The state of #Linux packaging seems to be a perpetual mess. There is no standard packaging format among distros (something that I don't think will be resolved any time soon) and I've always viewed third party packaging tools like #snap and #flatpak with skepticism, mainly from a #security perspective.

After reading this, I'd rather deal with the perpetual mess of different package managers than the unraveling security headache that is Flatpak.

https://www.linuxjournal.com/content/when-flatpaks-sandbox-cracks-real-life-security-issues-beyond-ideal

#tech #technews


jbz
jbz boosted

Considering recent events I'd like to believe that projects will start moving away from github (NixOS and Flatpak come to mind) but I have a hard time believing anything is gonna come of this realistically. Oh well, I should move the last few repos I have on github over to Codeberg or Disroot.

#nixos #flatpak #flathub #codeberg #github

During guadec someone was asking me how we get flatpak-builder to work inside containers. I can't remember the handle/nickname of who it was, though I do remember the face, but the answer is that we are using a custom seccomp policy that we pass to podman/docker.

Something like this:

--cap-drop all --security-opt seccomp=flatpak.seccomp.json

And the file is here: https://github.com/gnome-infra/ansible/blob/master/roles/gitlab-runner/files/flatpak.seccomp.json

#guadec #guadec2025 #flatpak
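As an added example (not the poster's code and not the gnome-infra profile linked above), a small Python check that summarises a podman/docker-format seccomp profile before it is passed with the flags from the post: it reports the default action, what the profile explicitly allows and denies, and which namespace-related syscalls a bubblewrap-style sandbox would still be missing. The sample profile and the `SANDBOX_SYSCALLS` set are constructed assumptions.

```python
import json

# Constructed sample in the podman/docker seccomp profile format (illustrative
# only; it is not the gnome-infra flatpak.seccomp.json linked in the post).
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "mmap", "exit_group"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["clone", "unshare", "mount", "umount2", "pivot_root"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1},
    ],
})

# Syscalls a bubblewrap-based sandbox such as flatpak-builder's relies on and
# that stock container profiles commonly block (assumption based on the default
# docker/podman profile; adjust to the profile you actually ship).
SANDBOX_SYSCALLS = {"clone", "unshare", "mount", "umount2", "pivot_root"}


def summarize_profile(text):
    """Return what a profile allows, denies, and whether its default is permissive."""
    profile = json.loads(text)
    default = profile.get("defaultAction")
    allowed, denied = set(), set()
    for rule in profile.get("syscalls", []):
        # Both the list form ("names") and the older single "name" key occur.
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        (allowed if rule.get("action") == "SCMP_ACT_ALLOW" else denied).update(names)
    return {
        "defaultAction": default,
        "permissive_default": default == "SCMP_ACT_ALLOW",
        "allowed": sorted(allowed),
        "denied": sorted(denied),
        "missing_for_sandbox": sorted(SANDBOX_SYSCALLS - allowed),
    }


def podman_args(profile_path):
    """The flags from the post: drop every capability and load the custom profile."""
    return ["--cap-drop", "all", "--security-opt", f"seccomp={profile_path}"]


if __name__ == "__main__":
    print(json.dumps(summarize_profile(SAMPLE_PROFILE), indent=2))
    print(" ".join(podman_args("flatpak.seccomp.json")))
```

Run it against the real profile by reading the file into `summarize_profile`; a non-empty `missing_for_sandbox` list is the usual reason flatpak-builder fails under a stock container profile.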


alcinnz
alcinnz boosted

Why does @flathub not prominently show that a package is severely outdated for an architecture?

Something like "1 month ago" is not helpful if ONLY the ARM64 package has not been updated for four years.

I'll install that on my phone or laptop by accident and immediately have a security risk. Yes, that happened multiple times.

That's why I now read the issue tracker AND build manifest before installing any Flatpak packages.

Also, please clean up abandonware.

#Flathub #Flatpak #security
