@whitequark which one is the latter?
@navi @SRAZKVT if all distros do is ship vanilla software i'd much rather save the collective effort and invest in something like flatpak
flatpak is (sigh) kind of terrible, as i've been studying it in detail just yesterday night, but it's the direction i care about here more so than the exact implementation. it could be a nix flake for all i know. though nix is also kind of terrible (i use it a lot, i would know)
@whitequark @navi @SRAZKVT Main problems with Flatpak are:
- Some upstreams (you almost certainly not included) don’t update dependencies when there are major security vulnerabilities. For instance, OBS Studio shipped an old CEF that had a Chromium version riddled with exploitable holes.
- It only works (well) for graphical applications. CLI tools need hand-written wrappers, and it doesn’t work for daemons, libraries, or embedded devices.
- It blocks user namespaces, breaking browser sandboxes. I believe WebKit and Gecko (Firefox) have alternative sandboxing options, but they have more overhead. Chromium doesn’t have an upstream alternative at all, which is unfortunate because it is the most secure browser engine.
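A way to verify the user-namespace point above for yourself, as an added example that is not part of the thread: the script below probes whether unprivileged user namespaces can be created in the current environment and explains why not when they cannot. Run it once on the host and once inside a sandbox (for example via `flatpak run --command=sh <app-id>`, assuming the runtime has a `python3`) and compare the verdicts. It assumes util-linux's `unshare` is on PATH; the two sysctl paths are real kernel knobs (`user.max_user_namespaces` is mainline, `kernel.unprivileged_userns_clone` exists only on some distribution kernels such as Debian's).

```python
"""Probe whether unprivileged user namespaces work here (host vs. sandbox).

Added example, not code from the thread or from Flatpak/Chromium."""
import subprocess

# Mainline sysctl: 0 forbids creating any user namespace at all.
MAX_USER_NS = "/proc/sys/user/max_user_namespaces"
# Distribution-specific sysctl (Debian-style kernels); absent on mainline.
UNPRIV_CLONE = "/proc/sys/kernel/unprivileged_userns_clone"

VERDICTS = {
    "available": "unprivileged user namespaces can be created",
    "disabled-by-sysctl": "a sysctl forbids user namespaces system-wide",
    "blocked-by-policy": "the kernel allows them but this process is blocked "
                         "(seccomp or similar sandbox policy, as in Flatpak)",
}


def read_int(path):
    """Return the integer stored in a sysctl file, or None if absent/unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def try_unshare():
    """True if unshare(1) can create a user namespace from this process."""
    try:
        done = subprocess.run(["unshare", "--user", "true"],
                              capture_output=True, timeout=5)
        return done.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        # unshare missing, or it hung behind a sandbox policy
        return False


def classify(max_user_ns, unpriv_clone, unshare_ok):
    """Pure decision logic so the three outcomes can be tested without root."""
    if unshare_ok:
        return "available"
    if max_user_ns == 0 or unpriv_clone == 0:
        return "disabled-by-sysctl"
    # Sysctls permit it, yet creation failed: something between us and the
    # kernel (a seccomp filter, an LSM rule) vetoed CLONE_NEWUSER.
    return "blocked-by-policy"


def probe():
    """Gather the facts, classify them, and return a small report dict."""
    max_user_ns = read_int(MAX_USER_NS)
    unpriv_clone = read_int(UNPRIV_CLONE)
    unshare_ok = try_unshare()
    verdict = classify(max_user_ns, unpriv_clone, unshare_ok)
    return {
        "max_user_namespaces": max_user_ns,
        "unprivileged_userns_clone": unpriv_clone,
        "unshare_ok": unshare_ok,
        "verdict": verdict,
        "explanation": VERDICTS[verdict],
    }


if __name__ == "__main__":
    for key, value in probe().items():
        print(f"{key}: {value}")
```

A browser whose namespace sandbox is unavailable typically falls back to a weaker mode or refuses to start; checking this before trusting a sandboxed browser build is the practical takeaway.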