• HayadSont@discuss.online · 3 days ago (edited)

    It's a security nightmare

    How so? Doesn’t its sandbox offer superior security (under most circumstances) over most other solutions? Even in its relative infancy*.

      • HayadSont@discuss.online · 3 days ago

        But how is it a security nightmare? Or did you mean “distraction”, but chose to use “nightmare” for -I suppose- exaggeration (or similar/related reasons)?

        doesn’t matter if you downloaded malicious code

        Hmm… please help me understand: say I installed a flatpak that included malicious code. But it required some permission to enact its maliciousness, which it never received. And thus, if my understanding is correct, it couldn’t enact its maliciousness. How did Flatpak’s security model not matter in this case? Apologies if I sound obnoxious (or whatsoever)*, but I’m genuinely trying to understand your case.

        • jagged_circle@feddit.nl · 3 days ago

          Flatpak doesn’t verify signatures like normal package managers do

          So the issue isn’t that you downloaded a flatpak that included malicious code. The issue is that you downloaded a legit flatpak and ended up downloading malicious code because flatpak doesn’t verify what it downloads
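Both points raised so far, whether a malicious app ever receives the permission it needs (the sandbox question above) and whether a remote's downloads are signature-verified (the claim just made), come down to keyfile text that Flatpak keeps on disk: the OSTree repo config holds one `[remote "NAME"]` section per remote with its `gpg-verify` setting, and each installed app's `metadata` file holds its granted permissions under `[Context]`. The script below is an added example, not code from this thread or from the Flatpak project: a POSIX shell audit that reads either file and reports remotes without `gpg-verify=true` and permission grants that undo most of the sandbox. The remote names, URLs and the app ID in the embedded samples are constructed; the on-disk paths in the comments are the standard system-install locations.

```shell
#!/bin/sh
# Added example (not from the thread or the Flatpak project): audit two keyfiles
# Flatpak keeps on disk. Both are glib keyfile (INI-style) text, so awk suffices.
#   1. OSTree repo config, one [remote "NAME"] section per configured remote:
#      /var/lib/flatpak/repo/config (system) or ~/.local/share/flatpak/repo/config (user)
#   2. an installed app's metadata, whose [Context] lists its granted permissions:
#      /var/lib/flatpak/app/<APP_ID>/current/active/metadata
#      (the same text `flatpak info --show-permissions <APP_ID>` prints)

# Constructed sample repo config (remote names and URLs are made up).
SAMPLE_REPO_CONFIG='[core]
repo_version=1
mode=bare-user-only

[remote "flathub"]
url=https://dl.flathub.org/repo/
xa.title=Flathub
gpg-verify=true
gpg-verify-summary=true

[remote "vendor-mirror"]
url=https://mirror.example.invalid/repo/
gpg-verify=false
gpg-verify-summary=false

[remote "local-dev"]
url=file:///home/dev/repo
'

# Constructed sample app metadata (the app ID is made up).
SAMPLE_APP_METADATA='[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/23.08
command=editor

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=all;
filesystems=home;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
'

# Read a repo config on stdin; print "NAME<TAB>VALUE" for every remote whose
# gpg-verify is not explicitly true. ostree documents the key as defaulting to
# true, so a missing key is reported as "unset" rather than treated as disabled.
remotes_without_gpg_verify() {
    awk '
        function flush() {
            if (rem != "" && verify != "true")
                print rem "\t" (verify == "" ? "unset" : verify)
        }
        /^\[remote "/ { flush(); rem = $0; sub(/^\[remote "/, "", rem); sub(/"]$/, "", rem); verify = ""; next }
        /^\[/         { flush(); rem = ""; next }
        rem != "" && /^gpg-verify=/ { verify = substr($0, 12) }
        END           { flush() }
    '
}

# Read app metadata on stdin; print "KIND<TAB>GRANT" for grants that undo most of
# the sandbox: the unfiltered session/system bus, all devices, broad filesystem
# access, and talk access to org.freedesktop.Flatpak (which lets the app run
# commands on the host through flatpak-spawn --host).
risky_permissions() {
    awk -F= '
        /^\[/ { sec = $0; next }
        sec == "[Context]" && $1 == "sockets" {
            n = split($2, v, ";")
            for (i = 1; i <= n; i++) if (v[i] ~ /^(session-bus|system-bus)$/) print "socket\t" v[i]
        }
        sec == "[Context]" && $1 == "devices" && $2 ~ /(^|;)all(;|$)/ { print "device\tall" }
        sec == "[Context]" && $1 == "filesystems" {
            n = split($2, v, ";")
            for (i = 1; i <= n; i++) if (v[i] ~ /^(home|host|host-os|host-etc)(:|$)/) print "filesystem\t" v[i]
        }
        sec == "[Session Bus Policy]" && $1 == "org.freedesktop.Flatpak" && ($2 == "talk" || $2 == "own") {
            print "dbus\t" $1 "=" $2
        }
    '
}

if [ $# -gt 0 ]; then
    # Real use: sh audit.sh /var/lib/flatpak/repo/config [path/to/app/metadata]
    remotes_without_gpg_verify < "$1"
    [ $# -gt 1 ] && risky_permissions < "$2"
else
    # No arguments: run against the constructed samples above.
    printf '%s' "$SAMPLE_REPO_CONFIG" | remotes_without_gpg_verify
    printf '%s' "$SAMPLE_APP_METADATA" | risky_permissions
fi
```

On the sample config the first check reports `vendor-mirror` as `false` and `local-dev` as `unset`, and says nothing about `flathub`; a remote added with `flatpak remote-add --no-gpg-verify` is what writes the explicit `false`. On the sample metadata the second check reports the session bus socket, `devices=all`, `filesystems=home` and the `org.freedesktop.Flatpak` talk grant, which is the combination that would let the hypothetical malicious app in the earlier post act outside its sandbox. Per-user overrides (`flatpak override`) are kept in separate keyfiles and are not read here.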

          • HayadSont@discuss.online · 3 days ago

            Ah okay, thanks for the clarification! I haven’t delved deep into that aspect yet. But I’ve recently become aware of this unaddressed attack vector. And it is definitely something to worry about.

            Unsure if it’s solved anytime soon. But, if it is properly addressed and solved at some point in the future, would that (completely) redeem Flatpak’s security model? Or, at least make it superior to what’s found elsewhere?

            • jagged_circle@feddit.nl · 2 days ago

              They don’t seem to give a shit about security. I think the well is poisoned. Best to just use apt

              • HayadSont@discuss.online · 2 days ago

                They don’t seem to give a shit about security. I think the well is poisoned.

                Nah, I wouldn’t go that far. That’s like way too dramatic.

                Best to just use apt

                I will whenever apt doesn’t (majorly) rely on backports for its security updates AND actually sandboxes its own packages. Zero Trust, FTW!

                • jagged_circle@feddit.nl · 1 day ago (edited)

                  When a critical security bug is open for years on a project with plenty of funding to fix it…