How is it any better than flatpaks having full access to your home directory? Yet, one of the points of criticism against flatpak is that it doesn't protect the users home directory.
Now, it's certainly debatable if flatpak could or should push more in that direction, like apple did when they introduced the sandbox for app store applications, but flatpak certainly does not have leverage to the same extend as apple has. So it's up to the app to opt in to a suitable sandbox set. It's a sad state of affairs, but I don't see a viable path for the flatpak folks to change that.
Package managers do not claim sandbox. No claim - no false claim - no accusation.
And it is easy to fix - publish capabilities in the gallery. Apple iOS "request location" shows that people care if they know. Sandbox certainly is a good thing. Without it Flatpak is just another package manager.
> One of Flatpak’s main goals is to increase the security of desktop systems by isolating applications from one another. This is achieved using sandboxing and means that, by default, applications that are run with Flatpak have extremely limited access to the host environment.
It’s better by not depending on yet another component or layer of abstraction. If you had a distribution which would use flatpaks for everything (ie no other packaging system involved), then sure, usual packages probably wouldn’t be any better than flatpaks.
But that’s not the point that is made against flatpaks - the point made in the article is “it allows access to the home directory, so it’s worse.”
Whether flatpaks is better or worse than packages depends on many other factors. Flatpaks allow software providers to package for multiple operating systems in one package, for example. This makes software available that otherwise wouldn’t be. Whether that’s worth it or not is debatable, but raising clearly invalid points to attack flatpaks is disingenuous.
Let’s count the various Linux flavors as different operating systems for this purpose, because they use wildly different package formats. And yes, I’ve installed software for fedora via flatpak that did not have packages for fedora at all or depended on versions of dependencies that the host system did not provide. (Specific python versions and dependencies IIRC)
Indeed. If you're an ISV packaging an application that uses OpenSSL, $DISTRO version N and $DISTRO version N+1 can easily be different OSes because they ship different incompatible OpenSSL versions, so what you do is provide a .deb/.rpm/.tar.gz that bundles a statically linked OpenSSL.
Now, it's certainly debatable if flatpak could or should push more in that direction, like apple did when they introduced the sandbox for app store applications, but flatpak certainly does not have leverage to the same extend as apple has. So it's up to the app to opt in to a suitable sandbox set. It's a sad state of affairs, but I don't see a viable path for the flatpak folks to change that.