undefined | Better HN

0 pointsbandrami3y ago0 comments

How many different versions of OpenSSL are running on my laptop right now? Who can say? That's the beauty of flatpak: if you sweep the problems of software management under a big enough rug, they go away and never bother you again.

0 comments

35 comments · 8 top-level

Gigachad3y ago· 13 in thread

Why would I care? Ok Spotify has an old package with some vulnerabilities in it. But flatpak has it sandboxed so the worst you could do is maybe steal my Spotify session token. That's more a problem for Spotify than it is for me. They will go and fix their package and I will reset my sessions.

Meanwhile we have distros lagging behind for years to provide a new package because they can't break all the things depending on the old version.

Rotareti3y ago

> Meanwhile we have distros lagging behind for years to provide a new package because they can't break all the things depending on the old version.

I'm glad I left this category of problems behind me 5 years ago when I switched both, my personal and my work laptop to arch-linux/i3wm. These two machines have been running for 5 years, almost daily, with almost no issues, with the latest software packages. If the hardware lasts, I will go on like this for another 3 to 5 years and then upgrade hardware and (maybe) switch to wayland. I don't see anything on the horizon which would make me switch away from this setup.

Athas3y ago

My impression is that Arch is not technically unusual among distributions, but is simply well-polished, documented, and very active (and has an easy way to install unvetted community packages). If this impression is correct, you still run the risk of unnoticed outdated software if the amount of volunteers drop, or a particularly critical one no longer has the time.

Which part of Arch's design prevents the issue described in the grandparent post? The issue is "distros lagging behind for years to provide a new package because they can't break all the things depending on the old version", which is solvable either with enough manpower or by sandboxing a la NixOS, where you can keep old versions around indefinitely for the things that need them. Does Arch use such sandboxing now?

3 more replies

andreareina3y ago

My only complaint about arch/i3 so far is that updating Firefox forces a restart of Firefox, and I've got FF windows scattered over a few workspaces so I need to sift them back to their places.

Come to think of it I can probably prune one of the windows...

ETA: and maybe one of the workspaces...

3 more replies

rashkov3y ago

Been running this same setup for eight or nine years now, extremely pleased with it

progval3y ago

> But flatpak has it sandboxed so the worst you could do is maybe steal my Spotify session token.

It has access to X11 <https://github.com/flathub/com.spotify.Client/blob/0856c7641...>, so it could also be running a keylogger.

jhoechtl3y ago

Which is an issue of the X architecture less of flatpack. Wayland is there for a reason

bandramiOP3y ago

Lagging isn't always a bad thing. Users of Debian Stable missed Heartbleed entirely.

But this gets to the mindset that bugs me about Flatpak, the magical thinking that regressions don't happen. It's why Alice can't downgrade a system flatpak because it might introduce a vulnerability she uses to attack Bob, but it's absolutely fine if she upgrades to introduce that vulnerability.

gapan3y ago

While I generally agree with you with respect to the mindset, it is actually possible to downgrade a flatpak [1]. It is rather involved, but possible. I have done it to downgrade cheese (the webcam app) since newer versions don't have the filters that older ones did, at least not for me.

[1]: https://itsfoss.com/downgrade-flatpak-packages/

2 more replies

goodpoint3y ago

> But flatpak has it sandboxed so the worst you could do is maybe steal my Spotify session token

You are cherry-picking the spotify session token while many other applications have valuable personal data.

Also sandboxing is also implemented by the OS. It is not an advantage of flatpak.

littlestymaar3y ago

> But flatpak has it sandboxed

With an open sandbox by default for many apps…

AnIdiotOnTheNet3y ago

You are thinking of Snap probably. Some flatpaks have $HOME wide-open, but Flatpak itself has no mechanism to completely bypass the sandboxing, as evidenced by things like Wireshark being unable to actually capture packets and many IDEs being unable to actually call build tools.

1 more reply

yjftsjthsd-h3y ago

If every application is properly sandboxed, and the sandbox has zero holes, then it's fine. I don't believe either.

Nasreddin_Hodja3y ago

> But flatpak has it sandboxed so

Sandboxing should be a separate tool independent of packaging systems and anything else .

klooney3y ago· 5 in thread

Flatpak has a concept of shared base layers, so if you update frequently you might notice 'org.gnome.Sdk' or whatever getting updated. This is a way to handle lots of the most popular shared dependencies.

Besides, sufficiently quality minded projects always wind up vendoring all of their dependencies anyway. There's a reason Chrome has their own fork of everything down to the compiler.

IncRnd3y ago

> Besides, sufficiently quality minded projects always wind up vendoring all of their dependencies anyway. There's a reason Chrome has their own fork of everything down to the compiler.

