Imagine your friend that does not know anything about linux, don’t you think this would make them not install the firefox flatpak and potentially think that linux is unsafe?

I ask this because I believe we must be careful and make small changes to welcome new users in the future, we have to make them as much comfortable as possible when experimenting with a new O.S

I believe this warning could have a less alarming design, saying something like “This app can use elevated permissions. What does this mean?” with the “What does this mean?” text as a clickable URL that shows the user that this may cause security risks. I mean, is kind of a contradiction to have “verified” on the app and a red warning saying “Potentially unsafe”, the user will think “well, should I trust this or not??”

  • SavvyWolf@pawb.social
    link
    fedilink
    English
    arrow-up
    146
    ·
    5 months ago

    I like flatpaks and flathub, but this is just something they do badly. I think as well they also have “probably safe” which is just as unhelpful… And what does “access certain files and folders” even mean!?

    I think they should just follow the example of every other app store; list the permissions in an easily understandable list and let the user decide whether or not they are comfortable with it.

    • federino@programming.devOP
      link
      fedilink
      arrow-up
      50
      ·
      5 months ago

      I think they should just follow the example of every other app store; list the permissions in an easily understandable list and let the user decide whether or not they are comfortable with it.

      Totally agree. The “verified” label will give new users enough comfort, and the ones who wish to know more will read the permissions.

    • Onihikage@beehaw.org
      link
      fedilink
      English
      arrow-up
      17
      ·
      5 months ago

      When I look at Firefox in Discover, it only shows the list of permissions the flatpak will be given out of the box, with no warning of it being “potentially unsafe.” This certainly does seem like the better way to handle it.

      Also, the warning on the Flathub website is clickable - it expands into the full permissions list. Why it defaults to “no information except maybe dangerous” is beyond me.

  • brochard@lemmy.world
    link
    fedilink
    arrow-up
    44
    arrow-down
    4
    ·
    edit-2
    5 months ago

    In my opinion, those warnings are not used to help users but to shame developpers for not trully sandboxing and verifying their apps. Developpers know that having this warning will decrease the number of users downloading it. The goal in the long run is to improve app sandboxing and security.

    • MonkderDritte@feddit.de
      link
      fedilink
      arrow-up
      18
      arrow-down
      4
      ·
      edit-2
      5 months ago

      By not letting the user import/export addon settings, bookmarks?

      Btw, i hate the opinion that the dev must babysit his users. It makes software worse, not better, look at Firefox’s profille folder for an example. If you have to, make an intro to train them.

      • Sethayy@sh.itjust.works
        link
        fedilink
        arrow-up
        12
        ·
        5 months ago

        I’m not 100% confident but I thought you could use portals to access individual files outside of the sandbox

        • UserMeNever@feddit.nl
          link
          fedilink
          English
          arrow-up
          9
          arrow-down
          1
          ·
          5 months ago

          You could but where is fails is when you open one html file that then needs to loads the other files that are needed by the first.

          You can not allow chain loading like this, it would bypass the sandbox.

          One way of working around this would to allow the option of passing a whole folder and sub folders to the program.

          The other and much harder option would be a per program portal filter that can read the html file. then workout what files that html file needs and offer that list of files to the user.

          The lazy work around is allow read access to $HOME and deny access to some files and folders like .ssh

          • Sethayy@sh.itjust.works
            link
            fedilink
            arrow-up
            1
            ·
            5 months ago

            Makes sense, but at least this would generally be out of a normal users usage case (multi-file documents), and so the power user could probably just open flatseal.

            For things like bookmarks it’d work fine, and by extension make the sandbox more secure

            • UserMeNever@feddit.nl
              link
              fedilink
              arrow-up
              4
              ·
              edit-2
              5 months ago

              Makes sense, but at least this would generally be out of a normal users usage case (multi-file documents), and so the power user could probably just open flatseal.

              I would not be so sure. Firefox has a “save web page as…” option which saves the html page and all other files needed into a sub folder.

              Without better handling of reading and writing files the sandbox will break that builtin function. another way of working around this. would be to change firefox to save the web page into one file. Maybe something a .html+zip file that firefox would know how to open. However that would lock other browsers out without manualy unziping it first.

              Getting sandboxing right with powerful programs is very hard and I feel the tooling is still not here yet.

  • Schwim Dandy@lemm.ee
    link
    fedilink
    arrow-up
    41
    arrow-down
    4
    ·
    edit-2
    5 months ago

    Yes but surely you’re aware that even the most new-user-friendly distros and their tools aren’t necessarily aimed at new users.

    That warning is a perfect example of how Linux developers choose which hill to die on. They post a warning for an app that everyone knows can deliver bad times to two camps of users; those that know and don’t care and those that don’t understand the warning. If we could quantify the helpfulness of that warning, odds are that it saved 0 users from malicious action from that avenue of attack.

    Never expect Linux as a whole to be “helpful” to the new crowd.

    • orcrist@lemm.ee
      link
      fedilink
      arrow-up
      17
      ·
      5 months ago

      Isn’t this why we’d expect new users to use a built-in package manager? Because it avoids this exact problem?

      • Schwim Dandy@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        Which is why I said “linux as a whole”. Many distros will try to undo the nerdery and neckbeardism that is built into the parent distros but as a whole, linux is going to always be less welcoming to a new user than someone that’s used to useless warnings and repeated password entries for elevated privileges. Being safer and being new-user-friendly rarely go hand in hand.

        • areyouevenreal@lemm.ee
          link
          fedilink
          arrow-up
          1
          ·
          5 months ago

          Not all user friendly distros have a parent distro. Checkout Solus.

          There are sometimes things upstream causing problems. The Linux kernel itself isn’t one of them though as Linus is pretty adamant that Linux distributions should be easy to setup and use. KDE is also designed to be pretty friendly while being customizable still. The main issues seem to come from apps and distributions.

  • PlantPowerPhysicist@discuss.tchncs.de
    link
    fedilink
    arrow-up
    21
    ·
    edit-2
    5 months ago

    In defense of this warning, when I first put my application on Flathub, I had it because of how file i/o worked (didn’t support XDG portals, so needed home folder access to save properly). It did actually motivate me to get things working with portals to not request the extra permissions and get the green “safe” marker.

    A lot of apps will always be “unsafe” because they do things that requires hardware access, though, so I could see them wanting something more nuanced.

  • lolcatnip@reddthat.com
    link
    fedilink
    English
    arrow-up
    19
    arrow-down
    2
    ·
    5 months ago

    To be fair, if a naive user is going to get a virus, there’s a very high chance a browser will be involved.

  • Mactan@lemmy.ml
    link
    fedilink
    arrow-up
    19
    arrow-down
    3
    ·
    5 months ago

    those warnings on mint and flathub are so ridiculous, there’s no difference between those and official ones, somebody could just as easily put something nefarious in any flatpak

  • KindaABigDyl@programming.dev
    link
    fedilink
    arrow-up
    16
    arrow-down
    1
    ·
    5 months ago

    They should be worried. We don’t want them comfortable.

    So many negative things have entered our culture bc people don’t care about dangers. Nearly every app should have a warning

    • AeonFelis@lemmy.world
      link
      fedilink
      English
      arrow-up
      14
      ·
      5 months ago

      Nearly every app should have a warning

      No. If you put a warning on every app (except for the most trivial ones that don’t actually do anything useful) then the warnings mean nothing. The become something more than ass-covering legal(ish) BS.

        • AeonFelis@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          ·
          5 months ago

          What do you mean by “improving”? This alarming warning appears because Firefox requires permissions. Let us look at the permissions listed there:

          1. “User device access”. From the docs, I’d say the browser needs it for rendering?
          2. “Download folder read/write access”. This one is obvious - the files you download with your browser go there.
          3. “Can access some specific files”. This one, I’ll admit, is a bit cryptic - what files does it need to access? But this one is on Flatpak for making the permission so general.

