[Debian] Bits from the Release Team: trixie freeze started
https://lists.debian.org/debian-devel-announce/2025/03/msg00011.html
https://redd.it/1jmjrt0
@r_linux
https://lists.debian.org/debian-devel-announce/2025/03/msg00011.html
https://redd.it/1jmjrt0
@r_linux
Reddit
From the linux community on Reddit: [Debian] Bits from the Release Team: trixie freeze started
Posted by gabriel_3 - 18 votes and 1 comment
This Week in Plasma: zero VHI bugs and much more
https://blogs.kde.org/2025/03/29/this-week-in-plasma-zero-vhi-bugs-and-much-more/
https://redd.it/1jmgv3d
@r_linux
https://blogs.kde.org/2025/03/29/this-week-in-plasma-zero-vhi-bugs-and-much-more/
https://redd.it/1jmgv3d
@r_linux
KDE Blogs
This Week in Plasma: zero VHI bugs and much more
Welcome to a new issue of "This Week in Plasma"! Every week we cover the highlights of what's happening in the world of KDE Plasma and its associated apps like Discover, System Monitor, and more.
nVibrant - Digital Vibrance for nvidia under Wayland
https://github.com/Tremeschin/nVibrant
https://redd.it/1jmst7u
@r_linux
https://github.com/Tremeschin/nVibrant
https://redd.it/1jmst7u
@r_linux
GitHub
GitHub - Tremeschin/nvibrant: 🟢 Nvidia Digital Vibrance on Wayland
🟢 Nvidia Digital Vibrance on Wayland. Contribute to Tremeschin/nvibrant development by creating an account on GitHub.
Linux making me feel like a boomer
Haven't used linux in about 20 years, but recently decided to install so I know how to use it.
Figured out how to boot Ubuntu or Windows on the same PC, took a few tries. Figured out how to install Thunderbird on both and make both instances refer to the same profile. Took a few tries.
Had to use different version of Thunderbird than the one Ubuntu installs by default in order to use the same profile as Windows. Trying to make a shortcut to Thunderbird on either the desktop or taskbar.... WHAT THE FUCK? Have watched like 45 minutes of Indian people explaining how to do it and cannot figure out how to make a simple shortcut!
Not asking for help, I'll figure it out, but it made me more sympathetic to my mother and boss and older people in general when they have no clue about how to do simple things on a computer.
https://redd.it/1jmuuzv
@r_linux
Haven't used linux in about 20 years, but recently decided to install so I know how to use it.
Figured out how to boot Ubuntu or Windows on the same PC, took a few tries. Figured out how to install Thunderbird on both and make both instances refer to the same profile. Took a few tries.
Had to use different version of Thunderbird than the one Ubuntu installs by default in order to use the same profile as Windows. Trying to make a shortcut to Thunderbird on either the desktop or taskbar.... WHAT THE FUCK? Have watched like 45 minutes of Indian people explaining how to do it and cannot figure out how to make a simple shortcut!
Not asking for help, I'll figure it out, but it made me more sympathetic to my mother and boss and older people in general when they have no clue about how to do simple things on a computer.
https://redd.it/1jmuuzv
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
How I solved 'different tools on different Linux machines' with Git and dotbins
https://redd.it/1jmznub
@r_linux
https://redd.it/1jmznub
@r_linux
Atomic + Minimal = The Future: Lightweight, Transactional Desktop Distro!
Hey r/linux community,
I’ve been mulling over the current landscape of immutable (atomic) systems like openSUSE MicroOS and Fedora Silverblue.
They offer amazing benefits — transactional updates, rollback capabilities, and overall system stability — but they either cater to container-centric/server use or come bundled with heavier desktop environments (like GNOME).
This leaves a gap for those who crave an atomic system with a truly minimal window manager out of the box.
The Idea:
Base System:
- Use openSUSE MicroOS or Fedora Silverblue as a foundation to leverage their immutable, transactional update frameworks.
