upvote

points

by guiambros11 hours ago |
comments
upvoteby Ferret744610 hours ago|
[-]
The same is true for all software on your machine.
reply
upvoteby Groxx9 hours ago|
parent|
[-]
Not even slightly. Browser extensions are a trivial counter-example, as are all flatpacks, and anything restricted by user/group. That covers probably literally a majority of all software on your computer, because people have been voluntarily restricting their software to protect you from their potential accidents for decades.
reply
upvoteby Flimm3 hours ago|
parent|
next
[-]
In practise, Flatpak packages have many more permissions than you might expect, and the sandbox feature gives a false sense of security. For example, the Obsidian Flatpak package [0] is given all of the following abilities without explicit permission from the user (the user has to know where to look to find out about them):

- Home folder read/write access

- System folder media

- System folder mnt

- Microphone access and audio playback

- And more...

The Obsidian snap [1] is installed with the --classic flag, which also grants access to the whole home directory, but at least you have to consciously specify the --classic flag to grant this permission.

[0] - https://flathub.org/en/apps/md.obsidian.Obsidian

[1] - https://snapcraft.io/obsidian

reply
upvoteby poulpy12327 minutes ago|
parent|
prev|
next
[-]
> flatpacks

flatpacks have access to all my files, they would be useless without. And they are the only sensitive files in my computers

reply
upvoteby ImPostingOnHN8 hours ago|
parent|
prev|
[-]
> That covers probably literally a majority of all software on your computer

If you're running GNU/Linux, chances are you'll have hundreds, if not thousands, of pieces of software that run totally unsandboxed.

Yes, a very small minority of applications are unfortunately primarily distributed via flatpak or snap, and the distributors don't care about the user experience, so it's error-ridden and problem-ridden, but chances are you can get a "normal computer program" version of it unencumbered by such grossness.

reply
upvoteby Groxx8 hours ago|
parent|
[-]
And tons won't be part of e.g. root, or dialout (to pick one I've had to deal with a lot lately), or many other more-privileged-than-default groups, yes. That's a permissions system working as intended.

Besides. They said "all software on your machine". That is trivially false, to a significant degree.

reply