undefined | Better HN

0 pointsalkonaut4y ago0 comments

Is there any difference in trust between package maintainers and flatpack packagers?

If anything, isn't the flatpack situation better in that regard because the end user is more likely to have a sandbox?

0 comments

Maintainers are not developers, they are users, so the developer cannot push unwelcome changes, such as ads, trackers, trojans, backdoors, keyloggers, etc. directly to users because the maintainer will refuse to accept that.

AnIdiotOnTheNet4y ago

On the other hand, maintainers can and have inserted (accidentally or not) vulnerabilities in software, and ignore developer wishes (like "please stop distributing this ancient unmaintained software without this warning that says it is ancient and unmaintained"), which reflects poorly on the developer in the mind of the user.

I personally see no upside to shoving an unpaid third party between user and developer.

southerntofu4y ago

> I personally see no upside to shoving an unpaid third party between user and developer.

I think F-Droid is a good example of striking a balance between those two extreme models. Their existence enforces community vetting of apps as well as somewhat-reproducible thanks to their standardized build infra, which are two major wins.

I personally have much more trust in such schemes (such as guix/nix) because i don't necessarily trust all of the developers of apps i use not to get hacked, and i believe enabling one-click updates to every user of an app without review is a dangerous pattern for security.

goohle4y ago

> On the other hand, maintainers can and have inserted (accidentally or not) vulnerabilities in software,

Such maintainer will be kicked off from distribution.

> and ignore developer wishes (like "please stop distributing this ancient unmaintained software without this warning that says it is ancient and unmaintained")

Developer wishes are developer wishes. User wishes are more important. If package has a maintainer, then it IS maintained.

You can use any distribution developed by developers (do you know any?) if you dislike maintained distributions and share experience with us.

2 more replies

enriquto4y ago

> Is there any difference in trust between package maintainers and flatpack packagers?

You shouldn't need to trust either. Just the sandboxing system of your OS.

gizdan4y ago

This is an inherent limitation of the way OSs are built. Linux, Windows, macOS are all like this. macOS is currently the furthest ahead in this since they're sharing code with iOS, but it's still not where it should be.

The Linux kernel is not at a point of allowing this kind of fine grained sandboxing or mocking of APIs. I'm guessing because it's a significant undertaking. I'm sure as more features become available in the Kernel w.r.t. sandboxing Snap and Flatpak will definitely utilise them.

drran4y ago

Yeah, proper use of Flatpack requires antivirus, reverse firewall, hardware isolation (separate CPU core per application), user education, etc.

simiones4y ago

That's only true for the simplest of apps. The whole point of desktop OSs is that programs can integrate with each other, but that necessarily discards the notion of a sandbox almost entirely.

iggldiggl4y ago

Yeah, e.g. file sandboxing approaches that work along the lines of "don't let the program access any files outside of its private directory except for those explicitly and lovingly hand-picked by the user" commonly ignore the existence of multi-file file formats.

goodpoint4y ago

> Is there any difference in trust between package maintainers and flatpack packagers?

Yes, and very big: Debian maintainers need to build a reputation for years to gain upload rights, meet in person, sign keys, and the packages are peer reviewed my multiple persons.

Plus, packages spend time in release freeze being tested by a large userbase before a distro is released.

j / k navigate · click thread line to collapse

0 comments

drran4y ago

AnIdiotOnTheNet4y ago

I personally see no upside to shoving an unpaid third party between user and developer.

southerntofu4y ago

> I personally see no upside to shoving an unpaid third party between user and developer.

goohle4y ago

> On the other hand, maintainers can and have inserted (accidentally or not) vulnerabilities in software,

Such maintainer will be kicked off from distribution.

> and ignore developer wishes (like "please stop distributing this ancient unmaintained software without this warning that says it is ancient and unmaintained")

Developer wishes are developer wishes. User wishes are more important. If package has a maintainer, then it IS maintained.

You can use any distribution developed by developers (do you know any?) if you dislike maintained distributions and share experience with us.

2 more replies

enriquto4y ago

> Is there any difference in trust between package maintainers and flatpack packagers?

You shouldn't need to trust either. Just the sandboxing system of your OS.

gizdan4y ago

drran4y ago

Yeah, proper use of Flatpack requires antivirus, reverse firewall, hardware isolation (separate CPU core per application), user education, etc.

simiones4y ago

That's only true for the simplest of apps. The whole point of desktop OSs is that programs can integrate with each other, but that necessarily discards the notion of a sandbox almost entirely.

iggldiggl4y ago

goodpoint4y ago

> Is there any difference in trust between package maintainers and flatpack packagers?

Yes, and very big: Debian maintainers need to build a reputation for years to gain upload rights, meet in person, sign keys, and the packages are peer reviewed my multiple persons.

Plus, packages spend time in release freeze being tested by a large userbase before a distro is released.

j / k navigate · click thread line to collapse