Security of flatpak runtimes

Simon McVittie smcv at collabora.com
Wed Apr 5 11:55:58 UTC 2017


On Wed, 05 Apr 2017 at 12:15:03 +0200, Alexander Larsson wrote:
> On Wed, 2017-04-05 at 11:00 +0200, Jiří Janoušek wrote:
> > - Does anyone track security vulnerabilities in the bundled
> > libraries?
> 
> The core of the freedesktop runtime is based on yocto, which does get
> security updates. When there are updates to the yocto layer we
> generally rebase it and rebuild the dependencies.
> 
> However, there is currently no real structure to this. For instance
> there is no mailing list announcement, or really anyone who is
> primarily responsible for this.

Something I have thought about, but not had time to implement yet,
is using a long-term-supported distribution as a base for runtimes.
It seems a little wasteful to be (essentially) inventing a small Linux
distribution for the freedesktop.org and GNOME runtimes, and building
them from first principles, when that's what distributions already do :-)

I think Debian stable would be an excellent choice: it's a community
distribution, not controlled by a single commercial vendor (unlike
RHEL, Ubuntu LTS, SLED etc.), but has a large enough community that it
isn't going away any time soon (with indirect corporate backing via
paying people to contribute).

stable gets backported security updates for several years and is a popular
choice as a base for e.g. Docker images, and Debian is the distribution
where the "reproducible builds" effort originated. I realise I could be
accused of being biased towards Debian because I'm a Debian developer,
but the causality is really the other way round: I'm a Debian developer
because I like those properties of the distribution.

Debian stable's 2ish year release cycle will often leave it somewhat
outdated when compared with the current runtimes, but in a way that's
a strength: a slower release cycle means fewer versions to support
simultaneously.

A hybrid approach that might work well would be to have some
stable-based runtimes that are recommended for vendors with no special
requirements (games and other ISVs) - the same sort of environment where
Valve's Steam Runtime (basically Ubuntu 12.04) is considered acceptable.
For packages that really need the latest GNOME/KDE/etc. libraries, one
possibility would be to base the runtime on a small Debian system and
toolchain (essentially replacing the current use of Yocto), and use
flatpak-builder to build a newer GNOME stack from source on top of that.

    S
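The hybrid layout sketched in the last paragraph above (a small Debian-based runtime and toolchain, with a newer GNOME stack built from source on top by flatpak-builder), as an added flatpak-builder manifest sketch. This is not code from the original message or from any flatpak, GNOME or Debian project: the runtime ids org.example.DebianBase.Platform/Sdk and org.example.GnomeStack.Platform, the branch names, and the checksum placeholder are assumptions, and only GLib is listed where a real stack would chain many modules in dependency order.

```json
{
  "id": "org.example.GnomeStack.Platform",
  "branch": "3.24",
  "runtime": "org.example.DebianBase.Platform",
  "runtime-version": "stable",
  "sdk": "org.example.DebianBase.Sdk",
  "build-runtime": true,
  "modules": [
    {
      "name": "glib",
      "buildsystem": "autotools",
      "config-opts": ["--disable-static"],
      "sources": [
        {
          "type": "archive",
          "url": "https://download.gnome.org/sources/glib/2.52/glib-2.52.0.tar.xz",
          "sha256": "<sha256 of the tarball, taken from the GNOME release announcement>"
        }
      ]
    }
  ],
  "cleanup": ["/include", "/lib/pkgconfig", "/share/gtk-doc", "*.la"]
}
```

With "build-runtime": true, flatpak-builder starts the new runtime's /usr from a copy of the named SDK (here the hypothetical Debian-based one) rather than producing an application, installs each module into it, and then applies "cleanup" so the result is a Platform without headers and .la files. Security updates to the base then arrive by rebuilding against a refreshed org.example.DebianBase.Sdk, while the GNOME modules are pinned by their tarball checksums, so anyone auditing what is in the runtime can check the base against the distribution's security tracker and the rest against the listed sources.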



More information about the xdg-app mailing list