Flatpak vs AUR?

@I0F

A question regarding installation of flatpak runtimes/apps in general:

Assuming that the source and the packager are trustworthy,

will installing per user (using --user) be more secure than installing system-wide since nothing will be written to system directories?

Also, it seems to be possible to install flatpaks on external media as well?

I wonder if doing so and giving the flatpak the minimum permissions necessary for it to run would add to its being more secure?

I don’t know if it’s more secure to install it for one user. It should not matter, if you ask me. But I’m no expert in that. I always have one user and install it inside my home dir.

You can mount an external drive to /var/lib/flatpak if I’m not mistaken. That will install all system wide packages on the external drive.

Giving fewer permissions will always be better. But in the end it depends on the program whether it still runs after removing permissions.

1 Like
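To make the "fewer permissions" advice above concrete, here is an added example (not from the thread or the Flatpak project): it reads the keyfile text that `flatpak info --show-permissions <app-id>` prints, saved to a file, and emits the `flatpak override --user` commands that revoke the broadest grants. The file path, the app ID and the choice of which grants count as broad are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Flatpak's static permissions and
# print the "flatpak override --user" commands that would revoke the broad ones.
# Assumptions: $1 is a file holding the keyfile text that
# `flatpak info --show-permissions <app-id>` prints, and $2 is the app ID.

# flag_broad_perms FILE APPID
# Prints one override command per broad grant found in the [Context] section.
# Returns 0 when at least one broad grant was found, 1 when none was.
flag_broad_perms() {
    file=$1; app=$2; found=0
    while IFS= read -r line; do
        case $line in
            shared=*|sockets=*|devices=*|filesystems=*) ;;
            *) continue ;;
        esac
        key=${line%%=*}
        vals=${line#*=}
        oldifs=$IFS; IFS=';'
        for v in $vals; do
            [ -n "$v" ] || continue
            case "$key=$v" in
                # full host or home filesystem access defeats most of the sandbox
                filesystems=host|filesystems=host-os|filesystems=host-etc|filesystems=home)
                    printf 'flatpak override --user --nofilesystem=%s %s\n' "$v" "$app"; found=1 ;;
                # devices=all hands the app raw access to /dev
                devices=all)
                    printf 'flatpak override --user --nodevice=all %s\n' "$app"; found=1 ;;
                # X11 has no client isolation; full bus access reaches other apps
                sockets=x11|sockets=session-bus|sockets=system-bus)
                    printf 'flatpak override --user --nosocket=%s %s\n' "$v" "$app"; found=1 ;;
                shared=network)
                    printf 'flatpak override --user --unshare=network %s\n' "$app"; found=1 ;;
            esac
        done
        IFS=$oldifs
    done < "$file"
    [ "$found" -eq 1 ]
}
```

Review the printed commands before running them: an app that genuinely needs one of these grants (a browser needs the network) will stop working once it is revoked.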

I was thinking more like what is described in the link below.
If I am not mistaken, it “bypasses” /var/lib/flatpak altogether and installs everything to that defined path.

https://docs.flatpak.org/en/latest/tips-and-tricks.html#adding-a-custom-installation

Thank you for this convenient list!

1 Like

Well, how do you know what is actually in that steam flatpak? How do you know there isn’t malware tucked inside it along with the steam client? Do you know and trust the person who packages it since it is a non-official flatpak?

No, I mean the packaging source.

The multiple security risks involved with using flatpaks outweigh its weak sandboxing for my risk model.

There are too many potential problems:

  • It is binary so you don’t truly know what is in it
  • You can theoretically review the manifest but there is no easy, practical and simple way to do this as part of the update process like there is with an AUR package
  • Developers often use outdated or insecure libraries in flatpaks for their own convenience because they often don’t understand system security

If sandboxing is something I want for an application, I would much rather sandbox it myself than use the flatpak sandboxing which is not granular enough for my needs anyway. This is usually pretty easy to do and only needs to be configured once.

To be clear, I am not saying flatpaks are bad. I use them sometimes myself. I do think the added “security” they offer is fairly questionable from a practical perspective.

Also, I am only sharing how I handle my threat model, you may have different risks than you manage that require different decisions than I would make.

Most developers are not the people you want to trust with the security of your system. It is almost disturbing how little understanding of security many developers have.

Also, they often do things for their convenience instead of yours.

Of course, that isn’t always true. Some are very security conscious. However, I think that is the exception rather than the rule.

3 Likes

This can’t be stated enough. The developer of some application is typically the last person I want to package that application or manage my security. Not only are they so often incompetent or just don’t care, sometimes they are downright malicious and just want your data.

1 Like
  • Well, how do you know what is actually in that steam flatpak?
    I don't. And I don't know for AUR packages as well. But I know that flatpak is used by a lot of users outside of the arch universe. Fedora, SuSE, debian users all use the same flatpaks. Isn't that a kind of quality assurance beyond what the AUR provides?

  • How do you know there isn’t malware tucked inside it along with the steam client?
    I don't. And I don't for AUR packages as well. I understand that the steam client is in the official repos and not in the AUR. So that is a bad example for a comparison AUR vs. flatpak.

  • Do you know and trust the person who packages it since it is a non-official flatpak?
    I trust the flatpak guy as much as the AUR guy. Where is the difference?

I get where you are coming from. I am just trying to answer the above question, which in my opinion, if multiple options exist, is to follow what is recommended. For me, when installing new software, I often first look it up before deciding how to install.

You could know exactly what goes in the AUR package, if you cared to know.

With AUR you don’t need to trust anyone, except your judgement.

This is true. Also as a related point, flatpaks are developed solely and exclusively for the convenience of developers. Using flatpak apps often means downloading and installing multiple different sandboxed versions of the same libraries as each app can use a slightly different version. This raises security concerns (outdated/insecure libraries), but more immediately means that flatpaks use far more disk space than native applications.

I know it’s a meme but it’s also true: Flatpaks are bloat. Now, if there’s a choice between not having a Linux version of an application I really want and having a flatpak, give me a flatpak any day of the week. But let’s be clear that sandboxing is not a security feature, it’s a feature to convenience the developer and reduce compatibility issues, potentially at the expense of security. So don’t expect me to cheer when an application I have been using for years and runs perfectly well natively is suddenly available only as a flatpak.

I guess my next laptop better have a 1 TB SSD at least.

1 Like

Bloat seems to be overused these days, and bloat seems to be personal nowadays because everyone has a different definition of what bloat is to them: what is “bloat” for one person might not be “bloat” for another person. Some people find desktop environments bloat; another person finds tiling window managers bloat and says that to be truly bloat-free you should always be using the tty and nothing else.

1 Like

You could. At the very least you would know that it is installing nothing more than the official steam client.

In my case, every time the AUR package updates, I see a diff that shows me clearly and easily what has been changed since I last reviewed it prior to any updates being installed. Given the nature of a PKGBUILD, this is quick and easy to do.

I want to be clear, I wasn’t trying to criticize your decision. I was just interested in your choice in this case since we have had similar conversations in the past where you were on the other side and choosing the AUR package.

“Bloat” makes perfect sense here because flatpaks take up a lot more disk space than native apps to accomplish the exact same result. Now if there is no version of the app that runs natively, but a flatpak is available, fine, I will happily use the flatpak without complaint. However, if a native application is available and has worked well for years, then forcing me to switch to using the Flatpak (as fedora is doing now) is definitely adding bloat.

It depends on the user’s storage situation. If I have 2TB or more of total disk space available I could care less about a few GBs of extra space used; if I only have 100G of total disk space available to me then yes, those extra GBs of space used are bloat to me.

1 Like

Tell me the AUR is so reliable we can’t find outdated or insecure PKGBUILDs.
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=smtube-qt4

The most recent version with checksum:
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=smtube

Because with flatpak you put your brain in the locker?

I have a 500 GB SSD and from experience flatpaks take up a lot more space. Like I said, my next computer will have more disk space for this exact reason. But for now, I do all I can to avoid flatpaks.

The point is that with AUR, if you follow a sane process, you review every PKGBUILD before installing and you quickly see every change when updating.

It isn’t that the AUR is perfect, it is that it is 100% in your view and control.

Because with flatpak it is much harder to see. Your visibility is much less because it is a prebuilt binary package and reviewing the entire manifest is a difficult and time consuming process. Additionally, there is no in-line process for reviewing changes.

I always use AUR first. I actually only have two flatpak installs: steam and joplin. And both are purely for stability reasons.

1 Like
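The review workflow described in the two posts above (seeing a PKGBUILD diff before every update, and only building what has been reviewed) as an added shell example; this is not the posters' own tooling. The REVIEW_DIR location, the function names and the list of "risky" keywords are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not tooling from the thread: keep a copy of every PKGBUILD
# you have already read and refuse to run makepkg until the current one matches.
# Assumptions: REVIEW_DIR stores the reviewed copies, and the directory passed
# to each function is an AUR clone containing a PKGBUILD.

REVIEW_DIR=${REVIEW_DIR:-$HOME/.local/share/pkgbuild-reviews}

# pkgbuild_status DIR -> prints new | unchanged | changed;
# returns 0 only when the PKGBUILD is byte-identical to the reviewed copy.
pkgbuild_status() {
    dir=$1; ref=$REVIEW_DIR/$(basename "$dir").PKGBUILD
    [ -f "$ref" ] || { echo new; return 1; }
    cmp -s "$ref" "$dir/PKGBUILD" && { echo unchanged; return 0; }
    echo changed; return 1
}

# review_diff DIR -> unified diff against the reviewed copy (or /dev/null for a
# new package), then a count of added lines that touch where the sources come
# from, how they are verified, or what runs at install time; returns 0 only
# when that count is zero.
review_diff() {
    dir=$1; ref=$REVIEW_DIR/$(basename "$dir").PKGBUILD
    [ -f "$ref" ] || ref=/dev/null
    diff -u "$ref" "$dir/PKGBUILD" || true
    risky=$(diff -u "$ref" "$dir/PKGBUILD" | grep '^+' | grep -v '^+++' \
        | grep -cE 'source|sums=|install=|url=|curl|wget|sudo' || true)
    echo "review: $risky added line(s) touching sources, checksums, URLs or install hooks"
    [ "$risky" -eq 0 ]
}

# mark_reviewed DIR -> record the current PKGBUILD as the reviewed baseline.
mark_reviewed() {
    mkdir -p "$REVIEW_DIR"
    cp "$1/PKGBUILD" "$REVIEW_DIR/$(basename "$1").PKGBUILD"
}

# build_if_reviewed DIR -> the gate to put in front of makepkg: builds only a
# reviewed PKGBUILD, otherwise shows what changed and stops.
build_if_reviewed() {
    if pkgbuild_status "$1" >/dev/null; then
        (cd "$1" && makepkg -si)
    else
        review_diff "$1" || true
        echo "not built: read the diff above, then run: mark_reviewed $1"
        return 1
    fi
}
```

The byte comparison is deliberate: a changed checksum array or a new `source=` URL is exactly the kind of one-line edit a quick glance misses, so nothing builds until the copy on disk is the copy you read.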

I use Aur, Flatpaks and appimages. Did I win? :stuck_out_tongue_winking_eye: