On 07/10/2016 11:05 AM, pelzflorian (Florian Pelz) wrote:
> [...] Bundles ship with the version of their dependencies which they need. Dependencies are not force-upgraded with the operating system, but easily upgradable by the bundle creator.

We, as the Security Team, are strongly against any move to officially ship bundles that manage their dependency versions themselves instead of regular software builds. In our opinion this will (sooner or later) lead to a security nightmare with vulnerable dependencies and slow upstreams to fix such bundles. This approach multiplies the effort of tracking vulnerabilities in libraries from one entity to an "infinite" number of upstream bundle creators. This whole concept makes our security work either highly inefficient or not possible at all. We have no interest in investigating all pinned versions of all bundles to ensure every shipped piece of software is indeed properly fixed.

> Flatpak allows you to run, say, a sandboxed and containerized copy of LibreOffice where opening an infected file can only cause harm to what the sandbox has access to, but not compromise the integrity of the system as a whole. Untrustworthy games can be isolated and run without fear of a system compromise. More generally, most GUI applications should probably be installed to and run from a Flatpak sandbox.

This is simply not true and in fact just an illusion. The whole security of containers entirely depends on kernel namespacing (and maybe cgroups against system-wide denial of service). All containers share the very same kernel; any vulnerability and exploit against it will ultimately lead to a whole-system compromise. The general trend of evangelizing that all fear should be entirely abandoned because containers can't possibly compromise the integrity of the whole system is wrong, self-defeating and dangerous.

> This has major implications for traditional package managers. Pacman would be demoted to providing the base system on top of which Flatpak bundles downloaded from elsewhere are run (e.g. from gnome.org or from reallytheofficialwebsiteoflibreofficeipromise.com).

Just to make our (Security Team) opinion clear: We are strictly against such a move (on a distribution-level scale) and strongly advise against it. We are very aware of all the arguments and reasons of the advocates; however, this is our point of view. Also to be clear: We don't want to speak out against your project or discredit it by any means! Feel free to create and use whatever you like and makes you happy. We are just strongly against officially shipping bundles instead of regular software builds.

sincerely,
Levente
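The tracking burden the Security Team describes above (every bundle pinning its own copies of shared libraries, each of which must be checked separately against every fix) can be made concrete with a small audit. The following is an added example, not code from the mailing-list thread or from any distribution's tooling: it takes an inventory of bundles with their pinned library versions and a table of the minimum version carrying a known fix, and reports every bundle that still ships an unfixed copy. All bundle names, library names, versions and advisory identifiers are constructed placeholders.

```python
"""Audit bundled (pinned) dependency copies against known fixed versions.

Added example for illustration; not part of the original thread. Bundle
names, library names, versions and advisory ids below are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed inventory: each bundle pins its own copy of shared libraries.
BUNDLES: Dict[str, Dict[str, str]] = {
    "office-bundle": {"libfoo": "1.2.3", "libbar": "2.0.0"},
    "game-bundle": {"libfoo": "1.1.0"},
    "editor-bundle": {"libfoo": "1.2.10"},
}

# Constructed fix table: library -> list of (advisory placeholder, fixed-in version).
FIXES: Dict[str, List[Tuple[str, str]]] = {
    "libfoo": [("ADVISORY-PLACEHOLDER-1", "1.2.10")],
    "libbar": [("ADVISORY-PLACEHOLDER-2", "2.0.1")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10); compares numerically, not as strings."""
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True if the shipped version is at least the version that carries the fix."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    # Pad with zeros so that "1.2" compares equal to "1.2.0".
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def audit_bundles(bundles: Dict[str, Dict[str, str]],
                  fixes: Dict[str, List[Tuple[str, str]]]
                  ) -> List[Tuple[str, str, str, str, str]]:
    """Return (bundle, library, shipped, fixed_in, advisory) for every unfixed copy."""
    findings = []
    for bundle, deps in bundles.items():
        for lib, shipped in deps.items():
            for advisory, fixed_in in fixes.get(lib, []):
                if not is_fixed(shipped, fixed_in):
                    findings.append((bundle, lib, shipped, fixed_in, advisory))
    return findings


def copies_to_track(bundles: Dict[str, Dict[str, str]]) -> Dict[str, Set[str]]:
    """Distinct versions of each library shipped across all bundles.

    With one system-wide package there is one copy per library to track;
    with bundles, every distinct pinned copy must be checked on its own.
    """
    copies: Dict[str, Set[str]] = {}
    for deps in bundles.values():
        for lib, version in deps.items():
            copies.setdefault(lib, set()).add(version)
    return copies


if __name__ == "__main__":
    for bundle, lib, shipped, fixed_in, advisory in audit_bundles(BUNDLES, FIXES):
        print(f"{bundle}: {lib} {shipped} < {fixed_in} ({advisory})")
    for lib, versions in copies_to_track(BUNDLES).items():
        print(f"{lib}: {len(versions)} distinct copies to track: {sorted(versions)}")
```

Running it on the constructed inventory reports three unfixed copies (both libraries in office-bundle and libfoo in game-bundle) and shows that two libraries become four separately tracked copies once each bundle pins its own version.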