will jump on the Flatpak bandwagon too. That's not a prediction. That's a spoiler. I can see the future.

Stop packaging GUI applications in distro repositories. Stop distributing GUI applications as Snaps and AppImages. Flatpak and Flathub are the winners.

Sure, you can go on and use your little hipster thingy along with a protest distro that stray away from the norm. I mean after all, people still cry about systemd to this day, haha. But systemd won the war. It's a fact. If you are a Linux user in 2025 and you start ranting against systemd, nobody will take you seriously. That's how it is with Flatpak now. Flatpak won. It's that simple. It's really that fucking simple. Flatpak won the packaging wars.

>>106482140
>Nobody uses Snap
ubuntu

>>106482140
Nope, the war isn't over, all it takes is for Ubuntu to convince people like Microsoft to port office or something to it and they killed flatpaks just like that.

>>106481767
Yeah you're a bot alright. Programmed with buzz words

>>106474039 (OP)
>sandboxing
STOP LYING https://archive.vn/Ng7OE

>>106482140
>Nobody uses Snap
You really underestimate the adoption of Ubuntu vs anything else on the desktop

I implore you to support AppImage

>>106474039 (OP)
I don't give a fuck about anything other than the fact that it's a universal and stable platform for Linux which completely avoids dependency-hell and completely avoids the shithead distro maintainers from being the only software publisher on a given distribution.

>>106482040
>So is Fedora with flatpak, but nobody whines about that.
That's because fedora's package manager doesn't hijack the user and use flatpak behind the scenes. "apt install firefox" is silently rewritten into "snap install firefox".
Also, snapd (last time I used it) was always auto-updating in background with no ability to stop it.
These are the reasons people claim "Ubuntu forces snaps".

And last time I used snaps they were quite outdated compared to flatpaks and homebrew. For example, the k9s snap package is even today severely outdated compared to brew. A version from 2023? Jesus fuck, the whole point of these universal formats is to keep your software updated and avoid the usability-hell caused by LTS distros.
The only reason why a person should ever use Snaps is if they don't know how to uninstall and disable snapd.

I will not support RedHat
I will not support Fedora
I will not support IBM

>>106482963
By using their OS and not contributing anything back you're doing the opposite of supporting them because you're constantly leeching their bandwidth when installing/updating.

>>106474039 (OP)
>Pros:
>>Strong sandboxing/isolation improves security.
devs must opt-in
>>Uses Portals apps can request access to files, devices, etc. in a controlled way.
devs must opt-in
>>Good integration with desktop environments.
afaik, it downloads org.gnome/kde.Platform to resolve ui toolkit deps. I wouldn't call that integration.
>>Flathub is a central, well-maintained app store with lots of apps.
Repackaged snaps and "community" maintained packages isn't exactly something to brag about.
>>Widely supported across major distros (especially Fedora, GNOME-based distros).
>>Auto-updates supported.
and? that's bare minimum
>>Flatseal has the potential to change the permissions of other flatpaks at will.
the concept of the user altering/revoking permissions is nice.
>>Slower startup compared to native apps (sandbox overhead).
Flatpak is close to native. Much better than loop device trash like AppImage and Snap
>>Strong desktop focus not ideal for CLI/server software.
>>Larger disk space usage (apps bundle runtimes + libraries).
true
>Relies heavily on Flathub (centralization concern).
this is utter bs since you can add your own repo. I even have to add flathub manually.
this argument is against Snaps, not flatpak

>>106482991
Not really fedora users are just beta testers for RHEL, the moment you say something about a bug or whatever you're contributing to redhat

>>106483046
So just don't say anything about any bugs

>>106479792
>1.
No, because it wasn't compiled in the same environment and you'll not be using the exact same library versions the dev used, leading to unstable software.
>2.
That's a good thing.

>>106482140
holy based trvke kino
jordan petridis is a gigachad

>>106482140
Snaps are better for apps that don't work well sandboxed, like VSCode.

>>106484676
That sounds like a problem with those apps like VSCode then. This is not a Flatpak issue. Simple as.

>>106482140
I think Flatpaks and AppImages can coexist peacefully. Snap can die though

>>106484737
Holy cope.

>>106484676
>>106484774
VSCode flatpak runs fine. The VSCode devs are just retarded and so are people who are packaging it.
You have to tinker with it for 15 minutes before it can actually fully integrate with your system like the native or appimage versions do. Pretty much everything you have to do to make it work is something that the flatpak version could do by default.
>cope
The fact is that it can be configured to work. VSCode devs and whoever is packaging the flatpak version just don't give a shit. It's not a priority.

>>106474039 (OP)
>Strong sandboxing/isolation improves security
Bullshit that makes things less convenient and poses no real defense against malicious software (Which wouldn't be on your machine in the first place you retard)

>>106484812
>needing to tinker with it just to get the integrated terminal working
>still can't access system files with it
Yeah, I would rather use the snap, thanks.

