this post was submitted on 28 Jan 2024
37 points (80.3% liked)
Linux
48328 readers
636 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
We (ublue) remove Firefox and install the flatpak because you want your browser to update when it needs to update, and not only when your OS image updates.
Even on the main images?
The problem is
rpm-ostree override remove
ing it makes it impossible to reinstall as a native package.Those we leave alone, they're really only meant as a base for other images anyway.
Not being able to relayer it is a good thing in this case, you don't want the browser to have any limits on when it can update.
If you need something other than the flatpak, I would recommend installing it in a Fedora distrobox and exporting it.
Browsers need usernamespaces to isolate Tabs from another. At least thats how Chromium does it, and I think Firefox does too.
Flatpak Chromium browsers are very experimental, Zypak is a thing and it sounds nice, spawning a seperate flatpak process instead. But its probably less secure than what is officially supported.
This is why there is no official Flatpak Chromium Browser, Vivaldi actively decided against because of that thing. The Chromium Flatpak does something better, but this was (at least some time ago) not done in other Flatpak Chromium Derivates.
Firefox is supposedly more compatible with the restrictions of Flatpak as it doesnt use user namespaces, but there also is no statement on how they do it, how it can be equally secure etc.
Browser can be best ran in Bubblejail, allowing user namespaces but the rest being blocked just as in Flatpak. The issue is simply that the bubblewrap in Flatpak uses a single seccomp filter, while just Browsers should be allowed to spawn user namespaces.
I am not sure about Distrobox, the Apps are spawned in a seperate user namespace but I suppose they can still use user namespaces anyways. But this is unnecessary overhead without any reason. One could isolate the Distrobox from the system, but portals dont cover that afaik.
So it stays a no. I think if the main image would not include Firefox, projects like Secureblue wouldnt need to actively remove Firefox so users could still layer it regularly. The problem is with having it included and downstream Distros removing it via an override.