subuser-security / subuser

Run programs on linux with selectively restricted permissions.
http://subuser.org
GNU Lesser General Public License v3.0
890 stars 65 forks

Comparison to Flatpak #363

Open numberZero opened 1 year ago

numberZero commented 1 year ago

First, is Subuser still alive? There doesn’t seem to be much activity recently.

But my primary question is, how does Subuser compare to Flatpak? I know that Flatpak, the program, has very insecure defaults but is that inherent? E.g. it grants full access to the user's directory but also, it supports "portals" which are presumably designed for fine-grained file and device access (although the design is... special, IMO).

Edit: didn’t realise Flatpak and “Gnome sandboxes” is the same thing... it is not Gnome-specific nowadays. But that definitely explains the design.

timthelion commented 1 year ago

Hi there,

subuser is currently resting. The reason it is resting is that the current version is too slow in two ways:

1) Linux GUI apps are very large and we tend to install a lot of them. Building images is too slow since we end up installing/downloading a lot of dependencies. To fix this, there needs to be a better way to share those dependencies.

2) Launching GUI apps with subuser is too slow. It is not yet clear how to fix this problem. It has three components. a) Normally on Linux a lot of the shared stuff that gets loaded into memory when a GUI app is launched is only loaded once. After that the dynamic linker just magically re-links it so you don't have to re-load it for every app. b) The COW filesystems used by Docker are too slow. c) The XPRA/X11 bridge takes a while to load. I don't know how to fix a; b is improving every couple of months, as Linux's kernel is getting better at this; c can be fixed by using Wayland isolation instead of the bridge.

In comparison to flatpak (which is newer than subuser):

1) One of the major advantages is that it uses ostree rather than layered Docker images for storage. This fixes the storage space problem I mentioned in problem 1. Deduplication is certainly the way to go here, and ostree does many things right. The next version of subuser/whatever comes after subuser should either use ostree or take inspiration from it.

2) The authors of flatpak have been rather optimistic about security from the start. They made claims about their software being secure before the isolation system had even begun to be implemented. Even with portals, they are relying on giving apps partial access to the session dbus daemon. There is sort of an OK story for security for partial access to dbus, but I'm not sure how far along it is yet (I haven't been keeping up with those developments). I don't think that security was ever a big goal for flatpak.

3) The main difference between flatpak and subuser though is that flatpak is trying to make it easy to deploy software that is tightly integrated with the host system, including integrations with the desktop environment. They want to do things like unify GUI themes and fonts. This isn't bad. But it comes at the cost of making it so that software hosted by flatpak may become obsolete over time. The primary goal of subuser however is to create software that runs on every Linux desktop and doesn't suffer from bitrot. For subuser, bitrot and insecurity are the main things I am fighting against. I don't think that it is possible to do both: a. be tightly integrated with an advanced desktop environment such as GNOME and b. fight bitrot. Both goals are good, but I fear that they are mutually exclusive.
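Both comments above turn on what a Flatpak app is actually granted: the first one on the default `home` filesystem grant, the second on partial access to the session bus. The following is an added example, not code from the thread or from the subuser project: a small POSIX sh audit over the keyfile-style metadata that `flatpak info --show-permissions` prints, flagging the grants a reviewer would want to look at before trusting an app (a `home`/`host` filesystem entry, a direct X11 or session-bus socket, `devices=all`, and any D-Bus name the app may `talk` to or `own`). The sample metadata is constructed for the example and the app id `org.example.App` is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the subuser project or the thread.
# Live use:  flatpak info --show-permissions org.example.App | audit_flatpak_perms
# Tightening what it finds is done with overrides, e.g.:
#   flatpak override --user --nofilesystem=home  org.example.App
#   flatpak override --user --nosocket=x11       org.example.App
#   flatpak override --user --no-talk-name=org.example.Service org.example.App

# Constructed sample in the format `flatpak info --show-permissions` prints:
# a [Context] section with ';'-separated lists, then per-name bus policies.
SAMPLE_METADATA='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home;xdg-download;

[Session Bus Policy]
org.freedesktop.Notifications=talk
org.example.Service=own'

# Read metadata on stdin; print one "FLAG <what>" line per broad grant.
audit_flatpak_perms() {
    section=""
    while IFS= read -r line; do
        case "$line" in
            "["*"]") section="$line"; continue ;;   # new section header
            ""|"#"*) continue ;;                    # blank or comment
        esac
        key="${line%%=*}"
        value="${line#*=}"
        case "$section" in
            "[Context]")
                case "$key" in
                    filesystems)
                        # home/host grants bypass portals entirely
                        printf '%s\n' "$value" | tr ';' '\n' | while IFS= read -r fs; do
                            case "$fs" in
                                home|home:*|host|host:*|host-os|host-etc)
                                    echo "FLAG filesystem=$fs" ;;
                            esac
                        done ;;
                    sockets)
                        # x11 has no client isolation; session/system bus is the full bus
                        printf '%s\n' "$value" | tr ';' '\n' | while IFS= read -r s; do
                            case "$s" in
                                x11|session-bus|system-bus) echo "FLAG socket=$s" ;;
                            esac
                        done ;;
                    devices)
                        case ";$value;" in *";all;"*) echo "FLAG devices=all" ;; esac ;;
                esac ;;
            "[Session Bus Policy]"|"[System Bus Policy]")
                # every talk/own name is a hole in the sandbox worth reviewing
                case "$value" in
                    talk|own) echo "FLAG bus $key=$value" ;;
                esac ;;
        esac
    done
}

# Count of flags for the constructed sample (used as a quick pass/fail).
sample_flag_count() {
    printf '%s\n' "$SAMPLE_METADATA" | audit_flatpak_perms | grep -c '^FLAG'
}
```

The audit deliberately ignores `wayland`, `pulseaudio` and `dri`, which are the grants a desktop app cannot work without; everything it prints is a decision the packager made beyond that baseline, which is exactly where the "insecure defaults" argument in the thread lives.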