this post was submitted on 04 Mar 2024
943 points (97.5% liked)

Memes

45754 readers
1010 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS
943
Chat Apps (kbin.run)
submitted 9 months ago* (last edited 9 months ago) by tsugu@slrpnk.net to c/memes@lemmy.ml
 

I use the apps my friends use but it gets tiring to keep up with so many.

you are viewing a single comment's thread
view the rest of the comments
[–] Pantherina@feddit.de 2 points 8 months ago (1 children)

Hahaha, SimpleX on Android is fine, the Desktop client is kinda incompatible with anything (no flatpak, the ubuntu version is kinda broken, no repo, their sync requires a random firewall port to be open)

[–] CubitOom@infosec.pub 1 points 8 months ago (1 children)

Interesting. For my desktop, I just installed a binary from the AUR and it works wonderfully.

[–] Pantherina@feddit.de 2 points 8 months ago (1 children)

Yeah I avoid installing stuff to my system but I looked into RPM .spec files and that should be possible too. Flatpak would be the way to go though.

[–] CubitOom@infosec.pub 1 points 8 months ago (1 children)

Personally, I do the opposite. I try to avoid flatpaks and the like. And the AUR enables that really well

[–] Pantherina@feddit.de 1 points 8 months ago (1 children)
[–] CubitOom@infosec.pub 1 points 8 months ago (1 children)

Security is a compromise between convenience and safety.

However, simply using flatpaks isn't inherently more secure than using a binary or compiling from source. But it can make it easier to be secure for people that don't want to manage their own sandboxes.

It's also easier for devs so they only have to make one version of their app which in theory should work on all systems. But in practice I find it doesn't always work that way

[–] Pantherina@feddit.de 1 points 8 months ago (1 children)

The AUR is not verified or audited at all, isnt it? So you need to check every release if that script was modified to download something malicious. For sure this works somehow, but idk how.

And sandboxing... flatpak has GUI tooling unlike anything else. Bubblejail is usable.

[–] CubitOom@infosec.pub 1 points 8 months ago* (last edited 8 months ago) (1 children)

From a maximum security perspective, you should be checking all the code you install on your computer. No matter if it is foss, audited by some group, or proprietary (if possible). What would stop a bad actor from auditing malicious code and approving it?

As for sandboxing, there's multiple options, not the least of which is containerization.

Again, security is a compromise. More security normally comes at some cost just as less security does.

But back to the topic of the post. You are complaining that SimpleX doesn't work when installed though a flatpak (because one doesn't exist). So perhaps it's not a good software to rely on flatpaks for. Unless you choose to only install software via flatpaks, to which I'd say that's admirable but also perhaps needlessly limiting. Either way it's your choice, but I would suggest some open mindedness of options that may let you use the software you want.

[–] Pantherina@feddit.de 1 points 8 months ago

Yeah I tried the ubuntu version through Distrobox, which is way more secure. But they have no repo, and it broke apt lol.

Appimages are completely insecure, there are literally no updates. Its a random bundle of libraries, as old as possible to work on every old kernel, and they are just broken by design (see an old post of mine).

There is flatpak packaging work done and I want to learn that and help, as Flatpak is just the best.