It sounds like most other users install it that way too. Which surprises me, since I had thought the Linux community had started to move towards Flatpaks. But anybody who searched Flathub for Tor Browser, would have seen the flatpak with the Tor Project author listed as verified, and there would be no indication that this was in fact an unstable installation.
I get what you’re saying, but at the same time if every developer released software as pre-compiled binaries on their website, installing stuff on Linux would become such a PITA. (This is different from how Windows works because apps for Windows are distributed using installers like xxx.msi, and Linux does not have a unified installation system across distros)
Technically rollbacks are possible using regular packages, but in practice multiple packages will share dependencies and prevent you from downgrading just one of them. This is why it’s important that Flatpaks isolate dependencies between apps.
Are you saying that this bug would have been reported there? I don’t think I ever saw it, and I honestly doubt it was ever posted there. Unless you’re talking about the browser update announcements, but I would still need to check the Help > About page of my browser to notice that it didn’t match the latest version. As mentioned in my post, the Flatpak was updating like usual, the updates just weren’t affecting the browser.
Really, the main reason I made the post was to see if anybody else was affected, and see how other people avoided the bug. And aside from one other user, it really seems like nobody else was affected, which is surprising to me. The only reasons I can come up with are:
Based on the comments I suspect #1 is the main cause. Which makes me lose trust in Flatpaks quite a bit. After all, if nobody is using them, then maintainers have less incentive to maintain them, and the worse they get.
Not to mention:
This was an official Flatpak from Tor Browser, so there’s no reason why it should be less reliable than the packages from distribution maintainers. Not to mention for atomic distros, flatpaks are the official way to install software.
You can check the Tor Project blog to figure out the latest release, and go to your Tor Browser’s menu > Help > About Tor Browser to see if it matches. It should be version 14.0.7. If it is not, the fix is detailed in the Github issue I linked in the post
This seems like something that Flatpak should be able to handle though. Afaik Mullvad Browser never had this issue. Flatpaks also have numerous advantages, like automatically handling desktop shortcuts.
I hope so, Flatpaks are becoming the default way of installing packages, especially with the rise of atomic distros.
Done, reposted to [email protected] and [email protected]. Though maybe [email protected] was unnecessary because this post is already on the lemmy.ml instance…
First off, props on the detailed and informative post. I’ve never seen a post so packed with links and citations. I’d just like to share some of my own experience:
In regards to Debian vs atomic distros. First off, most recommendations for Debian are recommending it for use on the server. I definitely agree that on the desktop, you are better off with a more up-to-date distro, especially for browser patches. But for the server, after having used both Debian and Fedora CoreOS (an atomic distro for servers) for over a year each, I trust Debian more in terms of security and stability. For example, last summer when there was a major OpenSSH vulnerability, Debian had already patched it, because the security researchers had notified the Debian maintainers prior to the announcement. CoreOS on the other hand, took multiple weeks to release the fix. I also ran into some coredumps on Fedora CoreOS. It was only once or twice, but I never experienced the same on Debian. The main reason why I trust Debian is simply because it’s an industry standard. Billions if not trillions of dollars are on the line if Debian is compromised. CoreOS and atomic distros are just not popular enough to receive nearly as much attention. There’s safety in numbers. That’s why for the server, I’d recommend Debian, while for the desktop, Ubuntu or Fedora are better choices. Though if you really want security on the server, I would recommend Proxmox, which uses a similar security model as Qubes. Note that Proxmox is based on Debian.
As for the topic of F-Droid, you brought up the PrivSec article on F-droid security issues. This article is a few years old and is always brought up in criticisms against F-Droid. My main problem with it is that it downplays the importance of open source. One thing not mentioned in the article is that ideally, you shouldn’t even need to trust the developer. That’s one of the benefits of open source. Those familiar with the world of browser extensions are also all too familiar with how often the developer sells the project to a malicious party, who can then backdoor the published extension without updating the source code. Now, open source is only secure if it’s audited, something you mentioned in your post, but in my experience just the fact that it can be audited is good enough to scare away bad actors. Afaik F-Droid has had zero malware. Despite being a small store, that’s still extremely impressive, and speaks for itself. There is still the danger that F-Droid itself is compromised, but that can be solved with reproducible builds, which is something the Play Store can’t offer due to Play App Signing, while F-Droid is pushing for it.
Though that is just in theory. I should mention that there was a pretty worrying issue found in F-Droid reproducible builds recently. I still trust the security of F-Droid more than the Play Store though.
If you don’t mind I am curious to hear your reasons. I personally agree with the developer, I think it’s a lot of work and doesn’t provide a meaningful win. If an attacker has access to the system, there are many other ways they can access your notes even if the notes are encrypted at rest. Based on the thread it sounds like what people actually want is isolation and access control, but I don’t think that responsibility should fall on the app developer, it should be handled by a broader system (like Veracrypt, or Flatpak).