pona-a 8 months ago

How so? I'm writing this from an Fedora Sericea, which is Silverblue but with Sway instead of GNOME. Atomic Fedoras solve only package hysteresis (your package manager being unable to reproduce the intended system state because of unaccounted for changes) by generating the root file system with OSTree. It has nothing to do with sandboxing the applications themselves.

Reply View 4 replies
  • Arnavion 8 months ago

    It does in the sense that all the applications you install will be via flatpak, so they get sandboxed that way. Of course it depends on how locked down the sandbox is configured for each of those applications.

    Reply View 3 replies
    • yencabulator 8 months ago

      The S in Flatpak stands for Security.

      Flatpak is primarily a convenience mechanism for app makers. Any security boundary you may find in it is optional, all defaults are always toward not breaking apps. Apps pretty much uniformly either silently get read access to all your files, and even when that is not true they often get permanent read-write access to any file you open in them.

      Go look at the permissions for GNOME Papers. Try to argue that it's "sandboxed".

      Reply View 2 replies
      • akimbostrawman 8 months ago

        >Apps pretty much uniformly either silently get read access to all your files

        This is outdated information. The situation has improved since the publishing of flatkill with flathub loudly warning about permissions and less apps having full R/W access.

        Android apps can be configured insecurely too although less severe, still it's the users responsibility to check and modify permission.

        In either case it's a substantial improvement from no isolation at all with much easier handling than other sanbox tools or MACs.

        Reply View 1 reply
        • yencabulator 8 months ago

          > less apps having full R/W access.

          Not good enough when apps can still silently have full access to home and /media without the user even realizing.

          Reply View 0 replies
tholdem 8 months ago

It may be in the future, but for now it is no different from Fedora Workstation in terms of security. Please correct me if I am wrong. AFAIK Silverblue has no additional sandboxing or any other improvements to security.

Reply View 4 replies
  • JCattheATM 8 months ago

    Pretty sure Fedora, being based on Red Hat, has the strongest SELinux policy in place by default, and SELinux is pretty much the best sandboxing option available other than actual virtualization.

    Reply View 3 replies
    • tholdem 8 months ago

      Yes, but this was about Silverblue and how it implements some additional sandboxing, which it doesn't. SELinux is great, but maintaining it and creating configs is huge amount of work and where on AOSP, every process is strictly confined with SELinux, on Fedora, not so much. Not to mention the additional software the user installs. Not at all comparable to real Android or iOS sandboxing.

      Reply View 2 replies
      • JCattheATM 8 months ago

        It's generally only initial work to make the policies to maintain a program, maintaining doesn't even really exist unless the program radically changes in some way.

        Fedora is notable because any software installed via repositories has a policy written for it, so it is already far more in effect than you might realize.

        It's entirely comparable to Android sandboxing because it's part of the foundation of Android sandboxing.

        Reply View 0 replies