Which is more secure? I read that flatpaks do not make full use of SELinux, while native packages have basically no isolation or permission control. What do you think? I would like to install everything as native packages for better integration and user experience, but I worry that I sacrifice security.
For example, if I open a malicious PDF with a PDF viewer, will I be more secure if the PDF viewer is a flatpak?
What is the reason you are asking this question from a security perspective?
I mean... this will basically come down to your threat model, practically speaking. Native packages are not updated as often if the app makers are not maintaining flatpaks at the same rate. Flatpaks are popular and mostly used on Fedora especially for a reason.
Unless your threat model is so high that such questions are something you have to seriously consider, I would imagine you’d be using Whonix or Tails or Qubes. But since you are using Fedora, I would say you’re fine using Flatpaks for most apps except browsers. For browsers, use the native package as much as possible.
Neither flatpaks nor native packages (rpms) use SELinux on Fedora by default. SELinux is only used to confine most rootful processes.
I’m probably missing some exceptions but I’ve always understood the best practice is to prefer Flatpaks except for Chromium and Firefox based browsers, which should be installed “natively”.
imo the whole point of choosing a distro is based on how they handle packaging and using flatpaks completely sidesteps that
flatpaks only have the advantage that they are somewhat sandboxed via bubblewrap
flatpaks also have the downside that the runtimes aren’t necessarily updated as frequently as they should be, so a library with a vulnerability may be patched quicker by your distro than the runtime maintainer
I’m a proponent of using both firejail and doing most of your computing in disposable virtual machines, so I only use flatpak for programs that aren’t available in the distro.
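The "somewhat sandboxed" point above is worth making concrete: how much isolation bubblewrap actually gives a Flatpak depends on the static permissions the app declares, which `flatpak info --show-permissions APP` prints as a `[Context]` block. The script below is an added example (mine, not any poster's) that flags the permissions which widen that sandbox; both `[Context]` samples are constructed, not taken from a real app.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: audit the static permissions a Flatpak
# declares, because how much bubblewrap actually isolates an app depends on them.
# Input is the [Context] section as printed by `flatpak info --show-permissions APP`.

# Constructed sample for a hypothetical PDF viewer (not a real app's manifest).
SAMPLE_PERMISSIONS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home;xdg-download;
'

# Constructed sample of a tightly scoped app: Wayland only, no host files, no network.
SAFE_PERMISSIONS='[Context]
sockets=wayland;
'

# Print one line per permission that widens the sandbox beyond the default.
# Prints nothing when the declared permissions keep the app fully contained.
audit_flatpak_permissions() {
    printf '%s\n' "$1" | while IFS='=' read -r key values; do
        case "$key" in ''|'['*) continue ;; esac      # skip header and blank lines
        old_ifs=$IFS; IFS=';'                          # values are ';'-separated
        for v in $values; do
            case "$key=$v" in
                filesystems=home|filesystems=host|filesystems=host-os|filesystems=host-etc)
                    echo "$key=$v: read/write access to files outside the sandbox" ;;
                filesystems=/*|"filesystems=~/"*)
                    echo "$key=$v: explicit host path exposed to the app" ;;
                sockets=x11)
                    echo "sockets=x11: X11 does not isolate clients from each other" ;;
                sockets=session-bus|sockets=system-bus)
                    echo "$key=$v: unfiltered D-Bus access, which largely negates the sandbox" ;;
                shared=network)
                    echo "shared=network: the app can reach the network" ;;
                devices=all)
                    echo "devices=all: full access to /dev" ;;
            esac
        done
        IFS=$old_ifs
    done
}

audit_flatpak_permissions "$SAMPLE_PERMISSIONS"
```

On a real system, pipe the output of `flatpak info --show-permissions APP` into the function instead of the constructed sample; a PDF viewer with `filesystems=home` can still read and overwrite everything in your home directory, sandbox or not.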
this question has already been asked a dozen times on here, better to search for other threads on it.