Imagine your friend that does not know anything about linux, don’t you think this would make them not install the firefox flatpak and potentially think that linux is unsafe?
I ask this because I believe we must be careful and make small changes to welcome new users in the future, we have to make them as much comfortable as possible when experimenting with a new O.S
I believe this warning could have a less alarming design, saying something like “This app can use elevated permissions. What does this mean?” with the “What does this mean?” text as a clickable URL that shows the user that this may cause security risks. I mean, is kind of a contradiction to have “verified” on the app and a red warning saying “Potentially unsafe”, the user will think “well, should I trust this or not??”
If you use Debian-based linux (Ubuntu, Minut, others), Mozilla recommends getting the package directly from their respository rather than flatpak or other repos.
Personally, I saw a major performance increase on my low-powered laptop when I switched from flatpak to the Mozilla package.
That’s nice, I think I’ll switch from Firefox ESR on Debian!
I’ve tried both on my low powered HTPC and came to the same conclusion - especially noticeable where video acceleration is concerned
To be fair, the fact that browsers are allowed to do so much that this warning has to be shown is more an indictment on the current state of browsers (which at this point are almost like installing VMWare and a virtual machine on your computer!) than on something something Firefox or something something Flatpak.
I mean yes, how exactly would you want the web to work? In order for it to be secure we need website code to run in an isolated environment. Modern web browsers have gotten pretty good at this.
Though we say it’s a JavaScript Virtual Machine it’s not the kind of virtual machine you are thinking of. It just means it’s being interpreted in a certain environment rather than compiles code running natively. It’s not like a whole OS. Running a web browser in a Virtual Machine is unironically a method to improve security; checkout Qubes OS for an example.
Also the permissions it’s asking for aren’t that serious. Basically GPU access and download folder access.
I mean yes, how exactly would you want the web to work?
Text and images and hyperlinks; maybe audio and video if you’re lucky and you can prove you can be trusted. No such thing as scripting, or if it’s allowed, only in a limited manner with no such thing as “eval” and obfuscation and no ability to add or delete nodes from the DOM (or if it’s allowed, those nodes must reflect under View Source / CTRL+U). No such things as loading a javascript audioplayer that tries to mix 123456 weird sources, just link me the .m3u direct to the audio stream’s .mp3 file, or even better an .opus.
Definitively no DRM.
If any such thing as GPU access is provided it should be to deposit data, not to run code.
Text and images and hyperlinks; maybe audio and video if you’re lucky and you can prove you can be trusted.
Those things still require a GPU to render efficiently.
All the other stuff you talk about don’t need a GPU or really any systems permissions at all. So even if the web changes to your twisted view the flatpak would still require the same permissions. All you’ve just proven is that you don’t understand technology.
If any such thing as GPU access is provided it should be to deposit data, not to run code.
You don’t know what a GPU is apparently. Regardless the same access is needed for both.
Also you use Lemmy, which requires scripting. Pretty much every online game, shopping website, calculator, and so on require scripting of some kind. Scripting isn’t just for bad things like tracking. It makes a lot of cool stuff possible, that you doubtlessly use everyday. As a plus it’s generally more secure to use a web app than have a myriad of different programs or applets replace all these different things, as websites are sandboxed. There is a reason JavaScript replaced Flash and Java applets.
You’re confusing a technology problem with a society/capitalism problem.
Yes, but also… It’s true. Browsers are the number one way folks get viruses.
Which is hilarious because desktop apps have always had the capability to spy on all other apps and steal all your data.
On bad operating systems like Linux, yes. ;)
You’re thinking of operating systems that give unrestricted access to all parts of a computer that aren’t memory or the camera. That would everything1, actually.
1 There’s also Linux with properly-configured SELinux, but good luck with that on a distro that isn’t focused on opsec.
Fedora has pretty good SELinux configured out of the box, and isn’t focused on opsec. It’s just sane defaults and proper limitations to access. It also switched to Walyand-by-default this release, completely removing X11 from the default packages, which mitigates many of the “app spying on other app” scenarios that a previous user in the thread was talking about. That’s not to say that Fedora is the pinnacle of Linux security or anything, but it comes with pretty good defaults for the average user. You’d have to get into kernel hardening and deep into SELinux to do better as an end user, which is not something that most users are inclined to spend time or energy on.
