Yeah, you can lock down Flatpaks quite tightly, but you’ll often need to do it manually, and there’s a good chance something breaks. It’s a bit unfortunate that applications don’t come with stricter permissions (and that you can install Flatpaks through any GUI but need to download an external tool to manage their permissions through the GUI…).
If you apply sensible restrictions and the application doesn’t crash, there’s a definite security benefit. Out of the box, though, most applications can touch your ~/.profile because they ask permission for your home directory, and 30 years of Linux tooling isn’t prepared to move from dotfiles in the home directory to a more manageable alternative.
On my Steam Deck Flatpaks have proven to work very reliably. I don’t understand why distros don’t come with a “user mode apt/pacman/dnf” that can install applications from a nornal repository without root access (I guess Nix, maybe?) but Flatpak solves this problem very well.
Yeah, you can lock down Flatpaks quite tightly, but you’ll often need to do it manually, and there’s a good chance something breaks. It’s a bit unfortunate that applications don’t come with stricter permissions (and that you can install Flatpaks through any GUI but need to download an external tool to manage their permissions through the GUI…).
If you apply sensible restrictions and the application doesn’t crash, there’s a definite security benefit. Out of the box, though, most applications can touch your ~/.profile because they ask permission for your home directory, and 30 years of Linux tooling isn’t prepared to move from dotfiles in the home directory to a more manageable alternative.
On my Steam Deck Flatpaks have proven to work very reliably. I don’t understand why distros don’t come with a “user mode apt/pacman/dnf” that can install applications from a nornal repository without root access (I guess Nix, maybe?) but Flatpak solves this problem very well.