The Software Manager app in Linux Mint 22 will deliver faster start-up times and introduce a significant security safeguard for search results. As you may
… these would be hidden by default. Is any of these applications dangerous or a security risk to the system / user?
Linux Mint:
Unverified Flatpaks represent a huge security risk.
I personally don’t like this. This is not really true and in worse case even misleading and giving a false sense of security. If an app represents a huge security risk, why in the first place is it allowed in the repository? Unverified does not mean its a security risk, this is their interpretation of it. Unverified simply means, it is not verified by the original author.
Create a fork of an app and verify your website with the fork in Flatpak. The system is already broken. Another point is, that lot of unverified apps are just normal apps, as this is the way applications are handled in Linux. We have the right to create alternative versions of the programs and the verification badge will show that. There is no point in hiding alternatives. By doing so, it undermines a reason why we use GPL and Open Source. And what about apps where the original author does not care, but was brought to Flatpak by a community member?
Flathub:
It’s similar failure to what Flathub does on their site too, but for another thing.
Potentially unsafe: Full file system read/write access; Can access some specific files
Even though LibreOffice is verified, it is marked as potentially unsafe application on Flathub.
The Flathub security rating is useful but too cautious (so many “false alarms” that people ignore it). It is completely independent from the verification though.
Mixing these up makes no sense.
But for sure, officially supported Libreoffice may be more secure than distro-packaged Libreoffice.
Is any of these applications dangerous or a security risk to the system / user?
Likely not more than Distro packages. They pull in dependencies, and code, just like any other app.
Flatpaks are too pain tolerant regarding EOL runtimes. These may have security risks, and many badly maintained apps are using them, and at least KDE Discover doesnt show a warning here.
Create a fork of an app and verify your website with the fork in Flatpak. The system is already broken
True
By doing so, it undermines a reason why we use GPL and Open Source.
Very good points. It is a good security practice to stay close to a trusted upstream though. Browsers for example may have delayed security patches.
And what about apps where the original author does not care, but was brought to Flatpak by a community member?
Same here, if the upstream tests the Flatpak BEFORE shipping the release, it will work and be fast. If they dont, they ship the update, the flatpak is updated some time after that, it may have an issue, the packagers may need to patch something, solve the issue upstream etc.
The thing is that packagers should join upstream, as only integrated packaging gives this inherent stability and speed.
This is not relevant in many scenarios though. Flatpaks allow to securely sandbox random apps, so they are very often more secure.
The Flathub security rating is useful but too cautious (so many “false alarms” that people ignore it). It is completely independent from the verification though.
Mixing these up makes no sense.
That’s right, but I had a point there. My point is, that even verified applications can be marked as insecure on Flathub. That means, unverified applications can be secure based on the standards the Flathub sets. This was my point that its independent and why the verification of source has nothing to do with security. If Linux Mint does hide unverified apps, because it thinks these are unsecure, then it should hide all the applications that are marked as a potential unsecure app; just like the unverified apps are potentially unsecure (just like any other verified app).
There are legacy apps that are always insecure with huge static filesystem permissions AND they are sometimes not well maintained i.e. they dont support the Flatpak.
But that’s a personal decision. It’s not like Steam Flatpak would be a huge security risk, as the Mint devs say. Just because its not officially verified. Even Valve themselves recommended to use the Flatpak version of Steam, as an alternative to Snap package. You think such a package would be good enough if Valve itself sanction it. I would like to provide a link for this, but cannot find it right now.
Examples of unverified apps:
… these would be hidden by default. Is any of these applications dangerous or a security risk to the system / user?
Linux Mint:
I personally don’t like this. This is not really true and in worse case even misleading and giving a false sense of security. If an app represents a huge security risk, why in the first place is it allowed in the repository? Unverified does not mean its a security risk, this is their interpretation of it. Unverified simply means, it is not verified by the original author.
Create a fork of an app and verify your website with the fork in Flatpak. The system is already broken. Another point is, that lot of unverified apps are just normal apps, as this is the way applications are handled in Linux. We have the right to create alternative versions of the programs and the verification badge will show that. There is no point in hiding alternatives. By doing so, it undermines a reason why we use GPL and Open Source. And what about apps where the original author does not care, but was brought to Flatpak by a community member?
Flathub:
It’s similar failure to what Flathub does on their site too, but for another thing.
Even though LibreOffice is verified, it is marked as potentially unsafe application on Flathub.
The Flathub security rating is useful but too cautious (so many “false alarms” that people ignore it). It is completely independent from the verification though.
Mixing these up makes no sense.
But for sure, officially supported Libreoffice may be more secure than distro-packaged Libreoffice.
Likely not more than Distro packages. They pull in dependencies, and code, just like any other app.
Flatpaks are too pain tolerant regarding EOL runtimes. These may have security risks, and many badly maintained apps are using them, and at least KDE Discover doesnt show a warning here.
True
Very good points. It is a good security practice to stay close to a trusted upstream though. Browsers for example may have delayed security patches.
Same here, if the upstream tests the Flatpak BEFORE shipping the release, it will work and be fast. If they dont, they ship the update, the flatpak is updated some time after that, it may have an issue, the packagers may need to patch something, solve the issue upstream etc.
The thing is that packagers should join upstream, as only integrated packaging gives this inherent stability and speed.
This is not relevant in many scenarios though. Flatpaks allow to securely sandbox random apps, so they are very often more secure.
That’s right, but I had a point there. My point is, that even verified applications can be marked as insecure on Flathub. That means, unverified applications can be secure based on the standards the Flathub sets. This was my point that its independent and why the verification of source has nothing to do with security. If Linux Mint does hide unverified apps, because it thinks these are unsecure, then it should hide all the applications that are marked as a potential unsecure app; just like the unverified apps are potentially unsecure (just like any other verified app).
Hopefully this was not too confusing to read.
Yes, verification is very different from the security rating.
Poorly you can sort by subsets but not by the security rating.
There are legacy apps that are always insecure with huge static filesystem permissions AND they are sometimes not well maintained i.e. they dont support the Flatpak.
I’ve heard you don’t want the flat pack Steam, so…
But that’s a personal decision. It’s not like Steam Flatpak would be a huge security risk, as the Mint devs say. Just because its not officially verified. Even Valve themselves recommended to use the Flatpak version of Steam, as an alternative to Snap package. You think such a package would be good enough if Valve itself sanction it. I would like to provide a link for this, but cannot find it right now.