
How safe are flatpaks that are un-affiliated with the original application developer?



    I am concerned about them having access to logins and maybe even root privileges on my system.

    Many of the flatpaks on Flathub are not affiliated with the developers of the program they install on your system. For example the Jetbrains Webstorm flatpak has Jetbrains listed as the publisher, but below expressly states "NOTE: This wrapper is not verified by, affiliated with, or supported by JetBrains s.r.o.". Some others appear to not be connected at all but don't say so expressly such as the Chromium flatpak while still others are "verified" such as the Firefox flatpak. The "verified" ones are often cross linked with the official website. I've even found a non-"verified" flatpak DIY Layout Creator which I was able to determine is "official" because the original author worked on the flatpak itself but didn't bother to get the "verified" checkmark.


    (I asked the exact same question on superuser and nobody answered, but a couple of people voted it down.)



    #2
    Not totally current but https://flatkill.org

    Please Read Me



      #3
      Much like distro packaging, which also are not affiliated with the developer in most cases, flatpaks are created in an open fashion, so the creation process is inspectable, and reproducible.
      They are signed and verified in a similar fashion as well, which helps eliminate man-in-the-middle swaps, unlike a direct download from a developer in many cases.

      Trusting that things are properly vetted in the end is no different than trusting that a developer's or distro's packages are not compromised or anything of that nature.
      Which is hard enough for most of us to do on our own, for sure.



        #4
        Originally posted by oshunluvr
        Not totally current but https://flatkill.org
        And a not totally current response to this.

        My original take on flatkill at the time was that the author was a bit of a FUD-ster much like the rabid anti-systemd folks could be. Being an anonymous author doesn't help much.


        Flatpak sandboxing...meh, imo. There used to be a fair amount of discussion on how this wasn't the main feature at the time, but if you have this, shouldn't you....properly make use of it, then?

        But in terms of the integrity of the code, or proprietary software applications put inside a wrapper, you can see what is being used, and where it comes from, etc. Much like distro packaging.
        Last edited by claydoh; Jul 31, 2023, 03:07 PM.



          #5
          Any site that hides its identity should be avoided. https://www.godaddy.com/whois/result...n=Flatkill.org
          Windows no longer obstructs my view.
          Using Kubuntu Linux since March 23, 2007.
          "It is a capital mistake to theorize before one has data." - Sherlock Holmes



            #6
            They are probably safe. They can take up more space than a distro-based version of the same software app due to the fact that library dependencies are built into the flatpak and are not referenced from the host distro. Flatpak seems to have a feature that ensures that library file duplications in multiple flatpaks are not brought into the host platform. This does not eliminate library file duplications that might exist between the host system and any/all flatpaks; only between flatpak apps.

            I'm sure there are valid reasons to bring flatpak apps into a Linux platform, but unless you must have some feature that may be found in a flatpak that is not in your current distro's version of the same app, it's not necessary. I avoid them like I avoid SNAPs, as both are unnecessary.

            You do what you want
            The next brick house on the left
            Intel i7 11th Gen | 16GB | 1TB | KDE Plasma 5.27.11 | Kubuntu 24.04 | 6.8.0-31-generic





              #7
              From Flatkill:
              "Almost all popular apps on Flathub still come with filesystem=host or filesystem=home permissions, in other words, write access to the user home directory (and more) so all it takes to escape the sandbox is trivial echo download_and_execute_evil >> ~/.bashrc. That's it."


              All of the apps listed on Flatkill as unsafe are also unaffiliated with the original developers. So there may be something to what they say.

              If I can find where that declaration lives, it might be a good starting point in determining that a package is not safe.

              Does anyone know where I would look for filesystem=host?



                #8
                TwoFistedJustice Take a look at https://www.lesbonscomptes.com/recol...ex-recoll.html

                A very capable search utility. One of the best I’ve come across.
                Windows no longer obstructs my view.
                Using Kubuntu Linux since March 23, 2007.
                "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                  #9
                  Originally posted by TwoFistedJustice
                  If I can find where that declaration lives, it might be a good starting point in determining that a package is not safe.
                  Discover will show this info, at the bottom.
                  Flatseal can show and change these settings via a GUI

                  On the command line: flatpak permissions <app-ID> or flatpak permission-show <app-ID> (these don't seem to work for me, or I am doing it wrong, lol)





                  [Screenshot: Screenshot_20230801_101512.png]

                  Originally posted by TwoFistedJustice
                  From Flatkill:
                  "Almost all popular apps on Flathub still come with filesystem=host or filesystem=home permissions, in other words, write access to the user home directory (and more) so all it takes to escape the sandbox is trivial echo download_and_execute_evil >> ~/.bashrc. That's it."
                  Using the above LO flatpak as an example, I am unable to actually save a file using this to someplace such as my /etc/ directory. The program *thinks* I have saved it there, but it didn't actually do so.
                  So, it seems "full file system access" isn't exactly as described.
                  So, looking at the docs:

                  As mentioned above the host option does not actually provide complete access to the host filesystem. The main rules are:
                  • These directories are blacklisted: /lib, /lib32, /lib64, /bin, /sbin, /usr, /boot, /root, /tmp, /etc, /app, /run, /proc, /sys, /dev, /var
                  • Exceptions from the blacklist: /run/media
                  • These directories are mounted under /var/run/host: /etc, /usr

                  The reason many of the directories are blacklisted is because they already exist in the sandbox such as /usr or are not usable in the sandbox.

                  The home permission also has exceptions as it does not grant access to the subdirectories for other applications in ~/.var/app/.
                  Last edited by claydoh; Aug 01, 2023, 09:21 AM.



                    #10
                    Originally posted by TwoFistedJustice
                    From Flatkill:
                    "Almost all popular apps on Flathub still come with filesystem=host or filesystem=home permissions, in other words, write access to the user home directory (and more) so all it takes to escape the sandbox is trivial echo download_and_execute_evil >> ~/.bashrc. That's it."


                    All of the apps listed on Flatkill as unsafe are also unaffiliated with the original developers. So there may be something to what they say.

                    If I can find where that declaration lives, it might be a good starting point in determining that a package is not safe.

                    Does anyone know where I would look for filesystem=host?

                    In the application's source code manifest.

                    The responder to the flatkill website looked at 50 of the most popular apps on Flathub and of those, in 2021, 27 out of 50 did NOT have the filesystem=host or home. So, the "almost all" claim is certainly bogus. Two years later I'd wager the count is between 27 and 50, if not 50.

                    As oshunluvr wrote, any website that hides the identity of its owners/creators has mischief in mind. Flatkill's identity info is redacted.

                    Having moved to Debian a couple weeks ago I do most of my package installations from the flatpak side of Discover, or, I use Muon


                    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                    – John F. Kennedy, February 26, 1962.



                      #11
                      Originally posted by GreyGeek
                      In the application's source code manifest.

                      The responder to the flatkill website looked at 50 of the most popular apps on Flathub and of those, in 2021, 27 out of 50 did NOT have the filesystem=host or home. So, the "almost all" claim is certainly bogus. Two years later I'd wager the count is between 27 and 50, if not 50.

                      As oshunluvr wrote, any website that hides the identity of its owners/creators has mischief in mind. Flatkill's identity info is redacted.

                      Having moved to Debian a couple weeks ago I do most of my package installations from the flatpak side of Discover, or, I use Muon



                      I looked some up

                      the manifest for WebStorm has filesystem=host

                      the manifest for Firefox is a 404

                      the manifest for Chromium has filesystem=home

                      the manifest for DIY Layout Creator has filesystem=xdg-documents

                      the manifest for Gimp has "--filesystem=host"

                      the manifest for Inkscape has "--filesystem=host"

                      Comment
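
As an added example that is not part of any post in this thread: a shell function that rates the filesystems= entries in Flatpak metadata, the keyfile text printed by `flatpak info --show-metadata <app-ID>`, which carries the same grants as the manifest's --filesystem= finish-args discussed above. The sample metadata, the app IDs and the HIGH/MEDIUM/LOW labels are constructed for illustration.

```bash
#!/usr/bin/env bash
# Rates each entry of the [Context] filesystems= list in Flatpak metadata
# (keyfile text, as printed by `flatpak info --show-metadata <app-ID>`).

# Constructed sample metadata; both app IDs are hypothetical.
BROAD_APP='[Application]
name=org.example.Editor

[Context]
shared=network;ipc;
filesystems=host;xdg-config/example:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk'

SCOPED_APP='[Application]
name=org.example.Viewer

[Context]
sockets=wayland;
filesystems=xdg-documents;home:ro;'

# rate_filesystems: metadata on stdin -> one "LEVEL entry" line per grant.
#   HIGH   writable host or home (the ~/.bashrc case quoted from Flatkill)
#   MEDIUM read-only host or home (dotfiles readable, not modifiable)
#   LOW    anything narrower, e.g. xdg-documents or a single path
rate_filesystems() {
  awk '
    /^\[/ { in_ctx = ($0 == "[Context]"); next }   # track the current section
    in_ctx && sub(/^filesystems=/, "") {
      n = split($0, grant, ";")
      for (i = 1; i <= n; i++) {
        if (grant[i] == "") continue      # trailing ";" leaves an empty field
        base = grant[i]
        ro = sub(/:ro$/, "", base)        # 1 when the grant is read-only
        sub(/:(rw|create)$/, "", base)    # strip the other access suffixes
        broad = (base == "host" || base == "home")
        level = broad ? (ro ? "MEDIUM" : "HIGH") : "LOW"
        print level, grant[i]
      }
    }'
}

# has_writable_home: exit status 0 when at least one grant is rated HIGH.
has_writable_home() { rate_filesystems | grep -q '^HIGH '; }

printf '%s\n' "$BROAD_APP"  | rate_filesystems
printf '%s\n' "$SCOPED_APP" | rate_filesystems
```

On a system with Flatpak installed, real metadata can be piped in the same way: `flatpak info --show-metadata <app-ID> | rate_filesystems`.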
