Are AppImages a general security risk?

I have heard that AppImages depend on an outdated library.
But I need AppImages for some applications like Cryptomator, which are buggy as a Flatpak.

Is it ok to have some AppImages on the system?

1 Like

It depends on your threat model.

It’s best to avoid them, so I’d recommend reporting any bugs you find with the Flatpak to Cryptomator. In the meantime it might be better to install it from one of the repositories they endorse (PPA, AUR, Nix), if any of those apply to you. If your distro isn’t supported and you really want to avoid AppImages you could mess with Distrobox, but it can take time to learn and has its own downsides.

1 Like

I use AppImages to run many apps on various computers (PrismLauncher (because new versions don’t support offline bypass, but that’s not the topic), VeraCrypt (because updating manually is hell), StandardNotes and some more video/photo editing software).

It is not a “security nightmare”, but it acts as a raw binary, so it can abuse rights because of the lack of a sandbox, and it is still a “no trust = do not run” approach.

P.S.: Hashes and VirusTotal are always a good approach, but this isn’t bulletproof.
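
As an added example (not code from this thread, from the AppImage project or from Cryptomator), here is a POSIX shell wrapper that puts the two points above into practice: it checks the image’s SHA-256 against a digest you obtained out of band before touching it, reports whether the loader cache offers fuse2 (libfuse.so.2, which the AppImage runtime needs to mount itself) or fuse3, unpacks the image with the runtime’s own --appimage-extract flag so FUSE is not needed at all, and launches the unpacked AppRun under bubblewrap when it is installed. The file name, the expected digest, the sample ldconfig listing and the bubblewrap profile are assumptions to adapt; the digest check only proves you received the file the publisher released, not that the publisher shipped something benign.

```shell
#!/bin/sh
# Added example, not part of the thread or of any project's code.
# Run an AppImage only after a checksum check, without relying on fuse2,
# and inside a minimal bubblewrap sandbox when bwrap is available.
set -eu

# Compare the SHA-256 of file $1 with the expected hex digest $2.
# Returns 0 on match, non-zero on mismatch (the image must not be run).
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Is the shared object named $2 present in a loader cache listing $1
# (the text printed by `ldconfig -p`)? Exact match on the soname field.
lib_listed() {
    printf '%s\n' "$1" | awk -v so="$2" '$1 == so { found = 1 } END { exit !found }'
}

# Report which FUSE generations a listing offers: "fuse2", "fuse3",
# "fuse2 fuse3" or an empty string. The AppImage runtime needs fuse2;
# applications such as Cryptomator ask for fuse3, so both may be required.
fuse_flavours() {
    out=""
    lib_listed "$1" libfuse.so.2 && out="${out}fuse2 "
    lib_listed "$1" libfuse3.so.3 && out="${out}fuse3 "
    printf '%s\n' "${out% }"
}

# Constructed sample listing (two lines in `ldconfig -p` format), used
# only to illustrate fuse_flavours; a real run uses `ldconfig -p` itself.
SAMPLE_LISTING='	libfuse.so.2 (libc6,x86-64) => /lib/x86_64-linux-gnu/libfuse.so.2
	libfuse3.so.3 (libc6,x86-64) => /lib/x86_64-linux-gnu/libfuse3.so.3'

# Verify, unpack and launch AppImage $1 whose expected SHA-256 is $2.
run_appimage() {
    img=$(realpath "$1")
    if ! verify_sha256 "$img" "$2"; then
        echo "checksum mismatch, refusing to run $img" >&2
        return 1
    fi
    echo "FUSE on this host: $(fuse_flavours "$(ldconfig -p)")" >&2
    chmod u+x "$img"
    # --appimage-extract is handled by the AppImage runtime itself and
    # unpacks the payload into ./squashfs-root, so no FUSE mount happens.
    "$img" --appimage-extract >/dev/null
    launcher=./squashfs-root/AppRun
    if command -v bwrap >/dev/null 2>&1; then
        # Minimal profile: read-only view of the root, fresh /dev and
        # /proc, a scratch home so the app cannot read real dotfiles,
        # no network. Bind in extra paths (e.g. /dev/fuse for an app that
        # mounts volumes, or the X11 socket) only as the app needs them.
        bwrap --ro-bind / / --dev /dev --proc /proc --tmpfs "$HOME" \
              --unshare-net --die-with-parent "$launcher"
    else
        echo "bwrap not found; running without a sandbox" >&2
        "$launcher"
    fi
}

# Usage: sh run-appimage.sh Foo.AppImage <expected sha256 hex digest>
if [ $# -eq 2 ]; then
    run_appimage "$1" "$2"
fi
```

The digest should come from the publisher’s release page or a signed checksum file fetched separately from the image; a hash printed next to the download link on the same page proves nothing an attacker controlling that page could not forge.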


Actually, I have not found any serious problems with Cryptomator in the Flatpak version so far.

1 Like

I believe much of the security concern brought up by @Kabo is around AppImage’s reliance on the outdated and unmaintained fuse2 library, and not sandboxing concerns[1].


  1. Though sandboxing concerns are equally valid in my view ↩︎

1 Like

Correct me if I’m wrong, but doesn’t Cryptomator also use fuse2 to mount volumes?

1 Like

As far as I can tell, no, Cryptomator does not use fuse2 on Linux, and requires fuse3 instead.

Reference: Volume Types | Cryptomator Documentation

Linux-Based OS

FUSE

Requirements: Linux, fuse3 installed

FUSE on Linux works only if the fuse3 package is installed. Luckily, fuse3 comes pre-installed on many Linux distributions.

Note: this requirement is separate from the AppImage requirement for fuse2 to be installed.

1 Like