Upstream Maintenance:
- Rely on upstream for core base maintenance to ensure security and stability, taking advantage of the robust openSUSE/Fedora ecosystem.
Minimal WM Layer:
- Instead of a full desktop environment, maintain a curated set of extra packages that offer a selection of minimal window managers (think i3, Sway, Openbox, JWM, etc.) and essential graphical components. Users can build a lean, efficient desktop without the bloat.
Benefits
• Atomic Updates: Safe, transactional system updates with easy rollback capabilities.
• Minimalism & Speed: A lightweight GUI tailored for performance and simplicity.
• Flexibility: Choose your preferred minimal WM setup while relying on a rock-solid base.
Why Fedora Silverblue Might Be Better for This
Customizability:
- Silverblue uses rpm-ostree to manage system layers. You can remove the default GNOME environment and layer in minimal WMs like i3 or Openbox. It takes some work, but it’s doable without breaking the system.
Community & Maintenance:
- Backed by Fedora’s strong ecosystem. Updates and tooling are already desktop-focused.
Design Philosophy:
- Silverblue is already meant for desktop use, so customizing it into a minimal desktop is likely easier than extending MicroOS, which is more server/container-oriented.
Why This Matters
There’s a clear void in the current Linux ecosystem — a distro that’s both atomic and minimal out of the box.
Such a project could serve devs, power users, and minimalists who want a secure, efficient, and stable graphical environment without full-blown DEs like GNOME or KDE.
Let’s Talk
If you’re excited about the prospect of a minimal atomic WM distro, let’s get the conversation going!
Have ideas, criticisms, or examples of similar projects? Drop them here!
If I’m wrong and something like this already exists — please tell me about it!
Cheers!
https://redd.it/1jmzm9k
@r_linux
Hey r/linux community,
I’ve been mulling over the current landscape of immutable (atomic) systems like openSUSE MicroOS and Fedora Silverblue.
They offer amazing benefits — transactional updates, rollback capabilities, and overall system stability — but they either cater to container-centric/server use or come bundled with heavier desktop environments (like GNOME).
This leaves a gap for those who crave an atomic system with a truly minimal window manager out of the box.
The Idea:
Base System:
- Use openSUSE MicroOS or Fedora Silverblue as a foundation to leverage their immutable, transactional update frameworks.
Upstream Maintenance:
- Rely on upstream for core base maintenance to ensure security and stability, taking advantage of the robust openSUSE/Fedora ecosystem.
Minimal WM Layer:
- Instead of a full desktop environment, maintain a curated set of extra packages that offer a selection of minimal window managers (think i3, Sway, Openbox, JWM, etc.) and essential graphical components. Users can build a lean, efficient desktop without the bloat.
Benefits
• Atomic Updates: Safe, transactional system updates with easy rollback capabilities.
• Minimalism & Speed: A lightweight GUI tailored for performance and simplicity.
• Flexibility: Choose your preferred minimal WM setup while relying on a rock-solid base.
Why Fedora Silverblue Might Be Better for This
Customizability:
- Silverblue uses rpm-ostree to manage system layers. You can remove the default GNOME environment and layer in minimal WMs like i3 or Openbox. It takes some work, but it’s doable without breaking the system.
Community & Maintenance:
- Backed by Fedora’s strong ecosystem. Updates and tooling are already desktop-focused.
Design Philosophy:
- Silverblue is already meant for desktop use, so customizing it into a minimal desktop is likely easier than extending MicroOS, which is more server/container-oriented.
Why This Matters
There’s a clear void in the current Linux ecosystem — a distro that’s both atomic and minimal out of the box.
Such a project could serve devs, power users, and minimalists who want a secure, efficient, and stable graphical environment without full-blown DEs like GNOME or KDE.
Let’s Talk
If you’re excited about the prospect of a minimal atomic WM distro, let’s get the conversation going!
Have ideas, criticisms, or examples of similar projects? Drop them here!
