On Sat, 2017-07-15 at 13:43 -0400, Matthew Miller wrote: > On Fri, Jul 14, 2017 at 02:56:34PM -0700, Andrew Lutomirski wrote: > > This is only a problem because Flatpak is currently following the > > IMO > > rather busted old Android model. With very few, if any, exceptions, > > I > > think a much better model would be for an application to start with > > basically no permissions and to have to ask for fine-grained > > permissions as needed. Think iOS but tighter. By default, an app > > shouldn't be able to use the network, see what other applications > > are > > installed, or get your unique advertising ID without explicit > > consent, > > let alone access your dotfiles. > > I don't agree. With this model, every time you try to do something, > you're bombarded with questions asking if you want to do the thing > you tried to do. It gets very easy to fall into a default of clicking > a bunch of yesses all the time. That serves no *real* security > benefit and yet adds to user annoyance. There's gotta be a better way > than that.
Flatpak doesn't really use either the old or new Android model - it *does* try to have a better way of doing things. There are a static set of upfront permissions that are associated with the application - this is likely what Andy is thinking of. While they are reasonably fine-grained, they are low-level we are unlikely to present them in the user's default view as more than "sandboxed" vs. "unsandboxed" - some permissions can be considered to be pretty safe (talk to Wayland, talk to the external network), and others entirely not safe (talk to X11, read/write the user's home directory.) These are not going to be used for things like "can read and write my contacts", "can access my computer's camera", and whatever else Android bugs you about - those use cases are handled by portals. The primary user interaction of a portal is to show a user interface for the task (opening a file, sending an email, printing, etc.) - and let the user decide if they want to proceed or not. In the minority of case where this doesn't make much sense - say access to GPS - then the portal asks the user similar to the new Android style and implements smart memory behavior. Regards, Owen _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
