Imagine your friend that does not know anything about linux, don’t you think this would make them not install the firefox flatpak and potentially think that linux is unsafe?
I ask this because I believe we must be careful and make small changes to welcome new users in the future, we have to make them as much comfortable as possible when experimenting with a new O.S
I believe this warning could have a less alarming design, saying something like “This app can use elevated permissions. What does this mean?” with the “What does this mean?” text as a clickable URL that shows the user that this may cause security risks. I mean, is kind of a contradiction to have “verified” on the app and a red warning saying “Potentially unsafe”, the user will think “well, should I trust this or not??”
Good.
People need to view out of channel software with a hairy eyeball.
Hell, I run Debian all over and it’s absurd that the main repositories don’t do checksums on downloaded packages!
I think it’s absurd that most distros have no tools whatsoever for doing checksums of their own files. Windows certainly got that part right IMO.
I’m double checking this myself now, but there are plenty of tools (debsum) they’re just not part of the default implementation as of last time I looked.
Right, I’m talking about like periodic or real-time scanning and alerting, which DISM/SFC on windows does.
i’m almost 100% that debsums on apt stuff and the --verify flag in rpm distros do what sfc did. (kinda, debsums and --verify check against a list of checksums from the repo, i’m pretty sure sfc cracks open an actual known version of the files and compares em with whats on disk)
idk what dism does.
WAIT THEY DON’T ???
yeah apt just trusts the server if it properly identifies itself
the barrier to entry for attacking that seems pretty high though
if that freaks you out, switch to a rhel derivative, they got a shiny progress bar
Interesting, but switching will be difficult, unfortunately…
Thanks for the info
Yes, but also… It’s true. Browsers are the number one way folks get viruses.
It’s not specific to browsers, but to every flatpak that is verified and has the potentially unsafe warning.
“Verified” doesn’t mean too much to privacy advocates. There have been incidents. I indeed want to check what my app is going to access before installing it.
I think it’s okay to check what the app is going to access in your system. I’m just talking about the warning design, this comment suggests a different approach for a less alarming design.
Ah, very good point! If we all had the dedication for UX like you do, Linux would be so so so perfect.
Which is hilarious because desktop apps have always had the capability to spy on all other apps and steal all your data.
Actually, Windows has implemented quite a few tricks to make this very difficult without setting off antivirus engines at least. X11’s security model is absolute trash compared to Windows Vista and above. Linux is getting safer with Wayland, but Linux on the desktop hasn’t had the XP SP1 security humiliation that Windows had so almost all of it is opt-in.
Solving the issues Windows has already solved with things like integrity levels will break compatibility with many applications (it also did on Windows, which is why Vista made you run everything as admin) but simply enabling the Flatpak sandbox can solve many problems already.
I wonder if there’s a desktop distro out there that enforces sandboxed applications by default. It would make running Linux a lot less risky.
Windows has implemented quite a few tricks to make this very difficult without setting off antivirus engines
That’s funny because we have been shipping a commercial Windows app since XP that is keylogger-based using SetWindowsHookEx, and it has only tripped users’ antivirus maybe 1 or 2 times in 20 years.
I wonder if there’s a desktop distro out there that enforces sandboxed applications by default.
EasyOS is the first distro I’ve seen that at least runs every app as its own user by default, similar to Android.
On bad operating systems like Linux, yes. ;)
You’re thinking of operating systems that give unrestricted access to all parts of a computer that aren’t memory or the camera. That would everything1, actually.
1 There’s also Linux with properly-configured SELinux, but good luck with that on a distro that isn’t focused on opsec.
Fedora has pretty good SELinux configured out of the box, and isn’t focused on opsec. It’s just sane defaults and proper limitations to access. It also switched to Walyand-by-default this release, completely removing X11 from the default packages, which mitigates many of the “app spying on other app” scenarios that a previous user in the thread was talking about. That’s not to say that Fedora is the pinnacle of Linux security or anything, but it comes with pretty good defaults for the average user. You’d have to get into kernel hardening and deep into SELinux to do better as an end user, which is not something that most users are inclined to spend time or energy on.
So in other words, I’m thinking of Linux
If you’re willing to admit that you’re denigrating an operating system for having the same flaws as the one you prefer and are being a massive hypocrite in doing so, sure.
You’ve lost me on this one. No idea what you mean. But either way, I think you should take my comment just a bit less seriously.
I like flatpaks and flathub, but this is just something they do badly. I think as well they also have “probably safe” which is just as unhelpful… And what does “access certain files and folders” even mean!?
I think they should just follow the example of every other app store; list the permissions in an easily understandable list and let the user decide whether or not they are comfortable with it.
That is a clickable menu that explains exactly what the permissions are.
