this post was submitted on 01 Aug 2024
476 points (97.0% liked)
Technology
59612 readers
2774 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
We-ell, this thread kinda started with saying that we'll see glaring security holes with the same desktop popularity as that of Windows.
Well, then it doesn't require flatpaks and snaps to solve this huge problem, right?
You might have a path where only a certain user has 'w' rights, that's readable by everyone, and software is installed there.
You might use Nix or Guix, which are, while not traditional, still pretty normal package managers without things like bundling dependencies.
So NixOS and GuixSD would be such distributions. Admittedly I've never used them, only Guix in another distribution.
Well, since you've mentioned accessibility, some of us have AuDHD, and while each person is different, for me specifically this means that I can set up CWM or FVWM for X11, but I just can't set up Hikari for Wayland. That is, I had it kinda working, but the anxiety from setting up that and some terminal emulator with hipster XML config and DPI being wrong just made me say "fsck that" and go back. I could have tried Gnome with Wayland, but my X11 setup is more subjectively usable.
OK, I'm not sure, but I think OpenBSD and NetBSD don't run any scripts contained inside packages. They are not Linux ofc.
Yes, you can do that. You can set aliases which will look like whatever at all. How do you solve that "problem"?
OK, I'll make a shortcut here and say that if you think this is a problem, the only real fundamentally sane way to solve it is to disallow privilege elevation, say, after single mode, and boot to that in case you need to do some maintenance.
Any program that you run. Well, or one can forbid aliasing 'sudo' in the shell, of course. But you won't run out of things which can be aliased to something nasty. It will be the same as
rm -rf /
advice evolving torm -rf /*
Yeah, like windows did, for a long time, and from time to time still does.
It pretty much does, yes.
Ok. Not to do with security. Let's not get sidetracked.
I'm not sure about the BSDs, but I'm talking about Linux. And as it stands, the package installation step is a risky process in any distro I've ever seen. You just have to rely that no mistake will ever be made by packagers, nothing will slip past them, and that they manually and thoroughly look through every installation process of every package (which they don't).
It's an unnecessary risk that gets solved by Flatpak (plus a bunch of other security advantages)
I don't know, I'm not a security expert. But it is a problem, and a massive one.
... Or Nix/Guix, or any per-user approach to package installation, or AppImages.
Anyway, I'm not against them completely. For distributing some user applications, and maybe proprietary stuff, they are fine.
We-ell, in basic Unix-like terms you can just do a chroot while unpacking, check that no nasty places are being touched, and then rsync to root. I think some PMs already do just that.
This problem seems inherent to anything Turing-complete.
Nix is not simple, and it always seems to fuck up. AppImages have zero security advantages, they're awful. It doesn't even have sandboxing.
Lmao. Not only would that not even be effective, but that's also a ludicrous suggestion for the average user to do for every app they install. What an absurd suggestion.
Why are you so against having a secure system?
I dunno what you're on, I'm talking about the PM doing this.
I'm against believing in the concept of actually having a secure system.