If I’m wrong and something like this already exists — please tell me about it!
Cheers!
https://redd.it/1jmzm9k
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
Chromium: support for Wayland xdg-session-management merged
https://chromium-review.googlesource.com/c/chromium/src/+/6329003
https://redd.it/1jne5y2
@r_linux
https://chromium-review.googlesource.com/c/chromium/src/+/6329003
https://redd.it/1jne5y2
@r_linux
My laptops CPU is too old for Win11
My daily driver has a 7th gen intel CPU that is outside the range allowed by Win11. The laptop still works great for what i do with it (programming/light gaming) but with Win10 reaching EOL this year im looking into possible ways to extend its lifespan. I have some experience with Linux and I would just fully switch over to it but I do still need access to a windows environment.
Does anyone have any solutions/advice for how to move forward with this? I cant afford a new laptop right now so thats out of the question. Ive considered dual booting or just running a Win10 VM but im curious if there are other options that I dont know about.
https://redd.it/1jni13j
@r_linux
My daily driver has a 7th gen intel CPU that is outside the range allowed by Win11. The laptop still works great for what i do with it (programming/light gaming) but with Win10 reaching EOL this year im looking into possible ways to extend its lifespan. I have some experience with Linux and I would just fully switch over to it but I do still need access to a windows environment.
Does anyone have any solutions/advice for how to move forward with this? I cant afford a new laptop right now so thats out of the question. Ive considered dual booting or just running a Win10 VM but im curious if there are other options that I dont know about.
https://redd.it/1jni13j
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
Docker OS
Would it be in theory possible to get away with the installation of the kernel, x11/wayland and drivers, adding a single user and then pulling all the linux images (like Arch, Fedora, Ubuntu etc) from DockerHub?
That way, one could run multiple OS-es using a single shared kernel in parallel while having the ability to switch between them efficiently if they are running on different tty's -- is that right, or am I missing something?
Wouldn't this be the perfect alternative to virtualization, as the images all had direct access to the hardware and nothing nedded to be emulated?
https://redd.it/1jnkals
@r_linux
Would it be in theory possible to get away with the installation of the kernel, x11/wayland and drivers, adding a single user and then pulling all the linux images (like Arch, Fedora, Ubuntu etc) from DockerHub?
That way, one could run multiple OS-es using a single shared kernel in parallel while having the ability to switch between them efficiently if they are running on different tty's -- is that right, or am I missing something?
Wouldn't this be the perfect alternative to virtualization, as the images all had direct access to the hardware and nothing nedded to be emulated?
https://redd.it/1jnkals
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
Did I just find a bug in the cowsay (and xcowsay) package!!
https://preview.redd.it/cdpzwl25vvre1.png?width=432&format=png&auto=webp&s=561066cca9cdadd1456df8a7d688ccc35a1c3656
Both the packages do werid stuff when exclamation marks are present in the sentence , but not all combinations (try them yourself).. i think the exclamation mark is giving some of the recent commands that have been executed!
https://redd.it/1jnl8jk
@r_linux
https://preview.redd.it/cdpzwl25vvre1.png?width=432&format=png&auto=webp&s=561066cca9cdadd1456df8a7d688ccc35a1c3656
Both the packages do werid stuff when exclamation marks are present in the sentence , but not all combinations (try them yourself).. i think the exclamation mark is giving some of the recent commands that have been executed!
https://redd.it/1jnl8jk
@r_linux
Windows muscle memory somehow works out
I just had an interesting experience with Linux here...
I have an incredibly strong muscle memory for keyboard use of Windows. Just recently, I opened a terminal on Linux by pressing Windows Key, typing "cmd", pressing enter, all very quickly without looking at the screen or thinking. And somehow, that was a completely valid action, and it opened Konsole.
