77
I have a question about flatpak
(lemm.ee)
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
Flatpak is supposed to be a sandbox, so if there is a vulnerable dependency then in theory any attack would be limited to the sandbox.
However, it depends on the software - some Flatpak need quite low level access to use, and in that case an attack or mlaware could get into the main system. And unfortunately Flatpak itself has vulnerabilities which cna negate the whole idea of a sandbox.
Flatpaks should be using up to date secure dependencies, but the reality is many do not. I would not rely on Flatpak for security. Even fully up to date Flatpaks can be insecure, and Flatpak itself have vulnerabilities that have needed fixing. And for many Flatpaks it's not even clear who is maintaining them.
Flatpaks are useful for deploying software that's just not available in your distros repos. But when deploying any software outside your repos - including App Image, build from source or 3rd party repos - you are opening your system up to security vulnerabilities. That's the nature of installing 3rd party software. Flatpak offers some reassurance compared to some methods but it's far from perfect.
If security is your prime concern, then Virtual Machines may be more secure route to sandboxing software (if done properly). Building from source would be the other option, as it means you take ont he responsibility for security by using the latest code including for dependencies. But there is no perfect option, it's always about balancing risk vs convenience.
It's also worth noting that software repos are also not perfect. But good distros invest a lot of time and effort in keeping them as up to date and secure as possible, usually via the hard work of volunteers.
I wish I saw this post yesterday before I installed VSCode from flathub, trying to get the terminal to see the same file system as my other shells. I got it fixed and learned a lot about flatpak.