flathub / org.gnome.Evince

https://flathub.org/apps/details/org.gnome.Evince

fix: Unsecure permissions. Remove filesystem=host. #61

Closed tim77 closed 1 year ago

tim77 commented 3 years ago

Please. There is no need for disabling sandbox entirely. See discussion: https://pagure.io/fedora-workstation/issue/244#comment-751477

flathubbot commented 3 years ago

Started test build 61034

flathubbot commented 3 years ago

Build 61034 successful

To test this build, install it from the testing repository:

flatpak install --user https://dl.flathub.org/build-repo/58879/org.gnome.Evince.flatpakref

hadess commented 3 years ago

> Please. There is no need for disabling sandbox entirely.

Even if it's not something desirable, giving access to the host filesystem isn't anywhere near "disabling sandbox entirely".

flathubbot commented 3 years ago

Started test build 61327

flathubbot commented 3 years ago

Build 61327 failed

flathubbot commented 3 years ago

Started test build 61334

flathubbot commented 3 years ago

Build 61334 failed

flathubbot commented 3 years ago

Started test build 62165

flathubbot commented 3 years ago

Build 62165 successful

To test this build, install it from the testing repository:

flatpak install --user https://dl.flathub.org/build-repo/59998/org.gnome.Evince.flatpakref

gpoo commented 3 years ago

I dislike having filesystem=host enabled, but IIUC, that is the one that currently gives Evince access to neighbour files. That is, until there is a fix for https://github.com/flatpak/xdg-desktop-portal/issues/463.

wjt commented 2 years ago

What does Evince use its access to neighbour files for OOI?

gpoo commented 2 years ago

> What does Evince use its access to neighbour files for OOI?

For having access to synctex files, which allows users to jump to the corresponding position in a LaTeX source file and the PDF.

hadess commented 2 years ago

> I dislike having filesystem=host enabled, but IIUC, that is the one that currently gives Evince access to neighbour files. That is, until there is a fix for flatpak/xdg-desktop-portal#463.

This could be changed to filesystem=home at least.

wjt commented 2 years ago

> This could be changed to filesystem=home at least.

Depends if this feature working on removable media is important I guess?

hadess commented 2 years ago

> Depends if this feature working on removable media is important I guess?

The diff has: "--filesystem=/run/media:ro",

It should be made r/w IMO, but that covers this specific use-case.

gpoo commented 1 year ago

Thanks for the patch. I merged #88 instead.
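
Added example, not code from this pull request or from the Evince packaging: a small audit of the `--filesystem=` entries in a Flatpak manifest's `finish-args`, showing how the grants discussed in this thread (`host`, `home`, `/run/media:ro`) differ in scope and mode. Both manifest fragments are constructed for illustration; the `--socket=wayland` entry and the function names are assumptions.

```python
import json

# Grants that expose large parts of the user's data, per the Flatpak filesystem syntax.
BROAD = {"host": "host-wide", "home": "home-wide"}
MODES = {"ro", "rw", "create"}

def parse_filesystem_arg(arg):
    """Return (location, mode) for a --filesystem= argument, or None for other args."""
    prefix = "--filesystem="
    if not arg.startswith(prefix):
        return None
    value = arg[len(prefix):]
    location, sep, suffix = value.rpartition(":")
    if sep and suffix in MODES:
        return location, suffix
    return value, "rw"  # no suffix means read-write access

def audit(manifest_text):
    """List (location, mode, scope) for every filesystem grant in a JSON manifest."""
    findings = []
    for arg in json.loads(manifest_text).get("finish-args", []):
        parsed = parse_filesystem_arg(arg)
        if parsed is None:
            continue
        location, mode = parsed
        findings.append((location, mode, BROAD.get(location, "scoped")))
    return findings

# Constructed fragment using the grant named in the PR title.
WITH_HOST = json.dumps({
    "app-id": "org.gnome.Evince",
    "finish-args": ["--socket=wayland", "--filesystem=host"],
})

# Constructed fragment combining the two options mentioned in the comments.
WITH_HOME_AND_MEDIA = json.dumps({
    "app-id": "org.gnome.Evince",
    "finish-args": ["--socket=wayland", "--filesystem=home",
                    "--filesystem=/run/media:ro"],
})

if __name__ == "__main__":
    for name, text in (("host", WITH_HOST), ("home+media", WITH_HOME_AND_MEDIA)):
        for location, mode, scope in audit(text):
            print(f"{name}: {location} ({mode}) -> {scope}")
```

For an installed app, `flatpak info --show-permissions org.gnome.Evince` prints the effective permissions to compare against the manifest.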