search

flathub / com.vscodium.codium

https://flathub.org/apps/details/com.vscodium.codium
96 stars 20 forks source link

actually needed filesystem access #220

Closed boredsquirrel closed 1 year ago

boredsquirrel commented 1 year ago

I am in the process of fixing all these flatpaks with host access, but VSCodium is more difficult, as it may need some special directory access.

Could you help me?

  - --filesystem=home
  - --filesystem=/media
  - --filesystem=/mnt
  - --filesystem=/run/media
  - --filesystem=/var/run/media
  - --filesystem=/var/mnt

These are the ones needed for most programs, to open virtually anything but system files

noonsleeper commented 1 year ago

Hi @trytomakeyouprivate thanks for the issue, but I don't see this need to be fixed since this is an IDE, it's supposed to have access to the system files, and almost the other IDE/editors in flatpak use the same logic:

Here in the FAQ is already described how to change the default behaviour of codium also remember that not all the people use his home directory to store their code some people use network share directories or another directories, but if you like, you can make an MR with the desired changes and add a section on the README.md that explain how to override this to the most used host access, and we can discuss this with more people that already use this flatpak. What do you think?

boredsquirrel commented 1 year ago

wow that was a detailed response, thanks. Yes I understand that, but when using Flatpaks I assumed people will not store projects outside of home.

Thats why this is an issue and not a MR, as I was not sure what other directories may be needed or are even accessible.

And in general, I would say it would be better to have too little permissions, as this is an IDE and not a videoplayer, and explain in the Flathub repodata file how to enable host access

noonsleeper commented 1 year ago

as I was not sure what other directories may be needed or are even accessible

Also, Me either know how the most of the persons put their files

I would say it would be better to have too little permissions

Yes, I think the same

as this is an IDE and not a videoplayer

Codium install extensions from the well-known https://open-vsx.org, block or not compile internal extensions that allow telemetry and the source files generally are well-known for the developer, in comparison video players generally speaking have access to open unknown internet sources.

What I want to say is that the threat model and attack surface are different from both, in this case that people that we want to protect are developers (or power-users) that already know about security works not regular users as for the case of a video player or any other app.

If you like, Can we leave this issue open for more feedback of the community about what they want or what they think?

boredsquirrel commented 1 year ago

With the Videoplayer metaphor I meant the users know how to tweak stuff.

Flatpaks are currently a bit flawed, often have too many permissions and many will leave it like that as there are no GUIs popping up etc. I would prefer having a text note in the App description:

You can add host permissions by running:
flatpak ...

and mention :ro or not.

Yes I would also leave this open, its not urgent its meant to be a productive issue report and place to discuss before hardening it better.