Announcement

**oshunluvr** · Jul 31, 2023, 02:40 PM

Not totally current but https://flatkill.org

**claydoh** · Jul 31, 2023, 02:44 PM

Much like distro packaging, which also are not affiliated with the developer in most cases, flatpaks are created in an open fashion, so the creation process is inspectable, and reproduceable.
They are signed and verified in a similar fashion as well, which helps eliminate man-in-the-middle swaps, unlike a direct download from a developer in many cases.

Trusting that things are properly vetted in the end is no different than trusting that a developer's or distro's packages are not compromised or anything of that nature.
Which is hard enough for most of us to do on our own, for sure.

**claydoh** · Jul 31, 2023, 02:51 PM

Originally posted by oshunluvr View Post

Not totally current but https://flatkill.org

And a not totally current response to this.

My original take on flatkill at the time was that the author was a bit of a FUD-ster much like the rabid anti-systemd folks could be. Being an anonymous author doesn't help much.

Flatpak sandboxing...meh, imo. There used to be a fair amount of discussion on how this wasn't the main feature at the time, but if you have this, shouldn't you....properly make use of it, then?

But in terms of the integrity of the code, or proprietary software applications put inside a wrapper, you can see what is being used, and where it comes from, etc. Much like distro packaging.

**Snowhog** · Jul 31, 2023, 02:57 PM

Any site that hides its identity should be avoided. https://www.godaddy.com/whois/result...n=Flatkill.org

**jglen490** · Jul 31, 2023, 05:51 PM

They are probably safe. They can take up more space than a distro-based version of the same software app due to the fact that library dependencies are built into the flatpak and are not referenced from the host distro. Flatpak seems to have a feature that ensures that library file duplications in multiple flatpaks are not brought into the host platform. This does not eliminate library file duplications that might exist between the host system and any/all flatpaks; only between flatpak apps.

I'm sure there are valid reasons to bring flatpak apps into a Linux platform, but unless you must have some feature that may be found in a flatpak that is not in your current distro's version of the same app, it's not necessary. I avoid them like I avoid SNAPs, as both are unnecessary.

You do what you want

**TwoFistedJustice** · Jul 31, 2023, 08:31 PM

From Flatkill:
"Almost all popular apps on Flathub still come with filesystem=host or filesystem=home permissions, in other words, write access to the user home directory (and more) so all it takes to escape the sandbox is trivial echo download_and_execute_evil >> ~/.bashrc. That's it."

All of the apps listed on Flatkill as unsafe are also unaffiliated with the original developers. So there may be something to what they say.

If I can find where that declaration lives, it might be a good starting point in determining that a package is not safe.

Does anyone know where I would look for filesystem=host?

**Snowhog** · Aug 01, 2023, 07:16 AM

TwoFistedJustice Take a look at https://www.lesbonscomptes.com/recol...ex-recoll.html

A very capable search utility. One of the best I’ve come across.

**claydoh** · Aug 01, 2023, 08:36 AM

Originally posted by TwoFistedJustice View Post

If I can find where that declaration lives, it might be a good starting point in determining that a package is not safe.

Discover will show this info, at the bottom.
Flatseal can show and change these settings via a GUI

On the command line: flatpak permissions <app-ID> or flatpak permission-show <app-ID> (these don't seem to work for me, or I am doing it wrong, lol)

Originally posted by TwoFistedJustice View Post

From Flatkill:
"Almost all popular apps on Flathub still come with filesystem=host or filesystem=home permissions, in other words, write access to the user home directory (and more) so all it takes to escape the sandbox is trivial echo download_and_execute_evil >> ~/.bashrc. That's it."

Using the above LO flatpak as an example, I am unable to actually save a file using this to someplace such as my /etc/ directory. The program *thinks* I have saved it there, but it didn't actually do so.
So, it seems "full file system access" isn't exactly as described.
So, looking at the docs:

As mentioned above the host option does not actually provide complete access to the host filesystem. The main rules are:

These directories are blacklisted: /lib, /lib32, /lib64, /bin, /sbin, /usr, /boot, /root, /tmp, /etc, /app, /run, /proc, /sys, /dev, /var
Exceptions from the blacklist: /run/media
These directories are mounted under /var/run/host: /etc, /usr

The reason many of the directories are blacklisted is because they already exist in the sandbox such as /usr or are not usable in the sandbox.

The home permission also has exceptions as it does not grant access to the subdirectories for other applications in ~/.var/app/.

**GreyGeek** · Aug 01, 2023, 09:07 PM

Originally posted by TwoFistedJustice View Post

From Flatkill:
"Almost all popular apps on Flathub still come with filesystem=host or filesystem=home permissions, in other words, write access to the user home directory (and more) so all it takes to escape the sandbox is trivial echo download_and_execute_evil >> ~/.bashrc. That's it."

All of the apps listed on Flatkill as unsafe are also unaffiliated with the original developers. So there may be something to what they say.

If I can find where that declaration lives, it might be a good starting point in determining that a package is not safe.

Does anyone know where I would look for filesystem=host?

In the application's source code manifest.

The responder to the flatkill website looked at 50 of the most popular apps on Flathub and of those, in 2021, 27 out of 50 did NOT have the filesystem=host or home. So, the "almost all" claim is certainly bogus. Two years later I'd wager the count is between 27 and 50, if not 50.

As oshunluvr wrote, any website that hides the identity of its owners/creators has mischief in mind. Flatkill's identity info is redacted.

Having moved to Debian a couple weeks ago I do most of my package installations from the flatpak side of Discover, or, I use Muon

**TwoFistedJustice** · Aug 02, 2023, 09:48 AM

Originally posted by GreyGeek View Post

In the application's source code manifest.

The responder to the flatkill website looked at 50 of the most popular apps on Flathub and of those, in 2021, 27 out of 50 did NOT have the filesystem=host or home. So, the "almost all" claim is certainly bogus. Two years later I'd wager the count is between 27 and 50, if not 50.

As oshunluvr wrote, any website that hides the identity of its owners/creators has mischief in mind. Flatkill's identity info is redacted.

Having moved to Debian a couple weeks ago I do most of my package installations from the flatpak side of Discover, or, I use Muon

I looked some up

the manifest for WebStorm has filesystem=host

the manifest for Firefox is a 404

the manfiest for Chromium has filesystem=home

the manifest for DIY Layout Creator has filesystem=xdg-documents

the manifest for Gimp has --filesystem=host"

the manifiest for Inkscape has "--filesystem=host",

Announcement

How safe are flatpaks that are un-affiliated with the original application developer?

How safe are flatpaks that are un-affiliated with the original application developer?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment