Provide firefox as flatpak

Hey there!
Thinking about the whole “should Fedora swap the default Firefox RPM for a Flatpak?” question. Here’s a quick look at the good and the not-so-good:

Flatpak Pros:

  • Safer Sandbox: Gives Firefox extra isolation from your system, which is great for security against web threats.
  • Faster Updates: Get the latest features and crucial security fixes way quicker, often straight from Mozilla.
  • Stuff Just Works: Often includes codecs needed for videos and audio out of the box, less hassle. (Flathub version)

Flatpak Cons:

  • A Bit Bigger: Flatpaks can take up slightly more disk space because they bundle dependencies.

Worth discussing what’s best for Fedora.

I have already done this on my Fedora Silverblue.
And it works really well.

1 Like

You may want to clarify which Flatpak, Fedora or Flathub, you’d like to include.

I have mentioned that, but yes, I personally like to have the Flathub one, as it contains all the codecs; it is just install and use for me.

1 Like

And this is exactly the problem: Fedora comes just with the open-source free/plugins license, while Firefox itself might include non-free stuff.

In this way, the owner of the Fedora trademark cannot be held responsible, and the responsibility for any license violation lies with the respective individual.

From this point of view, your proposal might not be accepted.

We can do one thing: we can ask the user to install it, like how it asks to install third-party software when the system boots for the first time after installation. If the user chooses yes, it will install Firefox from Flathub; if they choose no, it will install from the Fedora Flatpak repo.
This solves the issue.

Absolutely not; Fedora’s already slow and secure with SELinux; why does stuff also need wrapped behind Flatpak’s system too? People were up in arms about Ubuntu and Firefox Snap.

Common sense protects against web threats without extra perf hit or hundreds more MB of SSD cell writes 😛

That’d be saying along the lines of the current Firefox maintainer for Fedora not doing a quick-enough job. I think it’s fine.

Mozilla doesn’t package for Fedora. They provide a deb for Ubuntu. I’m not exactly eager to trust a generic browser package over a Fedora-specific RPM built by Fedora infrastructure.

Maybe don’t introduce more complexities with Flatpak 😛 (codecs are easy RPM Fusion)

I think Fedora should continue providing an RPM of Firefox at least on non-Atomic/Immutable.

I would imagine the original post is about Silverblue only; a Flatpak is obviously not going to be preinstalled on traditional Fedora in the near future.

While it would be nice to have a Flatpak, I believe the main reason it’s still in the base image - or at least the only reason I would still be against using the Flatpak - is that Firefox is actually less secure in Flatpak, as the Flatpak sandbox interferes with Firefox’s internal sandboxing. It doesn’t seem to be as badly affected as Chromium-based browsers, but still. Sandboxing Firefox itself can be (is?) done with SELinux.

Is it really way quicker? Fedora gets the latest Firefoxes on a rolling basis as far as I know.

As for Flathub… it would be convenient regarding codecs, but for exactly that and probably other reasons, I doubt we’re going to move away from Fedora flatpaks any time soon.

AFAIK this is already a goal. If you want to help make it happen, the blocking issues are summarized in “Consider migrating the default browser (Firefox) to a Flatpak (#3)” on the Fedora Atomic Desktops SIG Issue Tracker (GitLab).

So packaging Firefox for Fedora requires resources that might otherwise be used to improve overall security, performance, etc.

Yes, Flatpak has issues with the browser’s own sandboxing. I just want to know: is it also true for Snap?
If I install the Snap, will it also have the same issue with the sandbox?

That’s not how it works out in practice. The browser’s multi-process architecture with its own sophisticated sandbox structure gets weakened due to namespaces and chroots getting blocked by Flatpak’s seccomp filter, leaving only Firefox’s seccomp part of its sandbox intact. Flatpak’s own sandbox cannot compensate for that. It leaves not only the browser’s valuable data (cookies etc.) less protected, but also the OS.
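An added diagnostic sketch, not part of the thread and not code from Flatpak or Firefox: it reports the seccomp mode of the current process and whether `unshare(CLONE_NEWUSER)` is permitted, which is the capability the post above says the Flatpak filter takes away from the browser. The function names, the verdict strings and the sample status text are constructed for illustration.

```python
import ctypes
import errno
import os

CLONE_NEWUSER = 0x10000000  # flag value from <linux/sched.h>
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

SAMPLE_STATUS = "Name:\tfirefox\nNoNewPrivs:\t1\nSeccomp:\t2\n"  # constructed sample

def parse_status(text):
    """Pull the seccomp-related fields out of /proc/<pid>/status text."""
    raw = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("Seccomp", "NoNewPrivs"):
            raw[key] = int(value.strip())
    return {"seccomp": SECCOMP_MODES.get(raw.get("Seccomp"), "unknown"),
            "no_new_privs": bool(raw.get("NoNewPrivs", 0))}

def probe_userns():
    """Call unshare(CLONE_NEWUSER) in a throwaway child; return (ok, reason)."""
    libc = ctypes.CDLL(None, use_errno=True)
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: attempt the syscall, report errno, exit
        rc = libc.unshare(CLONE_NEWUSER)
        os.write(wfd, str(ctypes.get_errno() if rc else 0).encode())
        os._exit(0)
    os.close(wfd)
    data = os.read(rfd, 16)
    os.close(rfd)
    os.waitpid(pid, 0)
    if not data:  # child died before reporting (e.g. killed by a filter)
        return False, "killed"
    err = int(data)
    return err == 0, (errno.errorcode.get(err, str(err)) if err else "ok")

def verdict(in_flatpak, status, userns_ok):
    if userns_ok:
        return "userns-available"
    if in_flatpak and status["seccomp"] == "filter":
        return "userns-denied-inside-flatpak"
    return "userns-unavailable"

if __name__ == "__main__":
    in_flatpak = os.path.exists("/.flatpak-info")  # file present inside Flatpak sandboxes
    status = parse_status(open("/proc/self/status").read())
    ok, reason = probe_userns()
    print(in_flatpak, status, reason, verdict(in_flatpak, status, ok))
```

Run it once on the host and once from a shell inside the sandbox to compare the two results.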

Is there a workaround you know of?
I find there will be a conference from Flatpak, and I am hoping they will be talking about this issue with browsers and sandboxing errors. Hope this will be fixed.

I am pretty sure they are aware of it. They would need to allow a different Seccomp filter for browsers which allows the syscalls needed for namespaces and chroots.

No, see “Correct way to install browsers on Linux securely?” (Questions, Privacy Guides Community).

Well the way I see it there are currently two options (please correct me if I am wrong) when wanting to use Firefox with all codecs:

  1. Install Firefox from flathub with the required codecs
  2. Keep native rpm-ostree firefox but install codecs from rpm-fusion

Reading how the sandboxing of the flathub firefox might actually create security issues, I wonder if adding and using rpm-fusion wouldn’t create security concerns as well (not official, community driven, closed source code,…)?

I use the Fedora Flatpak of Firefox currently and it already basically has all the codecs except HEVC, and H264 is software decoding only since Fedora disables hardware decoding for it.

Currently I have openh264 installed from Flathub but from what I understand they are working toward it coming from Fedora like the RPM.

Regarding the sandboxing I believe the user namespaces sandbox is ‘true’ in the rpm version so some are put off by that. Someone else could explain the concerns of this better than me.

Thanks for pointing out that Firefox exists in two Flatpak versions. That makes it even more complicated for a newcomer like me:

  1. Firefox from rpm-ostree
  2. Firefox Flatpak from Fedora
  3. Firefox Flatpak from Flathub

What the hell…

1 Like

Free software always has limited resources for maintenance and packaging. Removing large, complex applications such as Firefox from distros could allow distro maintainers to focus on the core tools and libraries. Flatpaks are one attempt to support large applications in a way that reduces the effort required from distro maintainers. There are issues such as differences in security policies and protections across distros that still need work. Linux has a long history of users at all levels trying new things and reporting issues, but some users just need to get on with their work and are better off sticking with the RPM version. If you do encounter problems with the Firefox RPM version, there is a better chance that there will be other users with similar hardware who can help resolve your issue.

1 Like

I don’t understand what you mean. User namespaces is supposed to be reporting true for better browser security. It’s a good thing, not something bad.

It shows false in your screenshot. Is it from the Flatpak version?

It’s actually quite simple. Don’t use Flatpaks for modern browsers.

1 Like