10 Jul 2016, 3:36 p.m.
On 07/10/2016 04:45 PM, Levente Polyak wrote:
> We, as the Security Team, are strongly against any move to officially ship bundles that manage their dependency versions themselves instead of regular software builds. […]

With pacpak, it will be the user’s responsibility to update the bundles just like it is the user’s responsibility to update their Arch system. I do *not* want Arch to ship official bundles. Users of Flatpak bundles from elsewhere are of course on their own as well.

Yes, a kernel vulnerability may allow malware to escape the container. I should not have said that Flatpaks can be run without any fear at all. pacpak users should be made aware of this.

Regards,
Florian Pelz