>>106484907
>still can't access system files with it
you're retarded

>>106484919
>noooo it's unsafe to use vscode to access root files because...... it just is ok???

>>106474348
You can sandbox appimages too with firejail.

>>106484941
Read >>106484812 again. You can give it access to anything you want.

I wanted to release my organization's applications as a flatpak but it was insanely confusing and involved so I gave up.

>>106474359
>At least Flatpak **can** be sandboxed.
stop lying, kike >>106482511

>>106482991
You are promoting their software for free, useful idiot, fucking cattle.

>>106484973
I'm pretty sure filesystem=host still doesn't give you access to literally everything in the system, as you would want your text editor to have.

>>106485010
What can't it access specifically that you really need?
>as you would want your text editor to have.
In 99% of cases you don't want a text editor, or almost any app, have access to your system unless you specifically enable/allow it.

>>106485030
What I'm saying is that Flatpaks can't have it even if you allow it.
The VSCode snap will be able to access anything (as long as you have the root password ofc).

Take the immutable pill

>>106485049
Well, I'm saying you're wrong because my dev machine uses the flatpak version of VSCode and I have access to my system libraries and binaries.

>>106474039 (OP)
Flatpak is gay because it can't install programs offline. If you download a .flatpak file you won't be able to do anything with it without connecting to their servers.

>>106485177
>libraries and binaries
I'm talking about text files.
Also, you shouldn't need to do any modifications to get those in the first place. Just use the Snap.

>>106474359
>dude you're a pedophile if you don't want calculator.sh taking up 2GB
Really?

>>106480401
>>Mozilla also provides tarballs with portable binaries
>They don't autoupdtae.
Actually looks like they do? Maybe this is the superior way to use Firefox after all. Straight from firefox, sandbox not gimped by Flatpak, autoupdates. Have to confirm this autoupdate thing though.

>>106485196
>you shouldn't need to do any modifications to get those in the first place.
tell that to VSCode devs, it's their fault you have to do this
>Just use the Snap.
No, it's objectively shittier

>>106485457
The snap is objectively better in every single way, anon.

>>106485474
Aside from these issues >>106482911, snap also can't run on immutable distros. Instantly unusable.

>>106482911
All either fixed or non-issues.
>>106485534
Use normal distros?

>>106486071
>non-issues
Cope.
>Use normal distros
No thanks, they all suck ass.

>>106485430
It does autoupdate. In fact it's so annoying about autoupdating that I use a workaround to make it NOT autoupdate.

>>106474039 (OP)
Bot post

>>106474039 (OP)
Flatpak doesn't have good enough sandboxing. For example it doesn't clear graphics buffers when allocating graphics memory when it has been freed by another program. This allows you to get the frame of other applications or the screen. You can even get the frame that was used by windows if you dual boot and reboot.
Almost all major flatpaks, the ones that are the most popular need user home directory read/write access, which allows them to install LD PRELOAD malware to inject malware into all of your applications, and it can even be used to overwrite sudo to install malware to your root user and run it as root.

>>106487222
Shut the fuck up retard. You copied all that shit from ChatGPT. Your precious distro packages aren't sandboxed either. You are such a fucking moron and you clearly know nothing. Just fuck off you AI-jeet.

>>106486720
Fag post. Kys

>>106487247
>false advertisement gets called out
>REEEEEEE THE ALTERNATIVE THAT DOESN'T EVEN ADVERTISE ITSELF IN SUCH A WAY DOESN'T DO IT EITHER
lmao kys shill

flatpaktards are really the ubuntards of this era
>>106429027

>>106481578
>It's a swedish word.
So it is gay.

>>106487247
A false sense of security is worse. If you want to do security then do it properly. You didn't argue with any of my points.
>W-what about!!
Yes, without flatpak in regular distros you also have security issues, nobody said you don't.

>>106482040
I'm using Kubuntu and I have some snaps installed and I use them
>>slow to open
>has been fixed
not really, they'll never be faster than native apps
>>Ubuntu forcing them down my throat reee
>So is Fedora with flatpak, but nobody whines about that.
It doesn't matter, it's against GNU philosophy. Fuck Canonical and fuck Redhat for doing that. If they're making money from selling services around their operating systems, why can't they at least make an effort to keep stuff libre? We already have a Microshit and Crapple

>>106492482
>they'll never be faster
I meant as fast, not faster

>>106490143
Fuck off faggot

>>106492482
>oh no, the app I am going to have open for hours on end takes 1 sec to open instead of 0.25 sec to open

>>106476195
is flatpak-spawn in use yet?

the firefox sandbox warning that popped up after switching to the the hardened arch kernel led me down this rabbit hole.

was trying to determine if the using the hardened kernel with flatpak and bubblewrap-suid was a more secure option.

