I have been starting the Linux journey for the past year and just now getting a little comfortable with it.
I have been using Manjaro and I have liked it. However, I am going to be rebuilding my system and with all the negative things said about Manjaro, I thought going Fedora for my daily driver is probably a good move. With that said, I am fairly new to the different repositories. I really didn’t give it a second thought until that xz ‘virus’ type backdoor was discovered. After that, I started doing some research and one thing stands out to me. The fact that you install RPMs with sudo makes me kind of nervous now.
Are Flatpaks better? If I am correct, using Flatpaks doesn’t require you to install with sudo, which makes more security sense.
Thoughts? Please correct me if I was inaccurate in my terminology…still learning.
This is a complicated and nuanced topic, but whether you need to use sudo is not a key aspect of security IMHO. After all, your most important data probably lives in your home directory, for example your browser profile.
There are two basic approaches to application security: running trusted code and sandboxing. Fedora packages rely almost entirely on the former, but the xz situation has maybe called into question how much we can rely on ‘vetted’ software from distro repositories. And even without actually including malware, unsandboxed apps can be vulnerable to exploits that would compromise the entire system (or at least all of your data).
Flatpak compromises a bit on the former while leaning heavily on the latter. However, many apps have broad permissions (e.g. filesystem=home) which effectively bypass the sandbox. On the trust side, Flathub has introduced a verification system, so you can know that a Flatpak package is endorsed by the upstream developer (whether you trust upstream is a separate matter). There are also Fedora Flatpaks, which are in some sense the best of both worlds. They have the same pedigree as the RPMs they’re built from, as well as Flatpak sandboxing.
To answer your question though, by default flatpak is still installing things as root (via polkit and a system helper daemon), but unlike RPM, it doesn’t allow installed apps to run any code during installation, except inside a strict sandbox. So, compared to installing a third-party RPM package, flatpak is significantly safer. For apps with broad permissions, that benefit may be diminished somewhat when you actually run them.
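Since the post above notes that broad grants such as filesystem=home weaken the sandbox, here is an added example (not a Flatpak project tool or anything from the poster) that flags such grants in the metadata format printed by `flatpak info --show-permissions`. The set of permissions treated as "broad" is my own choice; the sample metadata is constructed.

```shell
#!/bin/sh
# Added example: flag Flatpak permissions that effectively bypass the
# sandbox. Input is the [Context] / [Session Bus Policy] text that
# `flatpak info --show-permissions APP` prints. The "broad" set below is
# an assumption for this example, not an official Flatpak classification.

# Reads metadata on stdin, prints one "section key=value" line per broad
# grant. Exit status 0 if any were found, 1 otherwise.
audit_permissions() {
    awk -F= '
        /^\[/ { section = $0; next }          # section header
        NF < 2 { next }                        # blank or malformed line
        section == "[Context]" {
            n = split($2, vals, ";")
            for (i = 1; i <= n; i++) {
                v = vals[i]; if (v == "") continue
                base = v; sub(/:.*$/, "", base)  # drop :ro / :rw / :create
                if ($1 == "filesystems" && base ~ /^(home|host|host-os|host-etc)$/) hit($1, v)
                if ($1 == "devices" && v == "all") hit($1, v)
                if ($1 == "sockets" && v ~ /^(x11|session-bus|system-bus)$/) hit($1, v)
            }
        }
        # talk/own on org.freedesktop.Flatpak lets an app spawn host commands
        section == "[Session Bus Policy]" && $1 == "org.freedesktop.Flatpak" && $2 ~ /^(talk|own)$/ { hit($1, $2) }
        function hit(key, val) { found = 1; print section " " key "=" val }
        END { exit found ? 0 : 1 }
    '
}

# Run the audit over every installed app (only when the flatpak CLI exists).
audit_installed() {
    command -v flatpak >/dev/null 2>&1 || { echo "flatpak not installed" >&2; return 2; }
    flatpak list --app --columns=application | while read -r app; do
        flatpak info --show-permissions "$app" | audit_permissions | sed "s/^/$app: /"
    done
}

# Constructed samples shaped like `flatpak info --show-permissions` output.
SAMPLE_BROAD='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home;xdg-run/gvfs;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
'
SAMPLE_TIGHT='[Context]
shared=network;ipc;
sockets=wayland;pulseaudio;
filesystems=xdg-download:ro;
'
count_broad() { printf '%s' "$1" | audit_permissions | wc -l | tr -d ' '; }
```

`count_broad "$SAMPLE_BROAD"` reports 3 (x11 socket, home filesystem, and the Flatpak D-Bus name), while the tight sample reports 0; `audit_installed` applies the same check to a real system.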
This was apparently an issue with the upstream provider of xz (on github) having been breached and malware loaded into what appeared to be a routine update. This simply goes to show that even the most diligent of security and vetting by a distro is still subject to malware if it appears to come from a trusted source as a routine update.
It seems Fedora was not the only distro that was caught unawares by that breach, and Fedora did immediately announce the problem and make the fix available for users. It also was limited by the fact that apparently only F40 (in beta) was affected.
I give kudos to Fedora for the quick and positive response to limit the spread of malware.
It is interesting that in the (non-atomic) Workstation edition of Fedora, in Gnome Software, the installation order of a package is the following:
1. Flatpak from Fedora repos
2. RPM from Fedora repos
3. Flatpak from Flathub (if repo enabled).
This means that, by default, if available, a package gets installed as Flatpak and not as RPM. I wonder if this is the intended setup for a “traditional” Fedora OS, and the reason behind it.
Hello @stoss,
As noted by @chrisawi, your user home directory is for sure the most crucial from a security POV for external attacks. Perhaps you want to look at using systemd-homed as an option for securing your home. Docs are at Home Directories.
Ok, never mind, I am going back to Windows LMAO j/k
Thanks all for the information. This is a lot to digest.
I guess for me, the xz backdoor incident ushered in a whole new realm of questions and concerns. Nobody caught this until one person noticed a small performance issue. The actual code that was changed over time was never detected. That is troubling.
I will be looking into the systemd info and securing my system as much as possible. I guess that is all I can do.
Thanks all very much. I wish I could say this helped my concerns, but it didn’t overall. It did help with the RPM vs. Flatpak question, but the broader issue of upstream vetting is still a little bit nerve-racking.
I guess we just have to push forward and be vigilant about what gets installed and by whom.