I'd just like to thank everyone involved who decided that "cmd" could be a synonym for Konsole when typed into the start menu in KDE. It's really helpful for heavy keyboard users who haven't made the complete mental switch over.
https://redd.it/1jnm6ea
@r_linux
I just had an interesting experience with Linux here...
I have an incredibly strong muscle memory for keyboard use of Windows. Just recently, I opened a terminal on Linux by pressing Windows Key, typing "cmd", pressing enter, all very quickly without looking at the screen or thinking. And somehow, that was a completely valid action, and it opened Konsole.
I'd just like to thank everyone involved who decided that "cmd" could be a synonym for Konsole when typed into the start menu in KDE. It's really helpful for heavy keyboard users who haven't made the complete mental switch over.
https://redd.it/1jnm6ea
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
My experience with Linux, and some questions I have.
Hey yall! I know you probably get a million of these a day, but I have been using Debian for about 2 years now. Not very well necessarily.
I started on windows xp, and then 7, then 10. I am currently booting Debian using WSL and streaming the Debian desktop to a separate window instead of duel booting. My pc is in need of a motherboard change, and until then I don't really have many storage options.
My questions are as follows,
1. What are some recommendations for moving to Linux more often, and for distribution choices?
I use Debian a bit, but I do want a windows like experience without the need to get something like Ubuntu or Mint. I've used then and just don't enjoy them much.
2. Any tips for gaming? I use my pc for a ton of gaming, I have a 4070ti, but I don't have a good motherboard. I have a 5600x in a b450m board, with 2 small m.2 slots. I'll link my steam account so people can see my games. My profile is public.
I've heard Nvidia drivers aren't great, and I've also heard that there's some compatibility issues with some games and anti cheat.
3. For general work use is Linux good? I currently do work in automation and controls engineering, so a lot of what I do is programing plcs, hmis, scada systems, and the like. I've never been able to get Allen Bradley software working on debian, or kali, nor have I been able to use it for my scada systems. Everything we've done is based off of modified versions of windows 10 for security. I can ofc make programs and database changes at home, then upload my programs at work as I have done before.
4. I really don't want to move to windows 11, is there a good combo where I could continue using 10 with 0patch, and then use Linux for my daily driver? Most of what I'd be doing in 10 would be work if I can't get my programs to run on linux.
5. I know for retro gaming, Linux distributions are pretty good, like batacera. I've been using Knulli for a bit now, but for general use on mini pcs I haven't had much luck. Any advice on a good distribution for that or any customizable forks?
6. I know some Linux syntax, and I use a massive unix and Linux shell programming book when I need help with the general syntax, yes I could Google it, but most of the time I can find conflicting results or stuff that just doesn't work. Is there any tips or tricks for remembering things easier like this? I've never been super good at learning syntax for languages and command lines.
7. I do console repairs and mods, a lot of the programs I've been using for a bit have either windows only versions or Linux only versions. I don't know much about emulating windows programs on Linux, but is there a way to get around this? Kinda similar to 3.
That all I have for now. I don't meant this to be a low effort post if it seems like it. I just want to get more into Linux now that Windows 10 is at the end of its life, and I'd like to be able to actually work on it.
Thanks yall, and hope you have a goodnight.
https://redd.it/1jnshow
@r_linux
Hey yall! I know you probably get a million of these a day, but I have been using Debian for about 2 years now. Not very well necessarily.
I started on windows xp, and then 7, then 10. I am currently booting Debian using WSL and streaming the Debian desktop to a separate window instead of duel booting. My pc is in need of a motherboard change, and until then I don't really have many storage options.
My questions are as follows,
1. What are some recommendations for moving to Linux more often, and for distribution choices?
I use Debian a bit, but I do want a windows like experience without the need to get something like Ubuntu or Mint. I've used then and just don't enjoy them much.
2. Any tips for gaming? I use my pc for a ton of gaming, I have a 4070ti, but I don't have a good motherboard. I have a 5600x in a b450m board, with 2 small m.2 slots. I'll link my steam account so people can see my games. My profile is public.
