[arch-general] Announcing pacpak

pelzflorian (Florian Pelz) pelzflorian at pelzflorian.de
Sun Jul 10 15:36:22 UTC 2016

On 07/10/2016 04:45 PM, Levente Polyak wrote:
> We, as the Security Team, are strongly against any move to officially
> ship bundles that manage their dependency versions itself instead of
> regular software builds.
> […]

With pacpak, it will be the user’s responsibility to update the bundles
just like it is the user’s responsibility to update their Arch system. I
do *not* want Arch to ship official bundles. Users of Flatpak bundles
from elsewhere are of course on their own as well.

Yes, a kernel vulnerability may allow malware to escape the container. I
should not have said that Flatpaks can be run without any fear at all.
pacpak users should be made aware of this.

Florian Pelz

More information about the arch-general mailing list