Security repercussions of allowing ~/.local/share/flatpak
TheEvilSkeleton
theevilskeleton at riseup.net
Mon Feb 21 21:52:19 UTC 2022
Hello,
I have recently opened a merge request (MR) in the appstream-glib
<https://github.com/flathub/org.freedesktop.appstream-glib/pull/14>
repository to allow read-write access to *~/.local/share/flatpak*,
where all Flatpak applications are installed as a user. This is because
I wanted to check whether an application had a valid appstream file
after install.
The reason of submitting this MR, as pointed out in the MR, I couldn't
run appstream-glib in said directory because *filesystem=host* excludes
the install directory, so I went ahead and explicitly added this
directory so I can run this application inside that directory. However,
the maintainer of the application, hughsie, is unsure about this MR and
would like to know about the security repercussions of allowing this
directory explicitly. In my opinion, for an application like
appstream-glib, there shouldn't be much of an issue, but I'll see what
the members have to say.
Thanks,
TheEvilSkeleton
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/flatpak/attachments/20220221/48874392/attachment.htm>
More information about the Flatpak
mailing list