This article is more propaganda and less technical explanation

Universal “snap” packages launch on multiple Linux distros

ubuntu.com/blog/universal-snap

Show thread

@EdwardTorvalds Kill it with fire. I can't—for the life of me—understand why major distros like elementary and Ubuntu shill this shit so much.

@x @EdwardTorvalds Plus it's not like Ubuntu isn't just straightjacketed Debian, and Debian is still the gold standard for packaging everyone else is trying to imitate.

@EdwardTorvalds thank you!

FUCK flatpak, seven ways to tuesday, absolute garbage worst way to distribute software

@sir @EdwardTorvalds

However, it is this the only way to install propretary software on musl until gcompat works...

@danyspin97 @EdwardTorvalds a better solution is don't install proprietary software for fuck's sake

@sir are you tooting from a browser without DRM? (be honest)

@EdwardTorvalds @sir Sir this is a Pinebook I can only view DRM by running 32bit arm chrome in a container which I will not be doing

@sir @EdwardTorvalds

That's not a solution. My university uses Teams so I need its client. I am lucky that it is only Teams and not something else that requires Windows...

Afaik there are no Free Software alternatives to Steam. Spotify alternative clients aren't good neither. I will be happy to switch (and support) alternatives when there will be.

@danyspin97 @sir @EdwardTorvalds You can use Teams in the browser. Provided the browser is chromium, which still is a Google entangled pest. However, it is (mostly?) free software and receives regular sec updates.

I am not so sure about that so-called native Electron based application they urge you to install.

@realTimo @sir @EdwardTorvalds

Then I need flatpak for Chromium, because I don't want to deal with chromium building.

My system is custom and most software breaks (because who cares for portability?).

I have tried building firefox today, and 2 of its dependencies didn't build/pass the tests.

Software sucks, I want to improve the current stack but it needs a lot of time. In the meanwhile I need something usable. And flatpak helps a lot.

@danyspin97 @sir @EdwardTorvalds ...the obvious Steam replacement is itch.io, or am I missing something in their model that makes then objectionable?

@eryn @ignaloidas

itch.io is not a replacement for Steam, it has different market and scope.

GOG is a replacement for Steam but its client isn't FOSS nor it has a Linux version.

@danyspin97 @eryn I don't see why big game developers couldn't use itch.io. It is marketed towards small game creators, because that is what marketing would actually work for. I would enjoy seeing bigger developers publishing on itch.io, as well as other people I'm sure.

@EdwardTorvalds I read this a while ago, but now it's quote updated (it refers to flatpak 0.8.7).

@EdwardTorvalds Why exactly does snap and flatpak exist? What problem are they trying to fix?

Why must "The way we package and distribute desktop applications on Linux surely needs to be rethinked"?

I really didn't understand, why having dependancys system wide available and only a single time is considered bad.

@The_Observer6955 for answers to those, you need to read their official websites.

@EdwardTorvalds
I did that, but I don't like the reason they name. However, I am not a developer so it may be because oft that…

@The_Observer6955 @EdwardTorvalds they want to create a universal packaging format that works across distros. One reason some people want this is, in theory, it's easier to got companies who make proprietary software to release that software on Linux if they only have to package it one way and release it in one place.

@EdwardTorvalds
Okay so the site lists 3 issues total, out of which the author said himself one was fixed.

Out of the two issues left, one is that it might give a false sense of security if perms are not checked and the other is about some apps in one repo aren't updateded as often as the author wants them to be?

There are much bigger issues with the format and a 5 min scroll through the issues page of the project shows them. This whole article just had that cheap 4chan-greentext vibe

@wuwei few good reasons are enough to invalidate something.
The website also serves as cynical start point to begin your own research.
They are fixing problems that are already fixed by others systems like NixOS, Apparmor, etc

@EdwardTorvalds
I agree. I just commented that the specific website is pretty bad at being a "start point"

More like being fixed. Guix is still in heavy development and Apparmor still lacks a trace of ease-of-use
But I agree with your "reinventing-the-wheel" vibe you tried to portray(I think you did at least)

@EdwardTorvalds I mean yes, this was true when the page was created. But these days flatpak is way further developed. More apps get automated security updates, sandboxing is improved due to better portal support for KDE and Gnome, (mainly Electron apps still have huge problems with sandboxing due to implementing their own thing for file selection)

And when it comes to the SUID bug, well, it was a bug, it was fixed, so what are we talking about?