So in other words, I’m thinking of Linux
If you’re willing to admit that you’re denigrating an operating system for having the same flaws as the one you prefer and are being a massive hypocrite in doing so, sure.
You’ve lost me on this one. No idea what you mean. But either way, I think you should take my comment just a bit less seriously.
Actually, Windows has implemented quite a few tricks to make this very difficult without setting off antivirus engines at least. X11’s security model is absolute trash compared to Windows Vista and above. Linux is getting safer with Wayland, but Linux on the desktop hasn’t had the XP SP1 security humiliation that Windows had so almost all of it is opt-in.
Solving the issues Windows has already solved with things like integrity levels will break compatibility with many applications (it also did on Windows, which is why Vista made you run everything as admin) but simply enabling the Flatpak sandbox can solve many problems already.
I wonder if there’s a desktop distro out there that enforces sandboxed applications by default. It would make running Linux a lot less risky.
Windows has implemented quite a few tricks to make this very difficult without setting off antivirus engines
That’s funny because we have been shipping a commercial Windows app since XP that is keylogger-based using SetWindowsHookEx, and it has only tripped users’ antivirus maybe 1 or 2 times in 20 years.
I wonder if there’s a desktop distro out there that enforces sandboxed applications by default.
EasyOS is the first distro I’ve seen that at least runs every app as its own user by default, similar to Android.
It’s not specific to browsers, but to every flatpak that is verified and has the potentially unsafe warning.
“Verified” doesn’t mean too much to privacy advocates. There have been incidents. I indeed want to check what my app is going to access before installing it.
I think it’s okay to check what the app is going to access in your system. I’m just talking about the warning design, this comment suggests a different approach for a less alarming design.
Ah, very good point! If we all had the dedication for UX like you do, Linux would be so so so perfect.
They should be worried. We don’t want them comfortable.
So many negative things have entered our culture bc people don’t care about dangers. Nearly every app should have a warning
Nearly every app should have a warning
No. If you put a warning on every app (except for the most trivial ones that don’t actually do anything useful) then the warnings mean nothing. The become something more than ass-covering legal(ish) BS.
Apps could start improving to remove the warnings…
What do you mean by “improving”? This alarming warning appears because Firefox requires permissions. Let us look at the permissions listed there:
- “User device access”. From the docs, I’d say the browser needs it for rendering?
- “Download folder read/write access”. This one is obvious - the files you download with your browser go there.
- “Can access some specific files”. This one, I’ll admit, is a bit cryptic - what files does it need to access? But this one is on Flatpak for making the permission so general.
App permissions should not be about “this app cannot be trusted because it asks for scary scary permissions”. They should be about “take a look at the list of permissions the app requests and determine whether or not it make sense for such an app to need such permissions”.
To 1.:
driinstead ofallwould handle hardware-accelerated rendering. Then some webcams or controllers won’t be accessible though. This one’s a bit complicated, since the necessary portals for e.g. generic USB device access aren’t yet there.To 2.: portals should be used instead of that. Using them doesn’t require these permissions.
To 3.: click on details and see. This is Flathub making it easy to understand for users.
Permissions should make clear whatever dangerous things an app can do. If not, why do all this effort of isolation? Firefox could delete everything in downloads, either by accident on Mozilla’s side, or a privilege escalation. If the app used portals instead, it couldn’t, at least without user interaction. Or a browser security vulnerability could open up any USB devices to webpages. It’s all about what could happen with granted permissions. And these can 100 % be fixed in at least some way.
If “nearly every app” that people already use suddenly has a big warning on it, people will quickly decide the warnings are meaningless and start ignoring them, like Prop 65 warnings. Congratulations, we’ve moved the needle backwards.
You have to meet people where they’re at. I finally switched to Linux when MS introduced a feature I wanted no part in (Recall AI), but I would have given up within a day or two if the transition hadn’t been basically seamless. I was able to pick up right where I left off, using all the same apps I did on Windows
except MusicBee RIP, but now I’m in a better position than before, on an open-source OS instead of closed-source. Now there’s a little less friction between me and better, freer software.prop 65 warnings are indeed useless
They should not be worried, they should be educated.
If you worry a new user enough they’ll go back to Windows or Apple because there’s less scary warnings there.
We need to make the transition as pain free as possible. Learning about the joys of kernel compilation and SELinux can come later.
