First let’s make my point of view clear : for me, flatpak is a bad thing for the linux
ecosystem in general. It eases the use of proprietary software and outdated software.
As security and FLOSS is the aim of Purism and so PureOS, I think that PureOS Store
should not use flatpak and encourage user not to use it.
The arguments of the above assertion are provided in this article : http://kmkeen.com/maintainers-matter/.
You really should read this article as this guy explained the problem much better than me.
Firstly, Linux is free for malware for one reason, there are maintainers that add a
solid protection layer against attacks from software providers (in the article ISV). If
you allow with flatpak, millions of developers to push software without any control,
you will go to disaster. Requiring that the app is libre is not sufficient because the user
do not have the competences (or do not have the time) to study the software to be
sure that it does not act as evil. Precisely, Stallman explains us that even if you do not
understand IT, other people do and this people can filtrate good from bad FLOSS software.
If a software does not want to want to implement a feature, another will appear and
implement it. If a software implement a bad feature, another software will appear with
the bad feature removed. Perfect no ! But the truth is how does the user can select
the software with the good functionality and without the bad one, it does not understand IT !
Yes, the response is the maintainer. Moreover, Sandbox will not help neither because
the user is known to ignore permission (in Android, a torch app with phone permission
will get download anyway by users…) and because there is no control over how the
permission is used (once you get gps permission, you can track the user all the time
without his explicit consent using for example a background services). For PureOS
that is a FSF-endorsed distribution, it is a very bad thing and this go against its values
(yes, libre softwares should auto-regulate and without maintainer it cannot which void
all benefits from libre software. You (and I) probably do not know all software that you
use, with the flatpak system, you will probably get exploited without knowing it).
Secondly, flatpak lowers the barrier for obsolete software because one of its major goal
is compatibility (packaging libraries with the software). Without flatpak, maintainers have
power to force an application to use newer libraries and, thus, to do not use outdated
ones with security vulnerabilities. With flatpak, you strip power from the maintainer
and thus encourage this behavior. And no, this is not the fault of the user to use
an outdated software because users are not a security expert and if they buy a librem
device, he will normally think that all software in the approved software center (PureOS Store)
are secured. (And no, sandboxing is not the solution as sandboxing does not protect
against vulnerability exploitation, it only limit the scope of exploitation). Once again,
for PureOS that sell itself as a secure distribution, this is a bad thing.
Now, why maintainers are better than software providers. This is because maintainers
live in an ecosystem that force them to be good. If a maintainer provide bad software,
it get fired. Moreover, maintainers can patch software if the software does not follow the
distribution vision. For example, maintainer will patch Firefox and remove EME because
this thing does not share the FSF vision (and thus the PureOS vision). You should
ask why EME is included and activate by default in Firefox (even if Mozilla is a very
good company that promote freedom in the WEB). This is because Mozilla does
not live in the same ecosystem than maintainers (Mozilla need that the most large
amount of users use firefox to survive and promote WEB freedom in our current
capitalist system but a maintainer need only to follow the distribution vision and
does not play the rules of capitalism. Yes, by playing the capitalism rules, Mozilla
had to infect its own software and shot itself. I do not want to critic Mozilla but if I
understand well, Purism goal is to promote the FSF vision of free software. and
thus, should not allow bad application or feature to infiltrate in his software center).
Finally, to provide an example for outdated package, gnucash was removed from
archlinux repository because it has a outdated dependency full of CVE (webkitgtk).
This force gnucash dev to use newer libraries (GTK3 and WebKit2Gtk) and thus
correct the security vulnerabilities. Without maintainer, gnucash will probably still
use this outdated library. Here are some sources :
2. [see following post]
3. [see following post]
From the last source link :
The headline item for this release is that GnuCash now uses the Gtk±3.0 Toolkit and the WebKit2Gtk API.
This change was forced on us by some major Linux distributions dropping support for the WebKit1 API.
Unfortunately the Webkit project doesn’t support Microsoft Windows so that platform will continue to use
the WebKit1 API, though with Gtk3. We’ve selected Gtk±3.14.0 as the minimum version because it fully
supports CSS theming.
You should note that the second link prove well that Flatpak was used by not-expert people (ignoring IT)
to bypass the restriction from the maintainer. (Even If your absolutely need to use a software, you should
probably use a VM solution like XEN or QEMU/KVM to protect yourself instead of flatpak…).
Note : I am not against sandboxing, I am against sandboxing as the unique layer of protection
against bad software. But yes, sandboxing is a must as an extra layer of protection against
external attack. For example, it is useful to limit the scope of exploitation of a web attack
through a malformed webpage against firefox. With sandboxing, you limit the scope and so
the attack can get your browser history but not all you personal images in your computer (it need
to first evade the sandbox before getting your personal files). Other example, it is useful to
sandbox VLC in order to avoid to get exploited when you see a malformed video file that you just
download through torrent on non-recommended websites. You see, in each of these examples,
the threat is external because and cannot be internal because all software that you run
is trusted and secure. And again, I think that using sandboxed evil-application is worst than
just using a trusted application…