On one hand, flathub seems like a great source of software for some cases. flathub’s own sandboxing capabilities, even if limited forever, could be disregarded for that use case.
On the other hand, however, flathub’s own sandboxing capabilities interfere with other sandboxing initiatives, namely sandbox-app-launcher. Reference sandbox-app-launcher:
Could we request a feature from flathub to disable its own sandboxing to make it compatible with other sandboxing mechanisms such as sandbox-app-launcher?
Hello,

Bug #977758 in bubblewrap reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

Stop making /usr/bin/bwrap setuid root (245de437) · Commits · Debian / bubblewrap · GitLab

------------------------------------------------------------------------
Stop making /usr/bin/bwrap setuid root

With Debian kernels >= 5.10, this is no longer necessary: unprivileged users can now create user namespaces, the same as in upstream kernels and Ubuntu.

For smooth upgrades, install a sysctl configuration fragment that will configure older kernels to behave similarly if the recommended procps package is installed.

Closes: #977758
Closes: #977841
------------------------------------------------------------------------

(this message was generated automatically)

– Greetings
https://bugs.debian.org/977758
Incompatibility of anything by merely installing sandbox-app-launcher without using it seems very unlikely at this point. All the sandbox-app-launcher package does is pull in a few dependencies (at the time of writing: sudo, bubblewrap, apparmor, libseccomp-dev, helper-scripts, dbus-x11), which by themselves don’t do anything. Just extra files on the disk which remain dormant unless used by starting these / configuring these. sandbox-app-launcher is essentially a wrapper around bubblewrap.
Yes. Ideally we could start a flatpak application through sandbox-app-launcher. I.e.
sandbox-app-launcher flatpak run org.org.Applicationname
Quote from this ticket:
No, the sandbox isn’t optional. You can only poke holes in it.
Extrepo may be a better alternative here. They have all the major browser repos in their curated list including the Chromium privacy fork Iridium and also a Torproject repo - which I haven’t checked yet but may be a more direct way to obtain newer TBB releases.
I am not sure it’s worth rehashing the years old Gentoo stuff. Ideally any security argument against FlatPak could stay on itself without needing to refer to Gentoo anything.
Yeah, so this is not suitable to be taken as a source of software until they fix this issue. (That’s why I linked it to Gentoo, because of the similar issue in the package manager.)
Indefinite freeze attacks. An attacker continues to present to a software update system files that the client has already seen. As a result, the client is kept unaware of new files.
This attack is difficult to pull off for many adversaries since it requires breaking TLS. While flatpak package version information is not protected by a valid-until field[archive], it is fetched over TLS. Even if an adversary could break TLS, this would be less of an issue for torified connections (such as by Whonix ™), since the adversary could not mount a targeted indefinite freeze attack against a specific user, only against all Tor users, which would likely be caught, unless the adversary also has the ability to break Tor. The attack chain would be very complex: break Tor → target specific user(s) → break TLS → mount indefinite freeze attack → exploit a vulnerability in the outdated software version that the indefinite freeze attack caused.
To work around this issue, users would have to manually check whether the version numbers of their flatpak-installed applications match the version numbers available from the flathub repository. Every application available from flathub has a corresponding web page with a chapter Additional information containing the entries Updated and Version. For example, for Chromium there is the org.chromium.Chromium flathub website[archive], which at the time of writing this wiki chapter showed: Updated December 23, 2020, Version 87.0.4280.88-1. Since researching version information on the flathub website is equally vulnerable to indefinite freeze attacks as the flathub package manager itself (both rely on TLS), it is recommended to use Whonix ™ or Tor Browser for this purpose. [35]
Sometimes versions available through APT are too old, even with known vulnerabilities being exploited in the wild, for a long time. (example) On the other hand, flatpak most of the time offers more recent software versions and/or deploys security fixes in a more timely manner.
Due to the complex attack chain, the advantages of flatpak outweigh the severity of potential indefinite freeze attacks, since flatpak is sometimes the only trustworthy, easy-to-use source of software (or of newer versions) than what Debian stable (with Frozen Packages) (or newer) offers.
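The manual version comparison described in the wiki chapter above can be scripted. The following is an added example, not tooling from the Whonix wiki or the flatpak project: it takes the installed versions as printed by `flatpak list --app --columns=application,version` and the versions read from each application’s flathub.org page, and reports any application that is behind what flathub publishes, which is what an indefinite freeze attack would look like from the client side. Both data sets below are constructed samples (the Chromium entry matches the version the wiki quotes; the VLC entry is deliberately missing from the published list to show the UNKNOWN case). The script assumes GNU `sort -V` for version ordering, as on Debian and derivatives.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki or this thread): detect a possible
# indefinite freeze attack by comparing the versions flatpak reports as
# installed with the versions published on each app's flathub.org page.
# For a real check, replace INSTALLED with the output of
#     flatpak list --app --columns=application,version
# and PUBLISHED with the "Version" entries read from flathub.org (over Tor).

# Constructed sample of `flatpak list --app --columns=application,version`
# output. Real output is tab-separated; tabs and spaces both work below.
INSTALLED='org.chromium.Chromium 87.0.4280.66
org.mozilla.firefox 84.0.2
org.videolan.VLC 3.0.12'

# Constructed sample of versions read from the flathub web pages. The
# Chromium line is the version the wiki chapter quotes; VLC is left out.
PUBLISHED='org.chromium.Chromium 87.0.4280.88-1
org.mozilla.firefox 84.0.2'

# version_lt A B: succeed when version A sorts strictly before version B in
# natural version order (GNU `sort -V`; assumed available).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# published_version APP: print the flathub version recorded for APP, or
# nothing if APP is not in PUBLISHED.
published_version() {
    printf '%s\n' "$PUBLISHED" | awk -F '[ \t]+' -v app="$1" '$1 == app { print $2 }'
}

# freeze_status APP INSTALLED_VER: print one of
#   ok       installed version is at least the published one
#   STALE    flathub lists something newer: update, or suspect a freeze
#   UNKNOWN  no published version recorded for APP, so nothing to compare
freeze_status() {
    pub="$(published_version "$1")"
    if [ -z "$pub" ]; then
        echo UNKNOWN
    elif version_lt "$2" "$pub"; then
        echo STALE
    else
        echo ok
    fi
}

# check_all: print one report line per installed app; return 1 if any app
# is STALE, 0 otherwise.
check_all() {
    rc=0
    # A here-document (not a pipe) keeps the loop in the current shell, so
    # the rc assignment inside it is visible after the loop.
    while read -r app ver; do
        [ -n "$app" ] || continue
        status="$(freeze_status "$app" "$ver")"
        printf '%-24s %-16s %s\n' "$app" "$ver" "$status"
        if [ "$status" = STALE ]; then rc=1; fi
    done <<EOF
$INSTALLED
EOF
    return "$rc"
}

check_all || echo 'WARNING: at least one app is behind flathub (update, or suspect a freeze)' >&2
```

With the constructed data the report marks org.chromium.Chromium as STALE, org.mozilla.firefox as ok and org.videolan.VLC as UNKNOWN, and the warning is printed. A STALE result is not proof of an attack; it is the cue to run `flatpak update` and, if the update is not offered, to treat the update channel as suspect.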
Should flatpak be installed by default on Whonix-Gateway? Usefulness? Some future hypothetical situation where flatpak might be useful to get a newer Tor version?
flatpak has quite a few more dependencies than extrepo.
sudo apt install flatpak
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
The following additional packages will be installed:
fuse gnome-desktop3-data libappstream-glib8 libavahi-glib1 libgnome-desktop-3-19 libmalcontent-0-0 libostree-1-1 libpipewire-0.3-0 libpipewire-0.3-modules libspa-0.2-modules libstemmer0d
libxkbregistry0 p11-kit p11-kit-modules pipewire pipewire-bin xdg-desktop-portal xdg-desktop-portal-gtk
Suggested packages:
avahi-daemon malcontent-gui accountsservice evince
The following NEW packages will be installed:
flatpak fuse gnome-desktop3-data libappstream-glib8 libavahi-glib1 libgnome-desktop-3-19 libmalcontent-0-0 libostree-1-1 libpipewire-0.3-0 libpipewire-0.3-modules libspa-0.2-modules
libstemmer0d libxkbregistry0 p11-kit p11-kit-modules pipewire pipewire-bin xdg-desktop-portal xdg-desktop-portal-gtk
0 upgraded, 19 newly installed, 0 to remove and 1 not upgraded.
Need to get 3,438 kB/4,721 kB of archives.
After this operation, 23.5 MB of additional disk space will be used.
Do you want to continue? [Y/n]
sudo apt install --no-install-recommends flatpak
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
The following additional packages will be installed:
libappstream-glib8 libavahi-glib1 libmalcontent-0-0 libostree-1-1 libstemmer0d
Suggested packages:
avahi-daemon malcontent-gui
Recommended packages:
p11-kit xdg-desktop-portal xdg-desktop-portal-gtk | xdg-desktop-portal-backend
The following NEW packages will be installed:
flatpak libappstream-glib8 libavahi-glib1 libmalcontent-0-0 libostree-1-1 libstemmer0d
0 upgraded, 6 newly installed, 0 to remove and 1 not upgraded.
Need to get 642 kB/1,925 kB of archives.
After this operation, 9,062 kB of additional disk space will be used.
Do you want to continue? [Y/n]
I didn’t check yet which of the Recommends: would actually be useful, but it is already useful for me without them.