On 07/10/2016 04:45 PM, Levente Polyak wrote:
> We, as the Security Team, are strongly against any move to officially ship bundles that manage their dependency versions themselves instead of regular software builds. […]
With pacpak, it will be the user’s responsibility to update the bundles just like it is the user’s responsibility to update their Arch system. I do *not* want Arch to ship official bundles. Users of Flatpak bundles from elsewhere are of course on their own as well.
Yes, a kernel vulnerability may allow malware to escape the container. I should not have said that Flatpaks can be run without any fear at all. pacpak users should be made aware of this.
Regards, Florian Pelz