Expand security information section.
- What is Flatpak?
- Security Warning Note
- Installing Flatpak
- External Links
What is Flatpak?
Flatpak makes it possible for users to install sandboxed applications on Linux distributions in a way that is decoupled from the underlying operating system. It gives application developers control over their own release schedule and the opportunity to publish new versions and updates without having to depend on a distribution's lifecycle.
The Flatpak system (previously known as xdg-app) combines OSTree, which is used to distribute and deduplicate application and runtime content, with Linux sandboxing facilities (namespaces, cgroups and seccomp, set up by the bubblewrap helper) so that the same package runs on any distribution. The sandbox isolates Flatpak applications from each other and from the rest of the system, which is a security benefit compared with downloading and installing unrestricted packages on your machine; how much isolation you actually get depends on the permissions each application requests.
It has a concept of runtimes that applications can target to get a reliable and stable platform, independent of the underlying distribution. With runtimes, application developers can focus on their core work without needing to package lower-level components and libraries, while retaining control over their packaging and release cycle.
Security Warning Note
Installing third-party applications can be a security risk. Getting your applications from a central, curated source like Flathub reduces that risk but does not remove it, and it is also worth running such applications under a Wayland session: Wayland isolates graphical clients from each other, whereas under X any client can observe the input and window contents of every other client, so an X11 application is only as sandboxed as the rest of your desktop.
What are the risks and how does using something like Flatpak compare with software packaged and shipped by Debian directly? The primary difference is that in Debian, libraries are individually packaged, and applications that link to those libraries to use the functionality they provide express a package dependency on the libraries they need. This means that if any particular library is found to have a security vulnerability or other critical flaw, that library can generally be corrected without having to repackage the applications using it.
With application container mechanisms like Flatpak or Snap, however, required libraries are included in the archive with the application itself. While this is typically done as a convenience, such that the application can run anywhere regardless of whether or not the host operating system packages the needed versions of the libraries, it means that the included libraries, specific to that application, no longer benefit from the efforts of the operating system's security team. If an included library has a vulnerability, not only will that no longer be addressed by updating the operating system's copy of that library, but you might not know there's a vulnerability given a lack of tooling to inspect and audit applications packaged in this way.
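The sandbox permissions are one thing you can audit with the tooling that does exist. The following POSIX shell script is an added example written for this page (it is not code from the Debian wiki or from the Flatpak project): it reads the keyfile printed by flatpak info --show-permissions APP and flags the permissions that undo most of the isolation, namely host or home filesystem access, the X11 socket, unfiltered D-Bus sockets, raw device access, and talk access to the org.freedesktop.Flatpak service, which lets the application run commands outside the sandbox by design. The sample keyfile embedded in the script is constructed for illustration, and audit_app and audit_all are helper names chosen here, not flatpak subcommands.

```shell
#!/bin/sh
# Added example for this page; not part of the Flatpak project or of Debian.
# Reads the keyfile that `flatpak info --show-permissions APP` prints and
# lists the permissions that weaken the sandbox.

# audit_permissions: read a permissions keyfile on stdin, print one finding per line.
audit_permissions() {
    awk '
    /^\[/ { section = $0; next }
    section == "[Context]" {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1)
        n = split(substr($0, eq + 1), vals, ";")
        for (i = 1; i <= n; i++) {
            v = vals[i]
            sub(/:.*$/, "", v)        # drop :ro / :rw / :create suffixes
            if (v == "") continue
            if (key == "filesystems" && (v == "host" || v == "home" || v ~ /^~/ || substr(v, 1, 1) == "/"))
                print "filesystem: " v " (application can read what you keep there)"
            else if (key == "sockets" && v == "x11")
                print "socket: x11 (X clients are not isolated from each other)"
            else if (key == "sockets" && (v == "session-bus" || v == "system-bus"))
                print "socket: " v " (unfiltered D-Bus access)"
            else if (key == "devices" && v == "all")
                print "devices: all (raw access to every device node)"
        }
    }
    section == "[Session Bus Policy]" || section == "[System Bus Policy]" {
        eq = index($0, "="); if (eq == 0) next
        name = substr($0, 1, eq - 1); policy = substr($0, eq + 1)
        if (name == "org.freedesktop.Flatpak" && (policy == "talk" || policy == "own"))
            print "dbus: " name "=" policy " (can spawn commands on the host; sandbox escape by design)"
    }
    '
}

# audit_app: audit one installed application by ID (needs the flatpak tool).
audit_app() {
    flatpak info --show-permissions "$1" | audit_permissions
}

# audit_all: audit every installed application, system-wide and per-user (needs flatpak).
audit_all() {
    flatpak list --app --columns=application | while read -r app; do
        findings=$(flatpak info --show-permissions "$app" | audit_permissions)
        if [ -n "$findings" ]; then
            printf '%s\n%s\n\n' "$app" "$findings"
        fi
    done
}

# Constructed sample in the format of `flatpak info --show-permissions`
# (made up for this example; not the permissions of any real application).
SAMPLE_PERMISSIONS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=xdg-download;home:ro;/media;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
'

# Demo on the sample; on a real system call audit_all or audit_app org.example.App instead.
printf '%s' "$SAMPLE_PERMISSIONS" | audit_permissions
```

On the sample this reports the read-only home access, the /media path, the X11 socket and the org.freedesktop.Flatpak talk permission, and stays silent for network, Wayland, PulseAudio and the notification service. It says nothing about the libraries bundled in each application, which still have to be inspected by hand (for instance by listing /app/lib from a shell inside the sandbox), but it does tell you which applications have a sandbox worth relying on.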
In addition to the inherent issues with inspectability and auditability, there have been specific flaws noted that may be of concern.
With Graphical Interface Support
- In GNOME
- In KDE Plasma
Starting with Debian 10 (buster), Plasma Discover supports Flatpaks through the plasma-discover-backend-flatpak plugin. It can be installed by searching for "discover flatpak" directly in Discover, or via the package manager.
Once this setup is done, you’ll be able to navigate to a software repository such as Flathub and install applications directly from there.
Clicking on the download icon next to the application name will launch the installation. Your web browser should open a pop-up offering to open the file with the program "Install application" or similar.
For the Command Line
Once the flatpak package is installed, you will probably want to add the common Flathub repository:
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
Then you’ll be able to install applications by calling ($APP is the application name):
flatpak install flathub $APP
Users can install Flatpak applications on a per-user basis with the --user option:
flatpak --user install ...
Once installed, an application can be run with:
flatpak run $app_id
where $app_id is the application's ID, such as org.gnome.Recipes (the value shown in the Application column of flatpak list), not the name of the repository it came from.
Example: install the current stable version of gnome-recipes directly from its .flatpakref file (note that this may sometimes be a beta version), then run it:
flatpak install --from https://git.gnome.org/browse/recipes/plain/flatpak/gnome-recipes.flatpakref
flatpak run org.gnome.Recipes
In newer versions of flatpak (buster and above), the binaries are also exported to a special directory, which can be added to your PATH variable:
echo 'export PATH=$PATH:/var/lib/flatpak/exports/bin' >> ~/.bashrc
For applications installed with --user, the corresponding directory is ~/.local/share/flatpak/exports/bin.
The exported names are the application IDs rather than the names of the binaries inside the packages, for instance "org.mozilla.firefox" rather than "firefox".
You can run other commands contained in the package by using the --command argument; for example, to get a shell inside the GnuCash flatpak, run
flatpak run --command bash org.gnucash.GnuCash
Having launched this bash instance inside the sandbox, you can run the packaged command line tools, such as aqbanking-cli in the case of GnuCash.
See Flatpak/Applications/Command Line for more.
I get a "Not found org.gnome.Platform/x86_64/3.24" error message when trying to install an application
Unlike the flatpak command line interface, the GNOME Software Flatpak plugin currently doesn't automatically install runtimes. Before installing applications, you'll have to first install the necessary runtimes manually.
You may need to add the remote repository for installing both the GNOME SDK and runtime with the following command:
flatpak remote-add --from gnome https://sdk.gnome.org/gnome.flatpakrepo
See runtimes for more available runtimes.
Flatpak applications are not respecting KDE Plasma's system-wide dark theme?
KDE Plasma on Debian 11 provides a dark theme called Breeze Dark. Enabling this will instruct most apt-installed packages to respect the dark theme, but results are inconsistent with flatpak apps utilizing the GTK toolkit. Some apps even provide a dark theme slider, but setting the theme to dark doesn't seem to work.
To fix this, run the following command (not as root or with sudo) and restart your system:
$ flatpak override --user --filesystem=xdg-config/gtk-3.0:ro
Note that an override without an application ID applies to all Flatpak applications; it grants them read-only access to ~/.config/gtk-3.0 only, but if you prefer to grant it to a single application, append that application's ID to the command.
Code repository https://github.com/flathub
Developer guide https://docs.flatpak.org/en/latest/
Presentation and Articles https://flatpak.org/presentations/