Is there a reason to prefer Distrobox over Toolbox, except for the availability of more distros to choose from?
1 Like
Off-topic
I hear this with some frequency. Iâd be interested to really understand how distant is the security in gecko browsers. Firefox seems that implemented site isolation in 2021, but if I understand it right it doesnât fully isolate renderer processes per tab. The fission was reported by madaidans back in 2022 ânot as mature as Chromiumâs site isolation, and it will take many more years for it to reach that point.â
How is that measured?
This was raised back in 2022, did we see progress in this front? did the prediction fully materialized?
Then there is the sandbox issues in Linux. It is from my understand that X11 and PulseAudio isnât something affecting most people anymore with Wayland and Pipewire ascension. Remaining strengthening seccomp-bpf.
Have we saw some improvements with seccomp-bpf? For example, Firefoxâs sandbox now includes GPU process sandboxing and other hardening measures, no?
In general, for someone that isnât a target and take security measures in Linux, can we maybe reduce the potential inflamed claim that gecko based browsers are leagues behind in security compared to Chromium based browsers? Can and should we be challenging this view?
Just to be clear, Iâm talking about desktop gecko browsers only not Android browsers.
This is all offtopic but:
How is that measured?
This was raised back in 2022, did we see progress in this front? did the prediction fully materialized?
I havenât seen evidence that this has significantly changed since. If anything, the prediction was too favorable to Firefox, since Chromium has added new service sandboxes and sandboxing improvements since then.
For example, Firefoxâs sandbox now includes GPU process sandboxing and other hardening measures, no?
Disabled by default outside of Windows, AFAIK:
that isnât a target
This is a poor way to think about security. Opportunistic attacks/malware are common.
can we maybe reduce the potential inflamed claim that gecko based browsers are leagues behind in security compared to Chromium based browsers?
No. Itâs not inflamed. Itâs An Inconvenient Truth.
Can and should we be challenging this view?
When/if I find significant free time (whatâs that? 
) I may put together a github gist doing a deep dive into the code showing how little has changed on firefoxâs end and the ways chromium has pulled further ahead since. Or if PG folks have time to dig into the code, that might be a cool video to have? @jordan ?
1 Like
I was all excited, Brave didnât start and Telegram didnât give me the QR and as a novice I went back to Bluefin, I would have to learn to give permissions to all my programs, Iâm not interested in the short term, I hope the security reaches the dummies like me.
1 Like
Brave didnât start
Last I checked, Brave defaults to the X11 backend. I have no idea why they do this especially since itâs a security degradation. If this is the underlying cause, I recommend asking them to fix this on their issues page. 
Also reminder not to use flatpaked browsers (especially chromium-based browsers like Brave) as the flatpaking significantly weakens the internal browser sandboxing.
Telegram didnât give me the QR
Did you lock down flatpak permissions? If so, we make it clear that breakage is to be expected. It should be avoided if users donât want flatpaks breaking without manual permissions changes.
This will configure flatpak to automatically reject most permissions (with the exception of the Wayland socket and the Dri device, since these are commonly used and ensure at the very least most apps will work without crashing).
This will also grant Flatseal and Warehouse access to certain permissions to allow them to operate and make reconfiguring much easier.
NOTE: This will break just about all Flatpaks by default, it is ON YOU to configure them to work with this configuration.
NOTE 2: This DOES NOT enable hardened_malloc, use the harden-flatpak ujust command.