• linuxisfun@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Eh, I don’t at flatpak or snap unless I have no other choice

    I thought the same until I discovered that Flatpak gives me the power to restrict apps in their permissions, similar to firejail, but less cumbersome. Since then I actually prefer Flatpak over traditional packages (I even switched to Fedora Silverblue), as I have a global override that, for example, revokes permission to access the root of my home directory or to use the X11 display server.

    This allows me to keep a clean home directory, as applications are prevented from writing into my home directory (configuration files then automatically get stored in the Flatpak directory ~/.var instead) or, even worse, into executable files, such as ~/.bashrc. I can also be confident that applications use Wayland, if they support it, and not a less secure display server (X11). Applications that don’t support Wayland yet can either be made to run under Wayland (Chromium / Electron) or I have to grant those applications permission to actually use an X11 server (Bottles / WINE, Steam).

    On the other hand you can also opt into punching as many holes as possible into the sandbox, for example by granting applications the permission to access a local shell. That might be necessary for development tools, such as VSCodium. The thing I like about Flatpak is that it offers this kind of flexibility and you can decide on a per-application basis which system resources the application can or can not access.

    Sure, the permission model isn’t perfect (e. g. D-Bus access), but for my use-case it is a huge improvement and it gives me more flexibility with selecting my distribution, as I can get the very same up-to-date applications anywhere via Flatpak.