Spectacle8011, (edited) to linux in If only more Linux programs followed sandboxing best practices...
@Spectacle8011@lemmy.comfysnug.space avatar

I don’t doubt it, but this is a good place to start.

This claim has interesting phrasing:

Adding X11 sandboxing via a nested X11 server, such as Xpra, would not be difficult, but Flatpak developers refuse to acknowledge this and continue to claim, “X11 is impossible to secure”.

If you look at the GNOME post, you’ll see they haven’t argued against including a nested X server at all:

Now that the basics are working it’s time to start looking at how to create a real sandbox. This is going to require a lot of changes to the Linux stack. For instance, we have to use Wayland instead of X11, because X11 is impossible to secure.

I’m not saying they haven’t refused to acknowledge this elsewhere, but it’s strange to point to this blog post which acknowledges that the sandbox is very much a work-in-progress and agrees with Madaidan that X11 is hard to secure.

Does Xpra provide better sandboxing than XWayland? If not, I think the Flatpak developers’ solution to this is: just use Wayland. And obviously, there’s plenty of room to improve with the permissions Flatpak does offer.

I did some searching on the Flatpak Github for issues and found that you can actually use Xpra with Flatpak, and the answer is “just use Wayland”:


This is also concerning:

As odd as this may sound, you should not enable (blind) unattended updates of Flatpak packages. If you or a Flatpak frontend (app store) simply executes flatpak update -y, Flatpaks will be automatically granted any new permissions declared upstream without notifying you. Using automatic update with GNOME Software is fine, as it does not automatically update Flatpaks with permission changes and notifies the user instead.

Source: privsec.dev/posts/linux/desktop-linux-hardening/#…

It’s great that GNOME Software notifies you when permissions change! I don’t use Flatpak enough to know, but I hope flatpak update notifies you too if you don’t use the -y option.
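
Added example (not part of the post above, and not Flatpak's own code): one way to see which permissions an update would newly grant is to diff the permission groups of the installed metadata against the metadata offered by the remote. The two metadata texts below are constructed samples, and `org.example.Notes` is a hypothetical app ID; on a real system the texts would come from `flatpak info --show-metadata` and `flatpak remote-info --show-metadata`.

```python
import configparser

# Groups of a Flatpak "metadata" keyfile that carry sandbox permissions.
PERMISSION_GROUPS = ("Context", "Session Bus Policy", "System Bus Policy")

# Constructed sample: metadata of the installed build.
INSTALLED = """[Application]
name=org.example.Notes
[Context]
shared=ipc;
sockets=wayland;fallback-x11;
filesystems=xdg-documents;
[Session Bus Policy]
org.freedesktop.Notifications=talk
"""

# Constructed sample: metadata of the pending update on the remote.
CANDIDATE = """[Application]
name=org.example.Notes
[Context]
shared=network;ipc;
sockets=wayland;fallback-x11;
filesystems=xdg-documents;home;
[Session Bus Policy]
org.freedesktop.Notifications=talk
org.freedesktop.secrets=talk
"""

def parse_permissions(metadata_text):
    """Return the set of (group, key, value) permission entries."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case (D-Bus names are case-sensitive)
    parser.read_string(metadata_text)
    entries = set()
    for group in PERMISSION_GROUPS:
        if not parser.has_section(group):
            continue
        for key, raw in parser.items(group):
            # Values are ';'-separated lists such as "network;ipc;".
            for value in filter(None, (v.strip() for v in raw.split(";"))):
                entries.add((group, key, value))
    return entries

def new_permissions(installed_text, candidate_text):
    """Permissions the candidate update has that the installed build lacks."""
    return sorted(parse_permissions(candidate_text)
                  - parse_permissions(installed_text))

if __name__ == "__main__":
    for group, key, value in new_permissions(INSTALLED, CANDIDATE):
        print(f"NEW  [{group}] {key}: {value}")
```

A non-empty result is the signal to review the update by hand instead of letting an unattended job apply it.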

governa, to random
@governa@fosstodon.org avatar
aires, to obsidianmd
@aires@tiggi.es avatar

@obsidianmd Make sure you all update Obsidian to 1.4.13. It fixes a critical bug.

users - the update just came through for me, so you should be able to run flatpak update to get it.

topher, to random
@topher@mastodon.online avatar

Curious which distro repos end up with patched builds first

topher,
@topher@mastodon.online avatar

Official obviously takes the lead - already there.

Not yet on 38 repos

Nothing yet or LMDE

Users of other Linux distros feel free to chime in with updates. I'm about to check and (edit: Rocky and the RHEL family appear to use the extended support release like Debian; Manjaro currently has 117.0-1 in stable)

Anyone with who uses snap?

thelinuxEXP, to random
@thelinuxEXP@mastodon.social avatar

Since there are a bunch of misconceptions around Flatpak, I decided to make a guide to dispel these, and explain how to do a few things, like theming all applications, using the command line interface to manage them, installing them from your web browser, and more:

https://youtu.be/IYXlgzrZRIE

omglinux, to random
@omglinux@mastodon.social avatar

Flatsweep Cleans Leftover Data from Uninstalled Flatpaks https://www.omglinux.com/flatsweep-flatpak-cleaner-app/

Which browser do you use? German

I have been through a lot of browsers, and many of them have their pros and cons. At the moment I am using Edge with the improved Bing, because I wanted to test ChatGPT4 + internet access without spending 20 dollars a month on a bit of fun. By now Microsoft has also cut the AI back hard. At least that is how it seems to me....

trex, to de_edv in Which browser do you use?

@ulfi @Tionisla @b0tch Mixing package managers only causes trouble and makes the system less stable, as I unfortunately had to find out myself. So I keep my hands off and .

sonny, to random
@sonny@floss.social avatar