I've heard Nvidia drivers aren't great, and I've also heard that there's some compatibility issues with some games and anti cheat.
3. For general work use is Linux good? I currently do work in automation and controls engineering, so a lot of what I do is programing plcs, hmis, scada systems, and the like. I've never been able to get Allen Bradley software working on debian, or kali, nor have I been able to use it for my scada systems. Everything we've done is based off of modified versions of windows 10 for security. I can ofc make programs and database changes at home, then upload my programs at work as I have done before.
4. I really don't want to move to windows 11, is there a good combo where I could continue using 10 with 0patch, and then use Linux for my daily driver? Most of what I'd be doing in 10 would be work if I can't get my programs to run on linux.
5. I know for retro gaming, Linux distributions are pretty good, like batacera. I've been using Knulli for a bit now, but for general use on mini pcs I haven't had much luck. Any advice on a good distribution for that or any customizable forks?
6. I know some Linux syntax, and I use a massive unix and Linux shell programming book when I need help with the general syntax, yes I could Google it, but most of the time I can find conflicting results or stuff that just doesn't work. Is there any tips or tricks for remembering things easier like this? I've never been super good at learning syntax for languages and command lines.
7. I do console repairs and mods, a lot of the programs I've been using for a bit have either windows only versions or Linux only versions. I don't know much about emulating windows programs on Linux, but is there a way to get around this? Kinda similar to 3.
That all I have for now. I don't meant this to be a low effort post if it seems like it. I just want to get more into Linux now that Windows 10 is at the end of its life, and I'd like to be able to actually work on it.
Thanks yall, and hope you have a goodnight.
https://redd.it/1jnshow
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
"Disk re-encryption in Linux" by Stepan Yakimovich -- "Disk encryption is an essential technology for ensuring data confidentiality, and on Linux systems, the de facto standard for disk encryption is LUKS (Linux Unified Key Setup)."
https://is.muni.cz/th/zjyql/?lang=en
https://redd.it/1jnsswj
@r_linux
https://is.muni.cz/th/zjyql/?lang=en
https://redd.it/1jnsswj
@r_linux
Reddit
From the linux community on Reddit: "Disk re-encryption in Linux" by Stepan Yakimovich -- "Disk encryption is an essential technology…
Posted by throwaway16830261 - 9 votes and 2 comments
Other Linux builds besides Rocknix or Batocera for the Retroid Pocket 5.
For the Retroid Pocket 5...
I'm trying Rocknix Linux right now, but it's very limited, I don't like the UI, because I want a more open desktop type environment, and I want more freedom to use more apps and do computer type stuff like some light programming on this thing.
Is the Retroid Pocket 5 capable of properly booting into basic Debian image, then for me to install an environment like Q4OS. Or even just to boot into an already graphical environment based Linux OS, like some other Ubuntu or Debian build?
Booting from an SD card if that helps.
Also, I don't know if this server is really for asking specific questions for devices like this, just thought I'd try to post it here.
If this violates any rules, or can't be answered here, just delete it, moderators.
https://redd.it/1jnt7ik
@r_linux
For the Retroid Pocket 5...
I'm trying Rocknix Linux right now, but it's very limited, I don't like the UI, because I want a more open desktop type environment, and I want more freedom to use more apps and do computer type stuff like some light programming on this thing.
Is the Retroid Pocket 5 capable of properly booting into basic Debian image, then for me to install an environment like Q4OS. Or even just to boot into an already graphical environment based Linux OS, like some other Ubuntu or Debian build?
Booting from an SD card if that helps.
Also, I don't know if this server is really for asking specific questions for devices like this, just thought I'd try to post it here.
If this violates any rules, or can't be answered here, just delete it, moderators.
https://redd.it/1jnt7ik
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
Distro based on a virtual environment or containerization type approach
Basically I mean a distro where there Is an option to make venvs like Python to install a specific package such that deleting that venv deletes everything related to it.
