On Sat, 2017-07-15 at 13:43 -0400, Matthew Miller wrote:
> On Fri, Jul 14, 2017 at 02:56:34PM -0700, Andrew Lutomirski wrote:
> > This is only a problem because Flatpak is currently following the
> > rather busted old Android model. With very few, if any, exceptions,
> > I think a much better model would be for an application to start with
> > basically no permissions and to have to ask for fine-grained
> > permissions as needed. Think iOS but tighter. By default, an app
> > shouldn't be able to use the network, see what other applications
> > are installed, or get your unique advertising ID without explicit
> > permission, let alone access your dotfiles.
> I don't agree. With this model, every time you try to do something,
> you're bombarded with questions asking if you want to do the thing
> you tried to do. It gets very easy to fall into a default of clicking
> a bunch of yesses all the time. That serves no *real* security
> benefit and yet adds to user annoyance. There's gotta be a better way.
Flatpak doesn't really use either the old or new Android model - it
*does* try to have a better way of doing things.

There is a static set of upfront permissions that are associated with
the application - this is likely what Andy is thinking of. While they
are reasonably fine-grained, they are low-level, and we are unlikely to
present them in the user's default view as more than "sandboxed" vs.
"unsandboxed" - some permissions can be considered to be pretty safe
(talk to Wayland, talk to the external network), and others entirely
not safe (talk to X11, read/write the user's home directory).

These are not going to be used for things like "can read and write my
contacts", "can access my computer's camera", and whatever else
bugs you about - those use cases are handled by portals.

The primary user interaction of a portal is to show a user interface
for the task (opening a file, sending an email, printing, etc.) - and
let the user decide if they want to proceed or not. In the minority of
cases where this doesn't make much sense - say access to GPS - then the
portal asks the user, similar to the new Android style, and implements
smart memory behavior.
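The "sandboxed vs. unsandboxed" collapse of the static permissions described above, as an added example that is not part of this thread: it parses a `[Context]` group in the shape Flatpak stores in an app's metadata (constructed sample, not real output), honours `!`-revoked entries, and flags any grant outside the mail's rule of thumb. The safe list and the filesystem threshold are my assumptions, not something Flatpak defines.

```python
import configparser

# Constructed sample shaped like the [Context] group of an app's Flatpak metadata
# (the same keys `flatpak info --show-permissions` prints); not real output.
SAMPLE_PERMISSIONS = """\
[Context]
shared=network;
sockets=wayland;!x11;pulseaudio;
filesystems=xdg-download:ro;home;
"""

# Static permissions treated as acceptable inside the sandbox, following the
# mail's rule of thumb (Wayland and network: fine; X11 and home: not). Anything
# not listed counts as unsandboxed, i.e. fail closed; the list is my assumption.
SAFE_INSIDE_SANDBOX = {("shared", "network"), ("sockets", "wayland"), ("sockets", "pulseaudio")}

def parse_context(text):
    """Map each [Context] key to the set of entries it grants ('!' revokes)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    granted = {}
    for key, value in cp["Context"].items():
        allowed = set()
        for entry in filter(None, value.split(";")):   # trailing ';' leaves ''
            if entry.startswith("!"):
                allowed.discard(entry[1:])
            else:
                allowed.add(entry)
        granted[key] = allowed
    return granted

def classify(granted):
    """Collapse fine-grained grants into ("sandboxed", []) or ("unsandboxed", [grants])."""
    reasons = []
    for key, entries in granted.items():
        for entry in sorted(entries):
            if key == "filesystems":
                # Tolerate only a narrow read-only xdg-* directory; home, host
                # and anything writable punch through the sandbox (assumption).
                name, _, mode = entry.partition(":")
                if not (name.startswith("xdg-") and mode == "ro"):
                    reasons.append(f"filesystems={entry}")
            elif (key, entry) not in SAFE_INSIDE_SANDBOX:
                reasons.append(f"{key}={entry}")
    return ("unsandboxed" if reasons else "sandboxed"), reasons

def audit(text=SAMPLE_PERMISSIONS):
    return classify(parse_context(text))
```

For the sample, `audit()` reports `unsandboxed` because of `filesystems=home`, while the Wayland, PulseAudio and network grants pass.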