Security of flatpak runtimes
Alexander Larsson
alexl at redhat.com
Wed Apr 5 10:15:03 UTC 2017
On Wed, 2017-04-05 at 11:00 +0200, Jiří Janoušek wrote:
> Hello everybody,
>
> Since I announced the intention to distribute my app only as flatpak
> builds, a few users have raised a question about the security of the
> official Flatpak runtimes (Freedesktop and GNOME). I think it is
> important because we still cannot rely on the sandbox completely
> (e.g. because of the insecure design of X11 or other metadata options to
> make the sandbox weaker). However, I haven't found any information on
> that topic.
>
> - Does anyone track security vulnerabilities in the bundled
> libraries?
> - Are security advisories published? Where can my security-conscious
> users find them? Is there a mailing list or a web page for that?
> - How are security vulnerabilities in the bundled libraries
> addressed?
> Are they addressed in a timely manner?
The core of the freedesktop runtime is based on yocto, which does get
security updates. When there are updates to the yocto layer we
generally rebase it and rebuild the dependencies.
However, there is currently no real structure to this. For instance,
there is no mailing list announcement, nor really anyone who is
primarily responsible for this.
I think this is an area where we clearly need some improvement.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Alexander Larsson Red Hat, Inc
alexl at redhat.com alexander.larsson at gmail.com
He's a bookish umbrella-wielding photographer fleeing from a secret
government programme. She's a strong-willed bisexual museum curator
married to the Mob. They fight crime!