The first step is "Hey, this is as usable as Windows, without stupid ads in the start menu.Nearly every app should have a warning
So it would be how in the US half of all products have a warning saying they cause cancer thanks to California proposition 65? No thanks.
What does ‘user device access’ mean?
Clicking the potentially unsafe item lists the exact permissions.
It can access hardware devices, like your webcam or game controller. Likely --device=all in flatpak speak but I haven’t looked.
Maybe access to connected devices (e.g. your computer components or the phone you have plugged in to your computer)
Good.
People need to view out of channel software with a hairy eyeball.
Hell, I run Debian all over and it’s absurd that the main repositories don’t do checksums on downloaded packages!
WAIT THEY DON’T ???
yeah apt just trusts the server if it properly identifies itself
the barrier to entry for attacking that seems pretty high though
if that freaks you out, switch to a rhel derivative, they got a shiny progress bar
Interesting, but switching will be difficult, unfortunately…
Thanks for the info
I think it’s absurd that most distros have no tools whatsoever for doing regular checksums of their own files. Windows certainly got that part right IMO.
I’m double checking this myself now, but there are plenty of tools (debsum) they’re just not part of the default implementation as of last time I looked.
Right, I’m talking about like periodic or real-time scanning and alerting, which DISM/SFC on windows does.
i’m almost 100% that debsums on apt stuff and the --verify flag in rpm distros do what sfc did. (kinda, debsums and --verify check against a list of checksums from the repo, i’m pretty sure sfc cracks open an actual known version of the files and compares em with whats on disk)
idk what dism does.
Users should be afraid of the malware that is default firefox. Why do you think so many people use forks?
Would you mind explaining?
Telemetry you can’t easily disable (requires modifying about:config, can change on update), Glean (nastier than anything in chrome), DoH to cloudflare, pocket (adware), Anonym.
https://www.jwz.org/blog/2024/06/mozillas-original-sin/ mozilla “saving the web”. If you want to save the web, use something like qutebrowser, luakit, or falkon with drm compiled out.
https://www.jwz.org/blog/2024/06/mozilla-is-an-advertising-company-now/
as opposed to chrome?
Chrome being worse than Firefox doesn’t make Firefox’s default telemetry, adware, and DoH to cloudflare good. When the bar is Chrome, essentially any browser passes.
Completely agree. Training normies to click OK on warnings like this is a no-good terrible idea.
They shouldn’t click on on this tho
Training users to click on this shit is the same reason people wipe their desktop by ignoring “Yes I know what I am doing” warnings.
someone is not a fan of LTT
Yesss! It’s too aggressive
Pushing someone new to Linux to use Flatpak? Shame on you.
Huh? Flatpaks are great and there’s no real reason why they’d be unsuitable for a new user.
Many flatpaks are not aware of their sandbox and thus have a bad ux.
E.g. flatpak Steam can’t access SteamLibraries at a non-default location, unless the user manually allows the path through flatseal. The same is true for other similar apps which don’t use the file portal.
Issues like this are unexpected for new users and thus it can be argued that flatpak aren’t a good recommendation for new users. I personally disagree because most flatpak work flawlessly and work everywhere independent of a users distro.
Flatpak is one extra step. If apt or rpm already has what you want, which is true for many new users, why would we push them towards scary click thru action?
isn’t flatpak by definition relying on a second software source, hence 2x as much risk as relying on a single source (your OS repo)?
A distro has thousands of independent sources. No your distro doesn’t audit them all, barely any.
“barely any” is neither entirely accurate, nor does it excuse the use of flatpaks.
deleted by creator
How much sandboxing is your distro generally doing?
beyond root processes, none that I am aware of. Hence I configured all my internet applications and steam to run in a jail :) firejail & bubblewrap come as native packages, unlike the flatpak contents
In short, no
I’m a firm believer that regardless of operating system that a warning message saying that installing something could cause harm to your device definitely makes people think twice about installation if they’re not tech savvy (AKA know more than the bare minimum anymore). It’s definitely intentional that the large companies responsible scare you away from doing the things you want because they want you locked into doing things the way they want.
To be fair, if a naive user is going to get a virus, there’s a very high chance a browser will be involved.
Just reminding folks that just because it’s flatpak’d, doesn’t mean it’s sandboxed. But they probably should add some general click here for more info.