          App permissions should not be about “this app cannot be trusted because it asks for scary scary permissions”. They should be about “take a look at the list of permissions the app requests and determine whether or not it make sense for such an app to need such permissions”.

          • jbk@discuss.tchncs.de
            link
            fedilink
            arrow-up
            2
            ·
            5 months ago

            To 1.: dri instead of all would handle hardware-accelerated rendering. Then some webcams or controllers won’t be accessible though. This one’s a bit complicated, since the necessary portals for e.g. generic USB device access aren’t yet there.

            To 2.: portals should be used instead of that. Using them doesn’t require these permissions.

            To 3.: click on details and see. This is Flathub making it easy to understand for users.

            Permissions should make clear whatever dangerous things an app can do. If not, why do all this effort of isolation? Firefox could delete everything in downloads, either by accident on Mozilla’s side, or a privilege escalation. If the app used portals instead, it couldn’t, at least without user interaction. Or a browser security vulnerability could open up any USB devices to webpages. It’s all about what could happen with granted permissions. And these can 100 % be fixed in at least some way.

    • alphafalcon@feddit.de
      link
      fedilink
      arrow-up
      6
      ·
      5 months ago

      They should not be worried, they should be educated.

      If you worry a new user enough they’ll go back to Windows or Apple because there’s less scary warnings there.

      We need to make the transition as pain free as possible. Learning about the joys of kernel compilation and SELinux can come later.
      The first step is "Hey, this is as usable as Windows, without stupid ads in the start menu.

    • Onihikage@beehaw.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      If “nearly every app” that people already use suddenly has a big warning on it, people will quickly decide the warnings are meaningless and start ignoring them, like Prop 65 warnings. Congratulations, we’ve moved the needle backwards.

      You have to meet people where they’re at. I finally switched to Linux when MS introduced a feature I wanted no part in (Recall AI), but I would have given up within a day or two if the transition hadn’t been basically seamless. I was able to pick up right where I left off, using all the same apps I did on Windows except MusicBee RIP, but now I’m in a better position than before, on an open-source OS instead of closed-source. Now there’s a little less friction between me and better, freer software.

  • Synnr@sopuli.xyz
    link
    fedilink
    arrow-up
    16
    arrow-down
    1
    ·
    edit-2
    5 months ago

    This should have been much more well thought out The wording, image, buttons, specific wording for each page.

    They really screwed the pooch.

    Another 4-6 months minimum before release. But quarterly numbers must be met.

    • refalo@programming.dev
      link
      fedilink
      arrow-up
      18
      arrow-down
      1
      ·
      5 months ago

      Which is hilarious because desktop apps have always had the capability to spy on all other apps and steal all your data.

      • Skull giver@popplesburger.hilciferous.nl
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        5 months ago

        Actually, Windows has implemented quite a few tricks to make this very difficult without setting off antivirus engines at least. X11’s security model is absolute trash compared to Windows Vista and above. Linux is getting safer with Wayland, but Linux on the desktop hasn’t had the XP SP1 security humiliation that Windows had so almost all of it is opt-in.

        Solving the issues Windows has already solved with things like integrity levels will break compatibility with many applications (it also did on Windows, which is why Vista made you run everything as admin) but simply enabling the Flatpak sandbox can solve many problems already.

        I wonder if there’s a desktop distro out there that enforces sandboxed applications by default. It would make running Linux a lot less risky.

        • refalo@programming.dev
          link
          fedilink
          arrow-up
          5
          ·
          5 months ago

          Windows has implemented quite a few tricks to make this very difficult without setting off antivirus engines

          That’s funny because we have been shipping a commercial Windows app since XP that is keylogger-based using SetWindowsHookEx, and it has only tripped users’ antivirus maybe 1 or 2 times in 20 years.

          I wonder if there’s a desktop distro out there that enforces sandboxed applications by default.

          EasyOS is the first distro I’ve seen that at least runs every app as its own user by default, similar to Android.

        • pivot_root@lemmy.world
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          edit-2
          5 months ago

          You’re thinking of operating systems that give unrestricted access to all parts of a computer that aren’t memory or the camera. That would everything1, actually.

