Anyone in my network interested in research and prototype network portal for Flatpak?
In the long run we are interested in:
• Give more control to users over app network access
• Allow apps that need network access to be considered “Safe”
We expect something like unsharing the network namespace and a bridge on the host for permissions / monitoring.
Boost welcome
1/2 🧵
#FediHire #Flatpak #Flathub #Linux #Snap #containers #Docker #freedesktop #Ubuntu #Fedora
This entry was edited (1 month ago)
Federico Mena Quintero reshared this.
Sonny
in reply to Sonny • • •Requirements
• System programming (C)
• relevant network technologies
• ideally Linux container technologies
• Good communication skills
It would be a contracting gig, and you'll be joining a great team:
https://foundation.gnome.org/2023/11/09/gnome-recognized-as-public-interest-infrastructure/
Send resume/portfolio to stf@gnome.org
2/2 🧵
GNOME Recognized as Public Interest Infrastructure – The GNOME Foundation
foundation.gnome.orgFederico Mena Quintero reshared this.
Astro
in reply to Sonny • • •Sonny
in reply to Astro • • •Flatpak, bubblewrap and the portals are written in C.
I'm not against writing the prototype in Rust but being comfortable with C is a requirement for the project.
Gary "grim" Kramlich
in reply to Sonny • • •Sonny
in reply to Gary "grim" Kramlich • • •@grimmy
Are you asking if the bridge would take care of NAT traversal for apps?
That's an interesting idea, but it's not in scope for now.
Gary "grim" Kramlich
in reply to Sonny • • •Sonny
in reply to Gary "grim" Kramlich • • •Gary "grim" Kramlich
in reply to Sonny • • •Neal Gompa (ニール・ゴンパ) :fedora:
in reply to Sonny • • •James Milne
in reply to Sonny • • •Astro
in reply to Sonny • • •Sonny
in reply to Astro • • •Kai Lu:ke
in reply to Sonny • • •Petr Menšík :fedora:
in reply to Sonny • • •Will Thompson
in reply to Sonny • • •Sonny
in reply to Will Thompson • • •@wjt
I disagree
• network can be used to talk to services on the host
• network is the only thing needed to scam people, see recent Snap crypto scam events
• some network usage are illegal in certain regions (ex bittorrent)
But more importantly, if we mark it as safe now, that's it, we lose the leverage to ever get something better than broad and uncontrolled network access or encourage apps to work offline first.
Valentin David
in reply to Sonny • • •Sonny
in reply to Valentin David • • •@Valentin @wjt
I was referring to torrenting (uploading) copyrighted material. And the fact that you can receive a fine after having used an app.
It might not be clear to users that's what an app is doing, see Popcorn Time.
Will Thompson
in reply to Sonny • • •Sonny
in reply to Will Thompson • • •@wjt
I can imagine something like a dialog
"Crypto wallet wants to communicate with xfever4ever.xz" yes/no
We can put some educational info in the dialog. We can put a big red flag warning if the domain is on a malware list etc
Sonny
in reply to Sonny • • •Will Thompson
in reply to Sonny • • •I think you are overestimating how much interest most people have in reading a domain name and guessing whether it is safe in order to use an app, rather than clicking through; and the ability of any human to determine whether e.g. d1anzknqnc1kmb.cloudfront.net is a safe domain to talk to. (That's the CDN that served Endless OS images for many years.)
It's an interesting R&D project but I would really like to see some user research on the intended flows to go with it.
Sonny
in reply to Will Thompson • • •@wjt research is part of the project
Note that Chrome and Firefox do exactly that with malware domain.
popey
in reply to Sonny • • •Sonny
in reply to popey • • •@popey @wjt
Good to know 👍
I don't want to focus too much on that case in the conversation.
It's a solved one for us by acknowledging that completely unrestricted network access is unsafe and doing manual reviews.
The way forward is how to consider apps with network needs as safe. Building a portal/API will bring a reasonable compromise.
As always, we'll make sure to share whatever we come up with.
Will Thompson
in reply to Sonny • • •James Henstridge
in reply to popey • • •@popey @wjt Also, presumably a cryptocurrency scam app could steal the user's funds by talking to the same network hosts as a legitimate app would.
How do you distinguish network traffic representing a transaction the user wanted to make from network traffic representing a transaction the user didn't want to make?
Sonny
in reply to James Henstridge • • •@jamesh @popey @wjt
https://floss.social/@sonny/112161056007032368
Sonny
2024-03-26 08:31:34
James Henstridge
in reply to Sonny • • •@popey @wjt If you are relying on manual review and/or trust in the publisher to weed out malicious apps, then what additional benefit does the portal bring?
That seems particularly relevant if a malicious app that escapes the review process can do its thing with the same portal prompts the user would expect for the type of app it purports to be.
Lennart Poettering
in reply to Sonny • • •and i think a dns angle matters. I.e. local name resolution (i.e. via mdns and search domains) should be more privileged than resolving fqdns.
Impl. idea: define an xattr on cgroups that app sandbox reads and resolved reads and honours.
Val Packett
in reply to Sonny • • •I really really wish it would be a capability based API, i.e. the portal taking a host (and socket type etc) and responding with an opened socket fd-passed, and that being the only way to connect to anything. (And the document portal should likewise do fd-passing instead of mounting magic FUSE filesystems..)
but of course that’s probably too much API change inflicted on app developers and we’ll always be stuck with janky sandboxes :(
Sonny
in reply to Val Packett • • •@valpackett
We might end up with a new API for apps to implement to make this work anyway.
Personally I'd already be happy with "this app is requesting network access, do you want to allow it" yes/no
Felicitas Pojtinger 🇨🇦
in reply to Sonny • • •Profile13115
in reply to Sonny • • •There has to be an easy option to "torify" flatpaks aka using proxys. This currently is a huge inconsistent mess; some apps use system proxy settings, some use "hardcoded" proxy variables, others ignore all proxy variables completely, some have proxy settings inside the apps themselves.
It has to be easy for a user to use a proxy for flatpaks, mainly in the lights that many people have to leverage the Tor network for many things that are outside of the day to day internet activities.
Sebastian Wick
in reply to Sonny • • •