On 07/15/2017 01:43 PM, Matthew Miller wrote:
> On Fri, Jul 14, 2017 at 02:56:34PM -0700, Andrew Lutomirski wrote:
>> This is only a problem because Flatpak is currently following the IMO
>> rather busted old Android model. With very few, if any, exceptions, I
>> think a much better model would be for an application to start with
>> basically no permissions and to have to ask for fine-grained
>> permissions as needed.  Think iOS but tighter.  By default, an app
>> shouldn't be able to use the network, see what other applications are
>> installed, or get your unique advertising ID without explicit consent,
>> let alone access your dotfiles.
>
> I don't agree. With this model, every time you try to do something,
> you're bombarded with questions asking if you want to do the thing you
> tried to do. It gets very easy to fall into a default of clicking a
> bunch of yesses all the time. That serves no *real* security benefit
> and yet adds to user annoyance. There's gotta be a better way than
> that.
That depends on whether the process Andrew described happens every time you run the app, or only when the packager prepares a Flatpak, in which case the annoying questions are asked of the knowledgeable packager, and only once. Of course this assumes that it's practical to do a complete run-through of all the different code paths, which may be questionable for large apps.
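For readers unfamiliar with where those packager-time decisions actually live, here is an added illustration (not from this thread, and not any real project's manifest) of the relevant part of a flatpak-builder manifest. The `finish-args` list is what grants the sandboxed app its static permissions at build time; the app id `org.example.Notes` is a placeholder, and the point is the contrast between the first two entries, which are the kind of broad grant Andrew objects to, and the commented-out narrower alternatives a careful packager would choose instead after walking through what the app really needs.

```json
{
  "app-id": "org.example.Notes",
  "runtime": "org.freedesktop.Platform",
  "runtime-version": "1.6",
  "sdk": "org.freedesktop.Sdk",
  "command": "notes",
  "finish-args": [
    "--socket=x11",
    "--socket=wayland",
    "--share=ipc",

    "--share=network",
    "--filesystem=home"

    /* Narrower grants a packager could settle on after a code walk-through
       (JSON has no comments; this is annotation for the reader, not manifest syntax):
       drop "--share=network" entirely if the app never talks to the network,
       and replace "--filesystem=home" (which exposes dotfiles such as ~/.ssh)
       with a scoped directory, e.g. "--filesystem=xdg-documents",
       or with no filesystem grant at all, letting the app open files
       through the file-chooser portal so each access is a user decision
       made once per file rather than a blanket grant. */
  ],
  "modules": [
    {
      "name": "notes",
      "buildsystem": "meson",
      "sources": [
        { "type": "dir", "path": "." }
      ]
    }
  ]
}
```

On the user side, the static grants are visible with `flatpak info --show-permissions org.example.Notes`, and a user who disagrees with the packager can tighten them locally without a prompt loop, e.g. `flatpak override --user --nofilesystem=home org.example.Notes`; that is roughly the "ask the knowledgeable person once" model rather than the per-action dialog Matthew is objecting to.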