/cc @amolith

@sheogorath @amolith lookup NixOS.

What's the use of sandbox when the app has read and write perms to your home dir? When it can add malicious script at the end of .bashrc? When it can read your keyboard entries from X11?

@EdwardTorvalds @amolith While there are apps that have read-write permissions on your home directory, yes, that a problem and basically disables the sandbox for them. But not all have and a growing number of apps does not have this.

X11 -> When you run flatpak and the app does have wayland + x11-fallback permissions, it'll work on both, but if wayland is available, it can only use wayland.

Both cases where the sandbox is working. Not perfect, but I don't think anyone claimed that.

@sheogorath @amolith you need to look pragmatically. In theory every app you install should be trusted. One small zero day big in snapd or flatpak negates everything

The biggest selling point is easier packing. If you work at corporate you will learn that those people are ready to sacrifice anything to get things done easy. Which is why, for example, the snap packages I installed get whole home directory read and write instead of one folder. etc, etc

@EdwardTorvalds @amolith Looking at it pragmatically: Flatpak provides portals. No need to provide any permissions, and users can select whatever file they need.

Also: Making restrictions accessible. Look at flatseal. Someone who wants to restrict an app, can simply do that.

We could just go as we knew and push everything unsandboxed to the desktop. But that doesn't sound like progress to me.

Note: I'm not here to convince you about flatpaks, but I also think it's wrong to burn them.

@EdwardTorvalds @amolith And about the zero day: Sadly the same is true for rpm and dpkg. A malicious package, is a malicious package, is a malicious package.

But when a library for your calculated got compromised and tries to read your .ssh/ directory and send it off somewhere else, you might be better of with it running in flatpak than with it running installed as .rpm or .dep.

@sheogorath
(regarding SSH directories, this is why certificates with expiration dates, passwords, and MFA are useful 😉)
@EdwardTorvalds

@amolith @EdwardTorvalds yes, replace .ssh with your .mozilla directory when you use Thunderbird or Firefox with session cookies that survive a browser restart. Let's just try to keep them out. And while we tried that for a while now with SELinux and Apparmor it didn't really find the needed adoption. Flatpak on the other hand, seems to get there. And allows users to modify those permissions a lot easier than apparmor or SELinux.

@EdwardTorvalds @sheogorath @amolith

At least with flatpaks you have the option of installing them with user (non-root) permissions.

With regards to the 'flatkill' article, I don't like that it doesn't list its author and it doesn't list when it was written.

And as for the sandboxing permission issues ... those are things that can be tightened down / improved over time. To dismiss it out of hand because it's not perfect right now is being a bit short-sighted.

@sheogorath @amolith you need to lookup how Apple does hardware and software engineering, those guys have total control over both and mostly know what they are doing (at least up until Steve Jobs was alive)
In case of Linux, it is total bullshit if you cant control your hardware. A buggy hardware can bypass most secure software, and since Linux runs proprietary drivers, security is an illusion

@EdwardTorvalds @sheogorath @amolith

I would ask two questions here: is it more secure than the existing solutions (deb, rpm) and is it more secure than other alternatives (e.g. snap).

From the description, there's a whole range of apps that by definition are intended to access the whole filesystem (like file managers) and they simply cannot be confined in one dir. In Snaps this is called "classic confinement".

But most security-critical app Snaps come fully confined.

@kravietz @sheogorath @amolith depends on your use case, dude. You need to define what is secure for you.

@EdwardTorvalds While snap is worse overall, flatpak is bad enough.

@EdwardTorvalds I disagree. I do think that flatpaks should ask the user for permission to access the home folder or something but some apps simply require it. How are you supposed to save something like a project when it would be blocked? Flatpak has some bugs but it's a thousand times better than the alternatives. More people should work on it and fix issues that it has.

@cyndn
> More people should work on it and fix issues that it has.

who will pay for their bills? :-)

@EdwardTorvalds I'd also like to point out that there is a Flatpaks app called Flatseal which lets you manage Flatpak permissions.

@cyndn I am aware of that. And my concern is much bigger than 'permissions', which I have discussed on replies to main toot, you might wanna checkout them out.

Sign in to participate in the conversation
Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!