Flatpak and security


Flatpak and security: you may have read some criticism. However, in 2021 it’s a great way to get access to a lot of software on any distro. Since I’ve stopped using Ubuntu, I’ve noticed that Flathub is a godsend, especially for getting non-FLOSS tools.

The critique of Flatpak’s security is that while it allows packagers to sandbox their software, nobody does. The strange thing is that even when packagers try, they’re very much doing it wrong. Take Flatpak’s file chooser dialog (the portal dialog), which can be used to grant a sandboxed app access to a file or directory at the specific request of a user. After all, such a dialog conveys the user’s intention very precisely, right? Let me give you just two examples of packagers not knowing or understanding this: Signal and QOwnNotes. Both are sandboxed, but neither uses the dialogs provided by Flatpak. Here’s how this goes wrong:

  1. Signal. The app is sandboxed, and comes with a default permission to write to ~/Downloads. Sounds like a good idea, but the save-file action still shows you a dialog. This dialog is broken! It looks like a system dialog, lets you navigate anywhere on your filesystem, even lets you click Save, and then closes. Nothing gets saved, however, unless you guessed correctly that you should navigate to ~/Downloads, where it does not even open by default. There is no feedback of any kind. And two acceptable solutions are right there: the Flatpak dialog, or just saving to ~/Downloads without showing any dialog.

  2. QOwnNotes operates on a directory, and comes with ~/notes whitelisted. Setting this directory to anything else quietly does not work (the Open button does nothing or is disabled), but you can still open the dialog and navigate your filesystem. This is not good. Either remove the ability to change the directory, since it can’t actually be changed, or use Flatpak’s dialog to grant permission.

These are major UI failures that are not communicated in any way, and for no good reason that I can see. Pity!
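As an added illustration of why these in-sandbox dialogs fail silently (this is example code written for this page, not code from the post or from the Signal or QOwnNotes projects): a small Python checker that reads the filesystem grants from the `[Context]` section in the key-file format that `flatpak info --show-permissions <app-id>` prints, and reports whether a path the user picked is actually writable from inside the sandbox. This is exactly the feedback the broken dialogs never give. The permissions text, the home directory and the "longest matching grant wins" rule are constructed assumptions (the sample is not either app's real manifest); the portal dialog sidesteps this whole problem because the chosen file is handed into the sandbox regardless of static grants.

```python
"""Decide whether a Flatpak app's static filesystem grants cover a given path.

Input is the [Context] section as printed by `flatpak info --show-permissions`
(GKeyFile format). SAMPLE_PERMISSIONS below is constructed for this example.
"""
import configparser
import os
from pathlib import PurePosixPath

# Constructed sample in the layout of `flatpak info --show-permissions`.
# It is NOT the real Signal or QOwnNotes manifest.
SAMPLE_PERMISSIONS = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=xdg-download;~/notes:ro;
"""

HOME = "/home/user"  # assumption: fixed home directory so results are deterministic

# Subset of Flatpak's special filesystem tokens mapped to host paths.
SPECIAL = {
    "home": HOME,
    "host": "/",
    "xdg-download": f"{HOME}/Downloads",
    "xdg-documents": f"{HOME}/Documents",
    "xdg-pictures": f"{HOME}/Pictures",
    "xdg-music": f"{HOME}/Music",
    "xdg-videos": f"{HOME}/Videos",
    "xdg-desktop": f"{HOME}/Desktop",
}


def expand(token):
    """Map one filesystem token to an absolute host path, or None if unknown."""
    if token == "~":
        return HOME
    if token.startswith("~/"):
        return os.path.normpath(os.path.join(HOME, token[2:]))
    if token.startswith("/"):
        return os.path.normpath(token)
    return SPECIAL.get(token)


def parse_filesystems(text):
    """Return [(host_path, mode)] with mode in {'rw', 'ro', 'deny'}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    raw = cp.get("Context", "filesystems", fallback="")
    grants = []
    for entry in filter(None, raw.split(";")):
        mode = "rw"
        if entry.startswith("!"):  # negated grant from an override
            mode, entry = "deny", entry[1:]
        for suffix in (":ro", ":rw", ":create"):
            if entry.endswith(suffix):
                entry = entry[: -len(suffix)]
                if suffix == ":ro" and mode != "deny":
                    mode = "ro"
                break
        path = expand(entry)
        if path is not None:
            grants.append((path, mode))
    return grants


def check_access(text, path):
    """Return 'rw', 'ro' or None (no access) for a host path.

    Simplification (assumption): the longest, i.e. most specific, matching
    grant decides, mirroring how a nested bind mount shadows an outer one.
    """
    target = PurePosixPath(os.path.normpath(path))
    best = None
    for grant, mode in parse_filesystems(text):
        g = PurePosixPath(grant)
        if target == g or g in target.parents:
            if best is None or len(g.parts) > len(best[0].parts):
                best = (g, mode)
    if best is None or best[1] == "deny":
        return None
    return best[1]


def explain(text, path):
    """Human-readable verdict, the feedback a save dialog should give."""
    mode = check_access(text, path)
    if mode == "rw":
        return f"{path}: writable from the sandbox"
    if mode == "ro":
        return f"{path}: read-only inside the sandbox, a save here would fail"
    return f"{path}: not visible to the sandbox, a save here would silently do nothing"


if __name__ == "__main__":
    for p in (f"{HOME}/Downloads/export.txt", f"{HOME}/notes/todo.md",
              f"{HOME}/Documents/report.pdf"):
        print(explain(SAMPLE_PERMISSIONS, p))
```

Run it against the real output of `flatpak info --show-permissions` for an installed app to see what a save dialog drawn inside that sandbox can and cannot reach; anything reported as "not visible" is a path the user can still navigate to in a non-portal dialog.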