this post was submitted on 02 Jun 2025
Linux
But how is it a security nightmare? Or did you mean "distraction", but chose to use "nightmare" for -I suppose- exaggeration (or similar/related reasons)?
Hmm..., please help me understand: say I installed a flatpak that included malicious code. But it required some permission to enact its maliciousness, which it never received. And thus, if my understanding is correct, it couldn't enact its maliciousness. How did Flatpak's security model not matter in this case? Apologies if I sound obnoxious (or whatsoever), but I'm genuinely trying to understand your case.
Flatpak doesn't verify signatures like normal package managers do
So the issue isn't that you downloaded a flatpak that included malicious code. The issue is that you downloaded a legit flatpak and ended up downloading malicious code because flatpak doesn't verify what it downloads
Ah okay, thanks for the clarification! I haven't delved deep into that aspect yet. But I've recently become aware of this unaddressed attack vector. And it is definitely something to worry about.
Unsure if it's solved anytime soon. But, if it is properly addressed and solved at some point in the future, would that (completely) redeem Flatpak's security model? Or, at least make it superior to what's found elsewhere?
They don't seem to give a shit about security. I think the well is poisoned. Best to just use apt
Nah, I wouldn't go that far. That's like way too dramatic.
I will whenever apt doesn't (majorly) rely on backports for its security updates AND actually sandboxes its own packages. Zero Trust, FTW!
When a critical security bug is open for years on a project with plenty of funding to fix it..