          1 There’s also Linux with properly-configured SELinux, but good luck with that on a distro that isn’t focused on opsec.

          • Para_lyzed@lemmy.world
            link
            fedilink
            arrow-up
            6
            ·
            5 months ago

            Fedora has pretty good SELinux configured out of the box, and isn’t focused on opsec. It’s just sane defaults and proper limitations to access. It also switched to Walyand-by-default this release, completely removing X11 from the default packages, which mitigates many of the “app spying on other app” scenarios that a previous user in the thread was talking about. That’s not to say that Fedora is the pinnacle of Linux security or anything, but it comes with pretty good defaults for the average user. You’d have to get into kernel hardening and deep into SELinux to do better as an end user, which is not something that most users are inclined to spend time or energy on.

            • pivot_root@lemmy.world
              link
              fedilink
              arrow-up
              8
              ·
              5 months ago

              If you’re willing to admit that you’re denigrating an operating system for having the same flaws as the one you prefer and are being a massive hypocrite in doing so, sure.

              • Bilb!@lem.monster
                link
                fedilink
                English
                arrow-up
                2
                arrow-down
                6
                ·
                5 months ago

                You’ve lost me on this one. No idea what you mean. But either way, I think you should take my comment just a bit less seriously.

    • federino@programming.devOP
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      5 months ago

      It’s not specific to browsers, but to every flatpak that is verified and has the potentially unsafe warning.

      • eveninghere@beehaw.org
        link
        fedilink
        arrow-up
        2
        ·
        5 months ago

        “Verified” doesn’t mean too much to privacy advocates. There have been incidents. I indeed want to check what my app is going to access before installing it.

        • federino@programming.devOP
          link
          fedilink
          arrow-up
          4
          ·
          5 months ago

          I think it’s okay to check what the app is going to access in your system. I’m just talking about the warning design, this comment suggests a different approach for a less alarming design.

          • eveninghere@beehaw.org
            link
            fedilink
            arrow-up
            2
            arrow-down
            2
            ·
            5 months ago

            Ah, very good point! If we all had the dedication for UX like you do, Linux would be so so so perfect.

  • tearsintherain@leminal.space
    link
    fedilink
    arrow-up
    12
    ·
    5 months ago

    Just reminding folks that just because it’s flatpak’d, doesn’t mean it’s sandboxed. But they probably should add some general click here for more info.

  • bloodfart@lemmy.ml
    link
    fedilink
    arrow-up
    12
    arrow-down
    1
    ·
    5 months ago

    Good.

    People need to view out of channel software with a hairy eyeball.

    Hell, I run Debian all over and it’s absurd that the main repositories don’t do checksums on downloaded packages!

      • bloodfart@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        yeah apt just trusts the server if it properly identifies itself

        the barrier to entry for attacking that seems pretty high though

        if that freaks you out, switch to a rhel derivative, they got a shiny progress bar

    • refalo@programming.dev
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      5 months ago

      I think it’s absurd that most distros have no tools whatsoever for doing regular checksums of their own files. Windows certainly got that part right IMO.

      • bloodfart@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        5 months ago

        I’m double checking this myself now, but there are plenty of tools (debsum) they’re just not part of the default implementation as of last time I looked.

        • refalo@programming.dev
          link
          fedilink
          arrow-up
          2
          ·
          5 months ago

          Right, I’m talking about like periodic or real-time scanning and alerting, which DISM/SFC on windows does.

          • bloodfart@lemmy.ml
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            5 months ago

            i’m almost 100% that debsums on apt stuff and the --verify flag in rpm distros do what sfc did. (kinda, debsums and --verify check against a list of checksums from the repo, i’m pretty sure sfc cracks open an actual known version of the files and compares em with whats on disk)

            idk what dism does.

  • raspberriesareyummy@lemmy.world
    link
    fedilink
    arrow-up
    12
    arrow-down
    4
    ·
    5 months ago

    isn’t flatpak by definition relying on a second software source, hence 2x as much risk as relying on a single source (your OS repo)?