On Jul 14, 2017, at 12:54 PM, Florian Weimer
> The app store model also assumes that the app store operator acts as
> some sort of gatekeeper, so there has to be some policy enforcement at
> this level, too. It is not sufficient to pass through just what the
> application developer asked for.
This is only a problem because Flatpak is currently following the IMO
rather busted old Android model. With very few, if any, exceptions, I
think a much better model would be for an application to start with
basically no permissions and to have to ask for fine-grained
permissions as needed. Think iOS but tighter. By default, an app
shouldn't be able to use the network, see what other applications are
installed, or get your unique advertising ID without explicit consent,
let alone access your dotfiles.
I would like to see a situation in which running random Flatpaks is as
safe or safer than visiting random webpages, at least insofar as the
*intentional* surface by which it can damage you should be as small or
smaller than that of a webpage.
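The default-deny model argued for above can be checked mechanically against what a Flatpak actually asks for. The following is an added example, not code from the original message, from Flatpak, or from its author: a small Python audit that takes the `finish-args` list of a manifest (the flags `flatpak-builder` turns into the app's sandbox permissions) and grades each grant against a policy where an app should start with nothing. The two manifests and the app-id `org.example.ChatApp` are constructed for illustration; the severity ranking and the portal suggestions are this example's own classification, not a Flatpak-project policy. The flag names themselves (`--share=`, `--socket=`, `--filesystem=`, `--device=`, `--talk-name=`) are real Flatpak sandbox options.

```python
"""Audit a Flatpak manifest's finish-args against a default-deny policy.

Added example: the manifests below are constructed, and the rule set is an
illustrative ranking, not an official Flatpak or Flathub review policy.
"""
import json
import re

# Constructed manifest (hypothetical app) with the kind of broad, up-front
# grants the thread objects to: network, whole home directory, X11, etc.
BROAD_MANIFEST = json.dumps({
    "app-id": "org.example.ChatApp",
    "finish-args": [
        "--share=ipc",
        "--share=network",
        "--socket=x11",
        "--socket=pulseaudio",
        "--filesystem=home",
        "--talk-name=org.freedesktop.Flatpak",
        "--device=all",
        "--env=DEBUG=1",
    ],
})

# Constructed manifest for the same hypothetical app, rewritten to request
# only per-app resources and to rely on portals for everything else.
TIGHT_MANIFEST = json.dumps({
    "app-id": "org.example.ChatApp",
    "finish-args": [
        "--socket=wayland",
        "--socket=pulseaudio",
        "--filesystem=xdg-download:ro",
    ],
})

# (regex over one finish-arg, severity, reason, what to use instead).
# Severity 3: grant is roughly equivalent to running unsandboxed.
# Severity 2: broad access to user data, devices or the network.
# Severity 1: a per-app resource that is fine if the user was actually asked.
RULES = [
    (r"^--talk-name=org\.freedesktop\.Flatpak$", 3,
     "can ask the Flatpak service to run commands on the host (sandbox escape)",
     "drop it; there is no legitimate replacement for an ordinary app"),
    (r"^--filesystem=(host|host-os|host-etc)(:ro)?$", 3,
     "the whole host filesystem", "FileChooser portal for user-picked files"),
    (r"^--socket=(session-bus|system-bus)$", 3,
     "unfiltered D-Bus reaches every service on the bus",
     "individual --talk-name= entries"),
    (r"^--socket=x11$", 3,
     "X11 lets any client read other clients' input and windows",
     "--socket=wayland (or --socket=fallback-x11)"),
    (r"^--device=all$", 2, "every device node", "--device=dri if GPU is needed"),
    (r"^--filesystem=home(:ro)?$", 2, "entire home directory, dotfiles included",
     "FileChooser portal, or an explicit xdg-* subdirectory"),
    (r"^--filesystem=~/\.[^:]*(:ro)?$", 2, "explicit dotfile/config path",
     "keep config under the app's own ~/.var/app directory"),
    (r"^--filesystem=(xdg-config|xdg-data|xdg-cache)(/[^:]*)?(:ro)?$", 2,
     "shared config/data of other applications", "app-private data directory"),
    (r"^--share=network$", 2, "network access",
     "no portal exists; this must be an explicit user-granted permission"),
    (r"^--share=ipc$", 1, "shared IPC namespace (needed mainly for X11)", "drop with X11"),
    (r"^--socket=pulseaudio$", 1, "audio output and microphone", "ask at first use"),
    (r"^--device=dri$", 1, "GPU access", "acceptable for graphical apps"),
]


def audit_finish_args(finish_args):
    """Return (arg, severity, reason, alternative) for every flagged grant."""
    findings = []
    for arg in finish_args:
        for pattern, severity, reason, alternative in RULES:
            if re.match(pattern, arg):
                findings.append((arg, severity, reason, alternative))
                break  # first matching rule wins
    return findings


def max_severity(findings):
    return max((sev for _, sev, _, _ in findings), default=0)


def audit_manifest(manifest_json):
    """Parse a manifest (JSON text) and audit its finish-args."""
    manifest = json.loads(manifest_json)
    return manifest["app-id"], audit_finish_args(manifest.get("finish-args", []))


def report(manifest_json):
    app_id, findings = audit_manifest(manifest_json)
    print(f"{app_id}: {len(findings)} flagged grants, worst severity {max_severity(findings)}")
    for arg, sev, reason, alternative in sorted(findings, key=lambda f: -f[1]):
        print(f"  [{sev}] {arg}: {reason}; instead: {alternative}")


if __name__ == "__main__":
    report(BROAD_MANIFEST)
    report(TIGHT_MANIFEST)
```

Running it on the two constructed manifests shows the gap the thread describes: the broad manifest is flagged for a host-escape-equivalent grant before the app has even started, while the tight one only carries audio, which is the sort of grant a runtime prompt could cover. Note that `--filesystem=...:ro` still exposes dotfile contents for reading, which is why the rules treat the `:ro` form no differently.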