I think they should just follow the example of every other app store; list the permissions in an easily understandable list and let the user decide whether or not they are comfortable with it.
Totally agree. The “verified” label will give new users enough comfort, and the ones who wish to know more will read the permissions.
When I look at Firefox in Discover, it only shows the list of permissions the flatpak will be given out of the box, with no warning of it being “potentially unsafe.” This certainly does seem like the better way to handle it.
Also, the warning on the Flathub website is clickable - it expands into the full permissions list. Why it defaults to “no information except maybe dangerous” is beyond me.
isn’t flatpak by definition relying on a second software source, hence 2x as much risk as relying on a single source (your OS repo)?
A distro has thousands of independent sources. No your distro doesn’t audit them all, barely any.
“barely any” is neither entirely accurate, nor does it excuse the use of flatpaks.
How much sandboxing is your distro generally doing?
I just typed “xdg-download:𝗰𝗿𝗲𝗮𝘁𝗲” into flatseal, my browser is safe af now.
In short, no
Yesss! It’s too aggressive
those warnings on mint and flathub are so ridiculous, there’s no difference between those and official ones, somebody could just as easily put something nefarious in any flatpak
Firefox on flathub is an official one, that’s not what this warning is.
In my opinion, those warnings are not used to help users but to shame developpers for not trully sandboxing and verifying their apps. Developpers know that having this warning will decrease the number of users downloading it. The goal in the long run is to improve app sandboxing and security.
By not letting the user import/export addon settings, bookmarks?
Btw, i hate the opinion that the dev must babysit his users. It makes software worse, not better, look at Firefox’s profille folder for an example. If you have to, make an intro to train them.
I’m not 100% confident but I thought you could use portals to access individual files outside of the sandbox
You could but where is fails is when you open one html file that then needs to loads the other files that are needed by the first.
You can not allow chain loading like this, it would bypass the sandbox.
One way of working around this would to allow the option of passing a whole folder and sub folders to the program.
The other and much harder option would be a per program portal filter that can read the html file. then workout what files that html file needs and offer that list of files to the user.
The lazy work around is allow read access to $HOME and deny access to some files and folders like .ssh
You can choose folders in the portal now.
Makes sense, but at least this would generally be out of a normal users usage case (multi-file documents), and so the power user could probably just open flatseal.
For things like bookmarks it’d work fine, and by extension make the sandbox more secure
Makes sense, but at least this would generally be out of a normal users usage case (multi-file documents), and so the power user could probably just open flatseal.
I would not be so sure. Firefox has a “save web page as…” option which saves the html page and all other files needed into a sub folder.
Without better handling of reading and writing files the sandbox will break that builtin function. another way of working around this. would be to change firefox to save the web page into one file. Maybe something a .html+zip file that firefox would know how to open. However that would lock other browsers out without manualy unziping it first.
Getting sandboxing right with powerful programs is very hard and I feel the tooling is still not here yet.
Completely agree. Training normies to click OK on warnings like this is a no-good terrible idea.
They shouldn’t click on on this tho
Training users to click on this shit is the same reason people wipe their desktop by ignoring “Yes I know what I am doing” warnings.
someone is not a fan of LTT
deleted by creator
Huh? Flatpaks are great and there’s no real reason why they’d be unsuitable for a new user.
Many flatpaks are not aware of their sandbox and thus have a bad ux.
E.g. flatpak Steam can’t access SteamLibraries at a non-default location, unless the user manually allows the path through flatseal. The same is true for other similar apps which don’t use the file portal.
Issues like this are unexpected for new users and thus it can be argued that flatpak aren’t a good recommendation for new users. I personally disagree because most flatpak work flawlessly and work everywhere independent of a users distro.
Users should be afraid of the malware that is default firefox. Why do you think so many people use forks?
Would you mind explaining?
Telemetry you can’t easily disable (requires modifying about:config, can change on update), Glean (nastier than anything in chrome), DoH to cloudflare, pocket (adware), Anonym.
https://www.jwz.org/blog/2024/06/mozillas-original-sin/ mozilla “saving the web”. If you want to save the web, use something like qutebrowser, luakit, or falkon with drm compiled out.
https://www.jwz.org/blog/2024/06/mozilla-is-an-advertising-company-now/
as opposed to chrome?
Chrome being worse than Firefox doesn’t make Firefox’s default telemetry, adware, and DoH to cloudflare good. When the bar is Chrome, essentially any browser passes.
To be fair, if a naive user is going to get a virus, there’s a very high chance a browser will be involved.
Considetng flatpak doesn’t verify the authenticity of what it downloads, all flatpak users should just expect that what they download is a virus
Just reminding folks that just because it’s flatpak’d, doesn’t mean it’s sandboxed. But they probably should add some general click here for more info.