1. Do flatpaks/snaps work like that?
2. If no, Does a distro like this exist? I vaguely remember reading this in some article but am unsure.
3. Is this approach actually feasible
https://redd.it/1jnwimp
@r_linux
Basically I mean a distro where there Is an option to make venvs like Python to install a specific package such that deleting that venv deletes everything related to it.
1. Do flatpaks/snaps work like that?
2. If no, Does a distro like this exist? I vaguely remember reading this in some article but am unsure.
3. Is this approach actually feasible
https://redd.it/1jnwimp
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
Linux browser security technical details
Hi all, hopefully this is an OK place to post this; I'm interested in having a bit of a discussion of the technical details of browser security on Linux, mostly because I can't find any solid resources that consolidate all info into one place and, particularly when it comes to flatpak, there seems to be a lot of opinions presented as fact without any evidence or even ignoring key technical aspects of the discussion. This is partly musings on what I can find so far and partly an invitation/request for comment, particularly on the Webkit side.
What I'm most interested in is the security properties of browsers available on Linux with respect to host/browser isolation, tab to tab isolation, and privacy (ie isolating browsing activity from the vendor(s))
As far as running natively, Chromium based browsers seem to have the most robust sandboxing - they use user namespaces and seccomp-BPF to create a multi-layer, hardened sandbox. Firefox in theory uses the same approach but are maybe a touch behind just because there's less effort invested in auditing, testing and hardening their sandbox because of the smaller overall market share. Webkit (biggest example being Epiphany/Gnome Web) uses some sort of sandbox, beyond that I can't find any details so I have no idea if they use seccomp-BPF, user namespaces or both, searching for details of their sandboxing just gets flooded out by discussions of Flatpak and Chromium due to the shear volume. In theory they inherit work on sandboxing from the underlying Webkit which should have additional work put into it by Apple though so the small share of Webkit browsers on Linux might not hold it back as much as Mozilla's limited resources do, which might help them keep up with the bigger players.
For running in a flatpak, the discussion space is flooded with half baked opinions and misunderstandings that completely ignore the fact that host/browser isolation isn't really the same thing as tab to tab isolation and they can (and should) be analysed separately. Flatpak blocks containerised applications from direct access to user namespaces, which means that browsers inside a flatpak can't use that features to sandbox between tabs. A lot of people frame this as "replacing the browser sandbox with a weaker sandbox" but that's completely ignoring the fact that, properly configured, a flatpak sandbox will provide stronger isolation between the browser and the OS since flatpak provides a much simpler and stricter interface between the container and the host than the much more complex interface between a browser and the host, and the fact that flatpak uses the exact same technology - user namespaces - that it's barring containers from accessing, that's the entire reason they block access to it in the first place, so the container can't just reconfigure the namespace and try and escape. This is an important consideration because, in theory, a smaller interface between the upstream sandbox, flatpak, and the OS means that there's a lower chance of malicious code breaking all the way through to the host than there would have been for it to break out of the browser sandbox when running natively. Also worth noting that flatpak allows this to be mitigated by providing a nested namespace tool.
Within the above limits, there's a few approaches. A lot of Chromium browsers use Zypack to emulate the old SetUID approach to the top layer sandbox by effectively tricking the browser into requesting flatpak to set up namespaces for it. A few use a patch that directly calls the flatpak namespace API instead. Firefox just switches off layer 1 sandboxing and relies entirely on seccomp-BPF - in theory this is less secure, in practice the Firefox devs not-unreasonably point out that seccomp-BPF seems to be pretty secure so far (although if that's the case why bother with user-namespaces?). Also of note is that neither Chromium nor Firefox use userns on systems where that feature is disabled, which has historically been the case on a number of Debian based systems and seems to
Hi all, hopefully this is an OK place to post this; I'm interested in having a bit of a discussion of the technical details of browser security on Linux, mostly because I can't find any solid resources that consolidate all info into one place and, particularly when it comes to flatpak, there seems to be a lot of opinions presented as fact without any evidence or even ignoring key technical aspects of the discussion. This is partly musings on what I can find so far and partly an invitation/request for comment, particularly on the Webkit side.
