You can also do that with packages in AUR eg 1password, but you’d also want to check nothing else is added to the PKGBUILD before installing it. Yay makes that rather easy.
With something like Fedora, you can check the rpm spec in COPR. The actual RPMs are built on Fedora’s servers, so it’s not possible for someone to “upload” an RPM there.
With Pagure you can configure your git repo to sync with an upstream repo, but not build packages automatically. That way you could check the RPM spec before clicking build button. Alternatively you could fork repo with the rpm spec and then just sync with a remote. I am sure you could do this with OBS as well.
That’s one of the features I love most about the AUR. I’ve observed the same thing in COPR and like it more than OBS, which seemed much more complicated. I didn’t know about Pagure though!
But in terms of trusting every package on your system by verifying all of the build scripts, that’s only possible on source-based distributions.
Reproducible builds are an important step forward but someone has to actually verify the build, and you need to trust the person who verifies it, or do it yourself, and if you do it yourself, you might as well use a source-based distribution
Realistically nobody is ever going to do that. The base system is going to include 1000+ packages.
I think it’s fair to say its unlikely a main distributor is going to be in your threat model. Typically this is why I would never recommend niche distributions.
To test this, I installed Tumbleweed on KVM. Almost no AppArmor profile was created for any application I installed with the package manager, including Firefox. I understand that Tumbleweed also requires manual profile setting. But snap, installed by default in Ubuntu, creates AppArmor profile as expected for application access permission management etc. So, regardless of the distribution, wouldn’t it be better for average home PC users to use snap on their systems without worrying about things like the snap store using closed source code?
Or do average home PC users not bother with additional configuration for applications they install from the official repository, or for binary installed applications like Mullvad Browser, on Fedora set to “enforcing” SELinux?
Depends on the Snap’s permission, but for many confined snaps it might indeed be better from a security perspective. Bonus with Snaps is that many of the popular Snaps are official.
On Fedora most processes run unconfined. By-default more processes are confined than on Apparmor distros, but these are mainly system stuff and no user applications.
That repo looks more maintained than the apparmor-profiles by the looks of it.
They use confinement for system processes under the targeted policy, while user processes are not which is more a less the same.
With the Firefox snap, also does not interfere with the User Namespaces sandbox and therefore is set to true under about:support. See Does Flatpak weaken Chromium/Firefox's sandbox? With Chrome it’s less of an issue because of Zygote’s spawn strategy.
What I do mostly for ease is use the distributor’s package for Firefox/Chromium as I consider it secure enough and where I particularly care I containerize the app ie with podman which can take a seccomp filter list.
