Hi.

On Mon, Apr 06, 2020 at 12:00:18PM -0500, Anil F Duggirala wrote:
> hello,
> I know there have been some security concerns with flatpak, which are
> too high level for me to understand,

It's simple, and security is just a part of a bigger problem here.
The very purpose of flatpak is to enable the user to run untrusted software (i.e. not obtained by usual OS means).

So, for instance, if the author of the software wants their software to perform "telemetry" - they just do it and their users will "enjoy" it. A good software maintainer will just patch the offensive functions out because such a privacy violation is a legitimate cause for a bug report in Debian (and yes, those *did* happen).

Likewise, flatpak by itself cannot do anything against a cryptominer "helpfully" "bundled" with a piece of software.

> but I want to ask, is it normal
> for flatpak to ask for the root password when installing a new package?

For so-called "system install" - yes, it's normal. The reason for this being that "system" installed flatpaks expose their binaries in /var/lib/flatpak/exports/bin, which is not user-writable.
For so-called "user install" - i.e. inside your $HOME, no it's not.

> Are these packages not supposed to be sandboxed?

It's rather that you have a different definition of "sandboxing" than the flatpak authors. For them it's important to restrict access to the $HOME files for anything that's running via flatpak (among other things).
Whatever collateral damage they do to the filesystem is usually limited to /var/lib/flatpak.

Reco
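
Added example, not part of the original message: a small Python check of how much of $HOME an app's declared permissions actually leave reachable, read from the flatpak metadata keyfile (the data `flatpak info --show-metadata <app>` prints). The sample metadata and the app name org.example.Editor are constructed, and the function names are hypothetical.

```python
import configparser

# Constructed sample of a flatpak metadata keyfile (not from the original post).
SAMPLE_METADATA = """\
[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/19.08

[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
filesystems=xdg-download;home:ro;!xdg-documents;/var/lib/flatpak:ro;
"""

MODES = ("ro", "rw", "create")
# Grants that cover the whole home directory ("host" includes it).
WHOLE_HOME = {"home", "host", "~"}


def filesystem_grants(metadata_text):
    """Return [(target, mode)] for every non-negated filesystems= entry."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keyfile keys are case-sensitive
    parser.read_string(metadata_text)
    raw = parser.get("Context", "filesystems", fallback="")
    grants = []
    for entry in filter(None, (e.strip() for e in raw.split(";"))):
        if entry.startswith("!"):  # "!target" revokes access, it is not a grant
            continue
        target, sep, mode = entry.rpartition(":")
        if not sep or mode not in MODES:
            target, mode = entry, "rw"  # no suffix means read-write
        grants.append((target, mode))
    return grants


def home_exposure(metadata_text):
    """Grants that let the sandboxed app reach files under $HOME."""
    def reaches_home(target):
        if target in WHOLE_HOME or target.startswith("~/"):
            return True
        # xdg-* directories live under $HOME, except xdg-run (/run/user/...)
        return target.startswith("xdg-") and not target.startswith("xdg-run")
    return [(t, m) for t, m in filesystem_grants(metadata_text) if reaches_home(t)]


if __name__ == "__main__":
    for target, mode in home_exposure(SAMPLE_METADATA):
        print(f"{target} ({mode})")
```

An empty result means the app declares no static access to $HOME; it says nothing about what the software does with the network or CPU.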