Linux developers are going to have more than one choice for building secure, cross-distribution applications.
Ubuntu’s “snap” applications recently went cross-platform, having been ported to other Linux distros including Debian, Arch, Fedora, and Gentoo. The goal is to simplify packaging of applications. Instead of building a deb package for Ubuntu and an RPM for Fedora, a developer could package the application as a snap and have it installed on just about any Linux distribution.
But Linux is always about choice, and snap isn’t the only contender to replace traditional packaging systems. Today, the developers of Flatpak (previously called xdg-app) announced general availability for several major Linux distributions, with a pointer to instructions for installing on Arch, Debian, Fedora, Mageia, and Ubuntu.
Though Flatpak has multiple developers from the GNOME community, “Flatpak is the brainchild of Alexander Larsson, Principal Software Engineer at Red Hat,” the announcement said. The technology “allows application developers to build against a series of stable platforms (known as runtimes), as well as to bundle libraries directly within their applications. Flatpak is also standards compliant, offering support for the Open Container Initiative specification.”
Like Ubuntu’s snaps, Flatpak developers are promising that apps packaged in the new format will be isolated from each other and from critical parts of the operating system, improving security.
“Flatpak apps are sandboxed. From within the sandbox, the only things the app can ‘see’ are itself and a limited set of libraries and operating system interfaces. This effectively isolates apps from each other as well as from the host system and makes it much harder for applications to steal user data or exploit one another,” the announcement said.
The widely used X11 window system is still “inherently insecure,” limiting the ability to sandbox applications on most current systems, the announcement noted. But that will change. While Flatpak can be installed on systems using X, the emergence of the new Wayland display server “complements Flatpak’s emergence and paves the way for much more complete security model for Linux distributions.”
There are still benefits regardless of the underlying display server. “Flatpak’s sandboxing framework does isolate apps from the host and from each other, whether apps are running on X or on Wayland,” Flatpak contributor Allan Day told Ars today.
Flatpak apps also can’t see host files, processes outside the sandbox, or hardware devices, and they can optionally be restricted from network access, Larsson told Ars. Still, Larsson said the limitations under X11 are significant.
If you’re running an X11 terminal, an “app can use X11 to send fake keyboard events to it and cause it to do whatever it wants,” Larsson said. “Obviously this is a much harder attack to do than just reading some file, but we can hardly call it secure when you can do that. If the app only has access to Wayland, then such attacks are not possible at all because Wayland clients can’t see or talk to each other.”
More technical details on Flatpak sandboxing are available here. On Ubuntu, the X security problems should be solved by the in-development Mir display server. Snaps can run on both Mir and X but will have better security with Mir.
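The permissions discussed above (X11 access, host files, network) are declared in each app's metadata. As an added example, not taken from the article or the Flatpak project, this script flags them in the `[Context]` section that `flatpak info --show-metadata` prints. The sample app ID, its metadata and the `RISKY` table are constructed for illustration.

```python
import configparser

# Constructed sample in the keyfile layout printed by
# `flatpak info --show-metadata <app-id>`; the app ID is made up.
SAMPLE_METADATA = """\
[Application]
name=org.example.Editor
runtime=org.gnome.Platform/x86_64/3.20

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=host;xdg-download;
"""

# (key, value) grants that widen the sandbox in the ways the article describes.
RISKY = {
    ("sockets", "x11"): "X11 socket: fake keyboard events can reach other X clients",
    ("shared", "network"): "network access is not restricted",
    ("filesystems", "host"): "host files are visible inside the sandbox",
    ("filesystems", "home"): "the user's home directory is visible",
    ("devices", "all"): "all hardware device nodes are exposed",
}

def parse_context(metadata_text):
    """Return {key: set(values)} for the [Context] section."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(metadata_text)
    if not parser.has_section("Context"):
        return {}
    context = {}
    for key, raw in parser.items("Context"):
        # Values are ';'-separated; a leading '!' removes a permission.
        entries = [v.strip() for v in raw.split(";") if v.strip()]
        context[key] = {v for v in entries if not v.startswith("!")}
    return context

def audit(metadata_text):
    """Return sorted findings for grants that weaken isolation."""
    context = parse_context(metadata_text)
    findings = []
    for (key, value), why in RISKY.items():
        # Filesystem entries may carry a ":ro"/":rw" suffix.
        granted = {v.split(":")[0] for v in context.get(key, set())}
        if value in granted:
            findings.append(f"{key}={value}: {why}")
    return sorted(findings)
```

An app whose `sockets` line lists only `wayland` produces no X11 finding, which matches Larsson's point that Wayland clients cannot see or talk to each other.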
LibreOffice is on board with Flatpak
While snaps can be used to package both server and desktop applications, Flatpak developers say that “Flatpak is designed to run inside a desktop session and relies on certain session services, such as a dbus session bus and a systemd --user instance. So, is not a good match for a server.”
Both snaps and Flatpak can boast support from major open source application developers. While the Ubuntu snap announcement mentioned Firefox, LibreOffice, Krita, and Mycroft, the Flatpak team said applications already available as Flatpaks include LibreOffice, GIMP, InkScape, MyPaint, and Darktable. The Document Foundation, developer of LibreOffice, said Flatpak will help it “distribute a better LibreOffice, with up-to-date dependencies and a platform that can run on many systems.”
“Linux desktops are also adopting Flatpak,” the announcement said. “A fully functional GNOME runtime has been available since March: this allows application developers to build and distribute Flatpaks using the GNOME development stack. Work on a similar runtime for KDE is proceeding.”
Though Flatpak doesn’t require the use of any particular desktop environment or operating system, the project has close ties to GNOME and Red Hat. The Flatpak.org domain is registered by the GNOME Foundation, and Red Hat’s Fedora project participated in today’s Flatpak announcement, with Red Hat Senior Manager Christian Schaller saying, “we plan to continue supporting this effort going forward and help advocate it to a wider audience.”
Flatpak pointed out that developers can contribute to the project “with no copyright assignment or contributor license agreement required.” Ubuntu developer Canonical requires contributors to sign a contributor license agreement, though contributors still own the copyright.
Developers of both Snap and Flatpak say they hope to decrease the fragmentation that makes it hard to package applications for all Linux distributions—though that might be difficult with multiple systems for cross-platform distribution. Users can install Flatpak or snap themselves, but different Linux operating systems could support one or the other by default, instead of both.
Snap and Flatpak aren’t the only new cross-distribution application packaging technologies either, as there are also AppImage and OrbitalApps. But they have different focuses: AppImage doesn’t have the same security features, while OrbitalApps is designed for making apps portable, so you can carry them on a USB stick and run them on any computer.