I always check my flatpak settings post install before running the app and adjust permissions according to need. I mean it does offer more security to me since it’s user installed, I can granularly update permissions and control more or less where and what is can touch.
Alternatives to this are SELinux,AppArmour and firejails which are slightly more inconvenient to use.
To me that is mostly secure,or secure enough.
Well and then there’s some immutable distros which might help overall.
Yeah, you can lock down Flatpaks quite tightly, but you’ll often need to do it manually, and there’s a good chance something breaks. It’s a bit unfortunate that applications don’t come with stricter permissions (and that you can install Flatpaks through any GUI but need to download an external tool to manage their permissions through the GUI…).
If you apply sensible restrictions and the application doesn’t crash, there’s a definite security benefit. Out of the box, though, most applications can touch your ~/.profile because they ask permission for your home directory, and 30 years of Linux tooling isn’t prepared to move from dotfiles in the home directory to a more manageable alternative.
On my Steam Deck Flatpaks have proven to work very reliably. I don’t understand why distros don’t come with a “user mode apt/pacman/dnf” that can install applications from a nornal repository without root access (I guess Nix, maybe?) but Flatpak solves this problem very well.
I always check my flatpak settings post install before running the app and adjust permissions according to need. I mean it does offer more security to me since it’s user installed, I can granularly update permissions and control more or less where and what is can touch.
Alternatives to this are SELinux,AppArmour and firejails which are slightly more inconvenient to use.
To me that is mostly secure,or secure enough.
Well and then there’s some immutable distros which might help overall.
Edit: paragraphs
Yeah, you can lock down Flatpaks quite tightly, but you’ll often need to do it manually, and there’s a good chance something breaks. It’s a bit unfortunate that applications don’t come with stricter permissions (and that you can install Flatpaks through any GUI but need to download an external tool to manage their permissions through the GUI…).
If you apply sensible restrictions and the application doesn’t crash, there’s a definite security benefit. Out of the box, though, most applications can touch your ~/.profile because they ask permission for your home directory, and 30 years of Linux tooling isn’t prepared to move from dotfiles in the home directory to a more manageable alternative.
On my Steam Deck Flatpaks have proven to work very reliably. I don’t understand why distros don’t come with a “user mode apt/pacman/dnf” that can install applications from a nornal repository without root access (I guess Nix, maybe?) but Flatpak solves this problem very well.