Post AWMVSVXv3SoEMRF0XA by ali1234@mastodon.social
Post #AWMTtF2YKcnZ4yBoTA by ali1234@mastodon.social
2023-06-04T22:27:06Z
0 likes, 0 repeats
The problem with #flatpak is that the developers can't decide if they are making a compatibility sandbox that allows running any and all software on any distro or a security sandbox that completely isolates applications from the host and also each other. These goals are mutually exclusive because a large amount of software cannot function when confined.
Post #AWMTtHCYIPz9mYspKi by penguin42@mastodon.org.uk
2023-06-04T22:28:32Z
0 likes, 0 repeats
@ali1234 Is that something that can be changed/set when installing - i.e. exposing extra directories to the running application?
Post #AWMUMYVn12oZroqJns by ali1234@mastodon.social
2023-06-04T22:33:49Z
0 likes, 0 repeats
@penguin42 Sort of but not really. For example you can mount host /usr at /var/run/host/usr inside the flatpak container, but your toolchain won't know to look there for headers and libraries, so it doesn't actually help. It will be easier to adapt malware for the new path than to fix every build system, so this weird compromise means flatpak fails at both compatibility *and* security.
Post #AWMVSVXv3SoEMRF0XA by ali1234@mastodon.social
2023-06-04T22:43:33Z
0 likes, 0 repeats
And even if your toolchain *did* know to look there, the resulting executable wouldn't be able to run outside the sandbox anyway, because now all libraries are in a different place. It has to be this way because flatpak containers already have a /usr where all the libraries of the software are located. Mounting host /usr would shadow it. Snap doesn't have this problem - all software is installed to /snap and all host directories can be mounted in their original locations, aka classic mode.
Post #AWMVSWE6WcYMTGyhHs by penguin42@mastodon.org.uk
2023-06-04T22:46:07Z
0 likes, 0 repeats
@ali1234 Is that fixable with rpath?
Post #AWMVZnrNMYwXBfovc8 by ali1234@mastodon.social
2023-06-04T22:47:26Z
0 likes, 0 repeats
@penguin42 Sure, as long as whatever you're trying to build doesn't already abuse the hell out of rpath just to be able to build in a normal environment. So effectively no.