Security of flatpak runtimes
Jiří Janoušek
janousek.jiri at gmail.com
Wed Apr 5 14:38:20 UTC 2017
So the base of the Freedesktop runtime receives security updates, but
how about extra modules built directly from source? For example, there
have recently been a few security vulnerabilities in GStreamer (fixed
in 1.10.3). Is GStreamer 1.8.3 in the GNOME SDK 3.22 still vulnerable?
On Wed, Apr 5, 2017 at 12:15 PM, Alexander Larsson <alexl at redhat.com> wrote:
> On Wed, 2017-04-05 at 11:00 +0200, Jiří Janoušek wrote:
>> Hello everybody,
>>
>> Since I announced the intention to distribute my app only as flatpak
>> builds, a few users have raised a question about the security of the
>> official Flatpak runtimes (Freedesktop and GNOME). I think it is
>> important because we still cannot rely on the sandbox completely
>> (e.g. because of the insecure design of X11 or other metadata options
>> to make the sandbox weaker). However, I haven't found any information
>> on that topic.
>>
>> - Does anyone track security vulnerabilities in the bundled
>> libraries?
>> - Are security advisories published? Where can my security-conscious
>> users find them? Is there a mailing list or a web page for that?
>> - How are security vulnerabilities in the bundled libraries
>> addressed?
>> Are they addressed in a timely manner?
>
> The core of the freedesktop runtime is based on yocto, which does get
> security updates. When there are updates to the yocto layer we
> generally rebase it and rebuild the dependencies.
>
> However, there is currently no real structure to this. For instance
> there is no mailing list announcement, or really anyone who is
> primarily responsible for this.
>
> I think this is an area where we clearly need some improvement.
>
> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Alexander Larsson Red Hat, Inc
> alexl at redhat.com alexander.larsson at gmail.com
> He's a bookish umbrella-wielding photographer fleeing from a secret
> government programme. She's a strong-willed bisexual museum curator
> married to the Mob. They fight crime!