Steam for Linux

AD Dec 19, 2021 @ 12:47pm
How safe are flatpaks?
Hi all.

Found that Blade of Agony is available as a flatpak and it looks really interesting, but part of me is concerned if I would be installing something possibly malicious. Normally I keep to the normal repos and Steam so I don't really know how safe or unsafe flatpaks are (or snaps for that matter). Does anyone know how safe it is to install and run a flatpak? And if you're familiar with the particular one I'm interested in, do you know how safe it is?
Last edited by AD; Dec 19, 2021 @ 12:49pm
Trisimiton Dec 19, 2021 @ 2:04pm 
Flatpaks are generally safe as in safe from dependency issues. It makes it so if you have a newer version of a dependency that would break that program, it should not break, because it's sandboxed with the older dependency. This should help to maintain software and make it work on many different distributions without needing to test on all of them. Flatpaks also try to fill the security concerns on untrusted software. I think it sometimes does this well but generally it fails at it. A program can have much more access than you want it to even though it is sandboxed. You can use Flatseal to help with this and there are warnings in the software center that can inform you if the systems used by the software have vulnerabilities that are not protected against. So flatpaks are as safe as the developer makes them and how you use them. I try to make sure the flatpak I use comes from a source I trust but honestly it's not easy for me to verify if it is. If in doubt use Flatseal.
AD Dec 19, 2021 @ 2:11pm 
Originally posted by catbox:
Flatpaks are designed to be isolated from the rest of the main operating system as much as possible,

i.e. sandboxed.

https://flathub.org/apps/details/com.realm667.Wolfenstein_Blade_of_Agony

Why you think a mod for a game needs to be sandboxed to be "safe" is beyond me. The underlying game runs on GZDoom.


While I understand the benefits and concerns of flatpak & snap, I don't believe they are required and they are quite wasteful when native software has been running on Linux for three decades.
Flatpak and snap are basically installing an entire OS that the game requires in a folder, which is overkill.
So, I'm against flatpak style software.
https://ludocode.com/blog/flatpak-is-not-the-future
It's mostly that I generally just keep to the repos, so going to a different source is just going out of my comfort zone. Hence why I'm checking.

I have checked the permissions explicitly and the flatpak in question doesn't seem to want access to anything out of the ordinary. In fact it doesn't even want to access the home directory or any other directory from what I can see, it just wants permissions to interact with X11, pulseaudio and things like that, which is exactly what I would expect from a game. At least that's if I'm understanding things correctly when I tried to look at the permissions; since it's my first time I'm not sure I actually understand.
Last edited by AD; Dec 19, 2021 @ 2:14pm
AD Dec 19, 2021 @ 2:17pm 
Originally posted by Trisimiton:
Flatpaks are generally safe as in safe from dependency issues. It makes it so if you have a newer version of a dependency that would break that program, it should not break, because it's sandboxed with the older dependency. This should help to maintain software and make it work on many different distributions without needing to test on all of them. Flatpaks also try to fill the security concerns on untrusted software. I think it sometimes does this well but generally it fails at it. A program can have much more access than you want it to even though it is sandboxed. You can use Flatseal to help with this and there are warnings in the software center that can inform you if the systems used by the software have vulnerabilities that are not protected against. So flatpaks are as safe as the developer makes them and how you use them. I try to make sure the flatpak I use comes from a source I trust but honestly it's not easy for me to verify if it is. If in doubt use Flatseal.
I was thinking more of not getting something malicious on my computer; I know that in terms of dependencies it should be safe. The devs mention the flatpak on their website and even give installation instructions, so I guess it's official or has their blessing. I have checked the permissions and unless I'm misreading things (which is very possible) then it doesn't want access to anything special. Not my home folder, not any folder, just X11, pulseaudio, stuff like that which a game would need to run.
phillippi2 Dec 19, 2021 @ 2:43pm 
Originally posted by AD:
It's mostly that I generally just keep to the repos, so going to a different source is just going out of my comfort zone. Hence why I'm checking.

I have checked the permissions explicitly and the flatpak in question doesn't seem to want access to anything out of the ordinary. In fact it doesn't even want to access the home directory or any other directory from what I can see, it just wants permissions to interact with X11, pulseaudio and things like that, which is exactly what I would expect from a game. At least that's if I'm understanding things correctly when I tried to look at the permissions; since it's my first time I'm not sure I actually understand.
Generally, games are pretty well isolated. They work as operating systems that can only see the relevant folder/files. If the game is going to access other files, they have to notify the user that it's going to happen.
Marlock Dec 19, 2021 @ 7:14pm 
in terms of sandboxing, flatpaks *can* be pretty good at isolating the app from the host OS:
https://developer.nvidia.com/rtx/raytracing

However, you have to trust the default permissions set by the distributor (usually flathub.org) or go the extra mile and inspect these via an extra app before actually running the flatpak app, because the permission choices aren't made by the user explicitly during install (something Android used to do), nor are they all disabled by default until the first time they are invoked by the app (which is what Android does now, invoking a dialog to allow forever / allow just this once / deny).
Last edited by Marlock; Dec 19, 2021 @ 7:15pm
It's basically like snaps. A third party software repo if you just want stuff to work. But without Canonical.
No dependency hunting, just
flatpak install spotify, steam, gimp, whatever.
I mean I have flatpak with flathub installed, but I almost never use it.
But I'm an Arch user so everything is either in pacman already or in the AUR already.
But great if you don't use Arch or something based on it, if it isn't in the Fedora, apt or whatever repo.
Enigmatic Dec 21, 2021 @ 9:42pm 
I dunno, I don't trust it. As a Debian user, anything that brings in its own dependencies that is not free software is a true gamble.

It's an abomination. It might as well run a whole windows subsystem lol.
Aoi Blue Dec 22, 2021 @ 12:30am 
Flatpaks, like any software, are as safe as where you get them.

Flathub is pretty trusted, but some third party sites are not.

Likewise, their sandbox is not particularly strong, so the damage any malicious software can do is within the scope of what you permit the software to do. Since they use capabilities based permissions, check the required permissions before installing. Almost all request access to the filesystem at the level of the user running them, which basically amounts to no more sandboxing than any other user level program.
Last edited by Aoi Blue; Dec 22, 2021 @ 12:30am
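Several posters above say to check a flatpak's requested permissions before installing it. The script below is an added example (not code from any poster or from Flathub) that triages the metadata flatpak prints, flagging entries that widen the sandbox; both metadata samples are constructed for the example and are not the real Blade of Agony manifest.

```shell
# Added example (not from any poster): triage what a flatpak asks for before installing.
# Both metadata samples are constructed; they are not the real Blade of Agony manifest.
# Real input: flatpak remote-info --show-metadata flathub <app-id>  (before install)
#         or: flatpak info --show-permissions <app-id>              (already installed)
GAME_ONLY_PERMS='[Context]
sockets=x11;pulseaudio;
devices=dri;
'
BROAD_PERMS='[Context]
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=home;xdg-download:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
'
# One finding per line (HIGH/MED/LOW/INFO) for entries that widen the sandbox.
flatpak_risky_perms() {
    printf '%s\n' "$1" | awk -F= '
        /^\[/ { section = $0; next }
        section == "[Context]" && ($1 == "filesystems" || $1 == "devices" || $1 == "sockets") {
            n = split($2, v, ";")
            for (i = 1; i <= n; i++) {
                if (v[i] == "") continue
                sub(/:(ro|rw|create)$/, "", v[i])   # strip access-mode suffix
                key = $1 ":" v[i]
                if (key ~ /^filesystems:(host|host-os|host-etc|home|~)$/)
                    print "HIGH " key " (broad filesystem access defeats the sandbox)"
                else if (key ~ /^filesystems:/)
                    print "INFO " key " (scoped path; confirm the app needs it)"
                else if (key == "devices:all")
                    print "MED  " key " (every device node)"
                else if (key == "sockets:session-bus" || key == "sockets:system-bus")
                    print "HIGH " key " (unfiltered D-Bus access)"
                else if (key == "sockets:x11")
                    print "LOW  " key " (X11 does not isolate clients from each other)"
            }
            next
        }
        # talk/own on org.freedesktop.Flatpak lets the app run commands on the host
        section == "[Session Bus Policy]" && $1 == "org.freedesktop.Flatpak" && ($2 == "talk" || $2 == "own") {
            print "HIGH dbus:" $1 "=" $2 " (can execute outside the sandbox)"
        }'
}
# Count of HIGH findings; 0 means nothing beyond what a normal desktop app needs.
flatpak_high_count() {
    flatpak_risky_perms "$1" | awk '/^HIGH/ { n++ } END { print n + 0 }'
}
```

Run `flatpak_risky_perms "$(flatpak remote-info --show-metadata flathub <app-id>)"` to check an app before installing; the game-only sample yields no HIGH findings, while the broad sample flags the home directory and the host-command D-Bus name.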
tfk Dec 22, 2021 @ 11:33am 
It's a valid question as new Linux users are always pointed towards the official repositories instead of downloading their software from random websites. Flathub can of course be trusted but one could theoretically put a tainted version of an app on a random website.

Fedora has its own Flatpak remote where flatpaks reside which are built from the existing RPMs (repository packages). This has of course the same trust as the main repositories. See the whole story here.

https://fedoramagazine.org/an-introduction-to-fedora-flatpaks/
Originally posted by tfk:
It's a valid question as new Linux users are always pointed towards the official repositories instead of downloading their software from random websites. Flathub can of course be trusted but one could theoretically put a tainted version of an app on a random website.

Fedora has its own Flatpak remote where flatpaks reside which are built from the existing RPMs (repository packages). This has of course the same trust as the main repositories. See the whole story here.

https://fedoramagazine.org/an-introduction-to-fedora-flatpaks/
Yeah, how does that work? I just installed Fedora a few hours ago and just installed the Flathub versions of programs instead of the RPM, because I've had a good experience with them in Arch and Manjaro.
Or in general. Is there even a difference to begin with between Flathub or flatpak RPM?
One exception is Steam because I've heard setting up other drives is harder when it's a flatpak.
tfk Dec 22, 2021 @ 11:43am 
They've built them with the RPMs as source. It's still a flatpak with all that comes with it. I think it's more like the Fedora community wants to keep track themselves of what is in their repositories.

Also, Fedora has a strict policy of only open source software in their main repos. The RPMFusion repos are for the binary blobs. I don't know what Flathub's policy is.

But that's my interpretation of it.
Date Posted: Dec 19, 2021 @ 12:47pm
Posts: 11