It's not about quality. It's about reproducibility of the exact versions of all dependencies. It's about communications with repos not being subverted to load malicious packages. It's build security not app quality, though app quality is a part.

redeeman3y ago

i gotta say, if chrome stands out to you as a shining beacon of quality, i'd hate to hear about what software you consider bad

afavour3y ago

I know “Chrome bad” is a meme-level comment at this point but it’s a hugely impressive piece of software, basically an operating system unto itself at this point. Not to mention the V8 engine etc.

Plenty to criticise about it from a product perspective but from an engineering one it is kind of a marvel.

2 more replies

fijiaarone3y ago

Chrome doesn’t have to be a beacon of quality for Firefox to look bad in comparison.

bandramiOP3y ago

The SDK is different from the platform itself, but more or less. So I have three versions of Gnome, two of KDE, and three of Freedesktop.org, just based on the apps I run on Silverblue and what version they're at in Flathub. Since I asked specifically about SSL, that's shipped with FDO, meaning I potentially have three versions running right now. Also I have this annoying situation where an app a client uses is using a deprecated FDo runtime and nobody wants to pay to rebuild it.

Volundr3y ago· 3 in thread

Until openssl has another vulnerability.

yamtaddle3y ago

It's a problem of the many-distros model for Linux—or, if you prefer, it's a problem of Linux just being a kernel. You can't just target "Desktop Linux 15" and expect to have all the stuff that Desktop Linux 15 has, including a robust set of basic libraries and a unified GUI stack and standard same-on-every-copy-of-Linux-15 multimedia libraries and services and all that good stuff, and let the OS worry about keeping that secure without breaking your program. Programs end up having to be a lot more fiddly about their dependencies, and it causes problems.

Now, maybe the Linux approach is so good and useful in other ways that it's worth putting up with that, but it is a big problem and people are going to solve it, one way or another. If the model can't be changed, then the only solutions available may be bad, but they'll be used, and widely.

goodpoint3y ago

> It's a problem of the many-distros model for Linux

No, it is not. If you want security you need dependency management and software lifecycle management on all OSes and platforms.

fijiaarone3y ago

Freedom bad.

serf3y ago· 2 in thread

>How many different versions of OpenSSL are running on my laptop right now? Who can say?

but that's a problem, too.

i'd rather all things on a system be bottleneck-forced into using the latest version of security libraries that my system is actively updating; yes, this causes issues, but not issues like "There was a huge vulnerability found in X version Y, does it affect me?".

in other words, i'd rather have system breakage than insecurity. That's a personal taste, I admit.

that said, the sandboxing aspect behind 'the new ways' is fantastic.

bandramiOP3y ago

I do love the sandboxing, granted. But "let's just hope the app maintainers keep up with our rolling platform deprecations" is a horrible idea.

AnIdiotOnTheNet3y ago

Why don't you just turny our computer off then? It can't be exploited if it isn't actually running.

Which is to say most people use a computer to run software, so if the software doesn't run the security is pointless anyway.

Sure, if only some software breaks and you can wait for fixes that's a tradeoff, but given that in package maintainer land those fixes could be months or years away...

1 more reply

littlestymaar3y ago· 2 in thread

> How many different versions of OpenSSL are running on my laptop right now? Who can say? That's the beauty of flatpak

And how many of them are critically out of date because the software maintainer didn't update? Who can say? That's the beauty of flatpack (not).

With flatpack you have all the downside of static linking with none of its advantages, how exciting. (and there's nothing as cool as having 7 full linux distros installed on your computer at once, just because software can't agree on which base image to use)

bandramiOP3y ago

I suppose it shouldn't surprise me that the sarcasm of my comment wasn't apparent to everyone.

littlestymaar3y ago

Poe's law strikes again.

goodpoint3y ago· 2 in thread

> if you sweep the problems of software management under a big enough rug, they go away and never bother you again.

...until attackers find a vulnerability in some library, then you are really in trouble.

Just like docker, the bundling of tons of software into opaque blobs is terrible for security.

bandramiOP3y ago

Yeah I didn't realize people would take the joke there seriously. It's basically looking at package management and saying "this is hard so we won't try".

goodpoint3y ago

FWIW personally I detected your sarcasm but I replied knowing that the security risk would fly over people's heads here.

api3y ago

That’s what the whole container revolution was about: “fuck it, we’ll just tar up entire Linux file system images to distribute stuff.”

IncRnd3y ago

Multiple copies of openssl is an problem that updates will hopefully solve.

Multiple versions of openssl is a security problem that merely updating cannot solve.

j / k navigate · click thread line to collapse

0 comments

35 comments · 8 top-level

Gigachad3y ago· 13 in thread

Meanwhile we have distros lagging behind for years to provide a new package because they can't break all the things depending on the old version.

Rotareti3y ago

> Meanwhile we have distros lagging behind for years to provide a new package because they can't break all the things depending on the old version.