I use heroic games launcher flatpak to play pirated games which may or may not be safe. But I only use steamRIP, gog games, fitgirl and rutracker so mostly well known normie sources of direct downloads.

In the rare event there is linux malware that is in the exes, I can rest easy knowing its sandboxed and can't reach out of the container and that I can also disable its internet access.

Also its great for having two steam accounts on the same IP.

>>106493918
>In the rare event there is linux malware that is in the exes, I can rest easy knowing its sandboxed and-
echo my-evil-code >> .bashrc
>ACK

>>106493957
I'm sorry but I don't understand. Are you saying programs can go outside of the sandboxed folders?

Linux malware does exist but its pretty rare considering 95% of people downloading from torrents or elsewhere will be using windows 10.

>>106493984
I mean, if we assume there is some sort of Linux-specific code in the exe that specifically targets wine / Linux and that can access the Linux file system and that can access any file or folder Heroic has access to, then if Heroic has access to bashrc or other files that are used to run commands outside the sandbox, the malware could easily add malicious code there.

>>106494018
Pretty sure flatpak apps can't access outside of .var unless you give them access. Thats why Flatpak Firefox cant open local files without first copying them to a directory it has permission to access

>>106494018
It has access to these folders. Dunno if that would be bad

>>106494039
Devs can give apps access to anything they want by default.

>>106494049
What does it say above "other files"? If it doesn't enable filesystem=host or filesystem=home enabled, it shouldn't be able to do that specific thing I mentioned.
However, there might be other attack vectors. For example, since in your image it seems to have access to .local/share/applications, it might be able to override one of your system desktop files with a desktop file with a malicious command.

>>106493984
By default all wine environments link directly to your root (mounted as z:\ drive) and to your home directory. Not only can your whole user directory be accessed (where 99.9% of your files, configs, etc. are stored), but your whole system as well. Sure, stuff like Bottles (and I assume Lutris/Heroic/etc.) don't have access to these directories by default, but people could create specialized exploits to escape flatpak sandbox.

So, you'd only have to worry if you do this >>106494049 . Here the flatpak has access to the desktop and documents directories and media/ (all external drives). Any file in those places can be hit by ransomware, even if it's created for Windows (assuming this is your Wine/Proton launcher). People demonstrated that wannacry can affect Linux users if they execute it through wine.

>>106479792
i think the only time i got stuck with an old runtime was with the am2r launcher

also i don't know why flatpak maintainers almost never patch software to fix the config paths. it's fucking annoying.

>>106495242
wdym

>>106495242
>~/.var/app/config/.config
it's stupid. some programs DO fix this though.

all this chatter back and forth but none of you can come up with a plausible recommendation for security on Linux.

>>106496286
The same as on Windows: not being a retard.

>>106474359
>Flathub is not controlled by any company or any single entity unlike the Snap Store which is closed source and under the control of the evil company known as Canonical. Flatpak and Flathub belongs to the community.

You must be joking.

so is it worth using for the sandboxing or not

>>106494149
>>106494583
oh fugg. Well I disabled all these directories and only left these because I think they are essential to heroic launcher and games still work. Hopefully I dont get pwned but I'm just a simpleton I don't know the difference.

>>106496697
NTA but what's the problem? You need an LLC to handle money either from payment to proprietary software (and get your share) or donations to OSS (probably also get your share). You can't do that using the name of a non-profit and this doesn't affect flatpak (just use another repo).
>devs getting paid is bad
Fuck off jeet. You were never gonna pay anyways.

>>106498170
Read the thread. Devs must opt-in to sandbox their programs.

>>106499900
KyS retarded shill, you cant even read and you call me jeet, nice joke.

>>106492555
aah, flatpacktards are touchy-feely too.
there, there.

>>106500315
Everything you posted confirms exactly what he just said though. Are you retarded?

>>106499954
what if i use flatseal

>>106475538
lsblk
oh thirty random volumes in there, thanks

>>106502245
I have no idea if it overrides package demands. Try it out and tell us.

>>106474133
>>106474181
>appimage
Very based. Also, Guix + AppImage is very nice.
https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix-pack.html#index-AppImage_002c-create-an-AppImage-file-with-guix-pack-1

>>106504972
meds

>>106504845
i used guix pack for the deck early on. was pretty nice but the repos are in a sorry state.

>>106506222
Yeah, but since the migration to Codeberg, there's been a lot of improvement.

>>106498170
>sandboxing
Yep
Bubblewrap is actually good

>>106504845
yeah but how secure are they and can cab that security top flatseal

>>106508619
Why are you pretending like this is some big secret? Flathub literally shows you a list of warnings per app.
Most people don't care about security, they just prefer flatpaks over the packages provided by their distro maintainers.

>>106490143
stop noticing, goy