What I'm most interested in is the security properties of browsers available on Linux with respect to host/browser isolation, tab to tab isolation, and privacy (ie isolating browsing activity from the vendor(s))
As far as running natively, Chromium based browsers seem to have the most robust sandboxing - they use user namespaces and seccomp-BPF to create a multi-layer, hardened sandbox. Firefox in theory uses the same approach but are maybe a touch behind just because there's less effort invested in auditing, testing and hardening their sandbox because of the smaller overall market share. Webkit (biggest example being Epiphany/Gnome Web) uses some sort of sandbox, beyond that I can't find any details so I have no idea if they use seccomp-BPF, user namespaces or both, searching for details of their sandboxing just gets flooded out by discussions of Flatpak and Chromium due to the shear volume. In theory they inherit work on sandboxing from the underlying Webkit which should have additional work put into it by Apple though so the small share of Webkit browsers on Linux might not hold it back as much as Mozilla's limited resources do, which might help them keep up with the bigger players.
For running in a flatpak, the discussion space is flooded with half baked opinions and misunderstandings that completely ignore the fact that host/browser isolation isn't really the same thing as tab to tab isolation and they can (and should) be analysed separately. Flatpak blocks containerised applications from direct access to user namespaces, which means that browsers inside a flatpak can't use that features to sandbox between tabs. A lot of people frame this as "replacing the browser sandbox with a weaker sandbox" but that's completely ignoring the fact that, properly configured, a flatpak sandbox will provide stronger isolation between the browser and the OS since flatpak provides a much simpler and stricter interface between the container and the host than the much more complex interface between a browser and the host, and the fact that flatpak uses the exact same technology - user namespaces - that it's barring containers from accessing, that's the entire reason they block access to it in the first place, so the container can't just reconfigure the namespace and try and escape. This is an important consideration because, in theory, a smaller interface between the upstream sandbox, flatpak, and the OS means that there's a lower chance of malicious code breaking all the way through to the host than there would have been for it to break out of the browser sandbox when running natively. Also worth noting that flatpak allows this to be mitigated by providing a nested namespace tool.
Within the above limits, there's a few approaches. A lot of Chromium browsers use Zypack to emulate the old SetUID approach to the top layer sandbox by effectively tricking the browser into requesting flatpak to set up namespaces for it. A few use a patch that directly calls the flatpak namespace API instead. Firefox just switches off layer 1 sandboxing and relies entirely on seccomp-BPF - in theory this is less secure, in practice the Firefox devs not-unreasonably point out that seccomp-BPF seems to be pretty secure so far (although if that's the case why bother with user-namespaces?). Also of note is that neither Chromium nor Firefox use userns on systems where that feature is disabled, which has historically been the case on a number of Debian based systems and seems to
still be the case on Ubuntu if AppArmor isn't configured for a given application. There's absolutely no information I can find whatsoever as to what Webkit does here - if they use seccomp-BPF only when running natively presumably they just keep doing that in a flatpak, but I can't find any details about this.
Any thoughts? Anything I've missed? I'm pretty sure everything I've said is accurate so far but I'm coming at this from the standpoint as a hobbyist sysadmin with some additional interest in security, I'm not a coder by any stretch and would very much appreciate hearing the thoughts of others here, particularly if anyone can detail what Webkit uses.
https://redd.it/1jnykfm
@r_linux
Any thoughts? Anything I've missed? I'm pretty sure everything I've said is accurate so far but I'm coming at this from the standpoint as a hobbyist sysadmin with some additional interest in security, I'm not a coder by any stretch and would very much appreciate hearing the thoughts of others here, particularly if anyone can detail what Webkit uses.
https://redd.it/1jnykfm
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community