Athas3y ago

3 more replies

andreareina3y ago

My only complaint about arch/i3 so far is that updating Firefox forces a restart of Firefox, and I've got FF windows scattered over a few workspaces so I need to sift them back to their places.

Come to think of it I can probably prune one of the windows...

ETA: and maybe one of the workspaces...

3 more replies

rashkov3y ago

Been running this same setup for eight or nine years now, extremely pleased with it

progval3y ago

> But flatpak has it sandboxed so the worst you could do is maybe steal my Spotify session token.

It has access to X11 <https://github.com/flathub/com.spotify.Client/blob/0856c7641...>, so it could also be running a keylogger.

jhoechtl3y ago

Which is an issue of the X architecture less of flatpack. Wayland is there for a reason

bandramiOP3y ago

Lagging isn't always a bad thing. Users of Debian Stable missed Heartbleed entirely.

gapan3y ago

[1]: https://itsfoss.com/downgrade-flatpak-packages/

2 more replies

goodpoint3y ago

> But flatpak has it sandboxed so the worst you could do is maybe steal my Spotify session token

You are cherry-picking the spotify session token while many other applications have valuable personal data.

Also sandboxing is also implemented by the OS. It is not an advantage of flatpak.

littlestymaar3y ago

> But flatpak has it sandboxed

With an open sandbox by default for many apps…

AnIdiotOnTheNet3y ago

1 more reply

yjftsjthsd-h3y ago

If every application is properly sandboxed, and the sandbox has zero holes, then it's fine. I don't believe either.

Nasreddin_Hodja3y ago

> But flatpak has it sandboxed so

Sandboxing should be a separate tool independent of packaging systems and anything else .

klooney3y ago· 5 in thread

Besides, sufficiently quality minded projects always wind up vendoring all of their dependencies anyway. There's a reason Chrome has their own fork of everything down to the compiler.

IncRnd3y ago

> Besides, sufficiently quality minded projects always wind up vendoring all of their dependencies anyway. There's a reason Chrome has their own fork of everything down to the compiler.

redeeman3y ago

i gotta say, if chrome stands out to you as a shining beacon of quality, i'd hate to hear about what software you consider bad

afavour3y ago

Plenty to criticise about it from a product perspective but from an engineering one it is kind of a marvel.

2 more replies

fijiaarone3y ago

Chrome doesn’t have to be a beacon of quality for Firefox to look bad in comparison.

bandramiOP3y ago

Volundr3y ago· 3 in thread

Until openssl has another vulnerability.

yamtaddle3y ago

goodpoint3y ago

> It's a problem of the many-distros model for Linux

No, it is not. If you want security you need dependency management and software lifecycle management on all OSes and platforms.

fijiaarone3y ago

Freedom bad.

serf3y ago· 2 in thread

>How many different versions of OpenSSL are running on my laptop right now? Who can say?

but that's a problem, too.

in other words, i'd rather have system breakage than insecurity. That's a personal taste, I admit.

that said, the sandboxing aspect behind 'the new ways' is fantastic.

bandramiOP3y ago

I do love the sandboxing, granted. But "let's just hope the app maintainers keep up with our rolling platform deprecations" is a horrible idea.

AnIdiotOnTheNet3y ago

Why don't you just turny our computer off then? It can't be exploited if it isn't actually running.

Which is to say most people use a computer to run software, so if the software doesn't run the security is pointless anyway.

Sure, if only some software breaks and you can wait for fixes that's a tradeoff, but given that in package maintainer land those fixes could be months or years away...

1 more reply

littlestymaar3y ago· 2 in thread

> How many different versions of OpenSSL are running on my laptop right now? Who can say? That's the beauty of flatpak

And how many of them are critically out of date because the software maintainer didn't update? Who can say? That's the beauty of flatpack (not).

bandramiOP3y ago

I suppose it shouldn't surprise me that the sarcasm of my comment wasn't apparent to everyone.

littlestymaar3y ago

Poe's law strikes again.

goodpoint3y ago· 2 in thread

> if you sweep the problems of software management under a big enough rug, they go away and never bother you again.

...until attackers find a vulnerability in some library, then you are really in trouble.

Just like docker, the bundling of tons of software into opaque blobs is terrible for security.

bandramiOP3y ago

Yeah I didn't realize people would take the joke there seriously. It's basically looking at package management and saying "this is hard so we won't try".

goodpoint3y ago

FWIW personally I detected your sarcasm but I replied knowing that the security risk would fly over people's heads here.

api3y ago

That’s what the whole container revolution was about: “fuck it, we’ll just tar up entire Linux file system images to distribute stuff.”

IncRnd3y ago

Multiple copies of openssl is an problem that updates will hopefully solve.

Multiple versions of openssl is a security problem that merely updating cannot solve.

j / k navigate · click thread line to collapse