Excel sheets can be used without macros, i.e. executable code. Macros can be disabled in Libreoffice afaik, and this is likely possible via some sort of policy.

These are great things to try out and I want to experiment with it when I have time. For example not sure if policies work with flatpak, as users could be able to change them.

Antivirus is a joke, for sure you could run it, but it just doesnt work. It would be just there for the compliance, while you simply dont run any code, not even trusted code, that doesnt come from trusted repos like Fedora, Ubuntu or flathub-verified

If you dont even have a way of running untrusted code on your production environment, how the heck is that worse than badness enumerating AV?

Insurances…

Damn that is really cool. Good compression algorithms are key.

I also think that flatpaks huge issue is

• installing the entire runtime instead of just needed components
• being universal (and Linux has a reputation to support old hardware) thus wasting potential
• not being good to backup

To get rid of Viruses, simply clean out all executable attachments in mails, mailcow and other solutions support that.

You can also mount /home nonexecutable, which means everything you can run needs to be on the system. Without that, “control over what is installed” is worthless. You could literally download any package, export the binary and run it from anywhere.

To run untrusted software, you can use a server that uses something like KASM. It is image-based, accessed through the browser, suppports uploading files and viewing lots of stuff. You can also run antivirus there, but as shown in this video antivirus is often simply tricked by encoding and re-encoding the scripts into something like Base64.

Antivirus really is flawed. You need to control the origins of code, and run all untrusted code in immutable VMs.

Interesting, you have no compression as that is likely only on BTRFS

Damn.

Bubblewrap on the other hand…

Is that sandboxing graphically available like with Flatpak? To my knowledge it required Apparmor patches but that these are upstreamed is a good info. The SELinux implementation sounds interesting, but well… I dont see the point?

They offer support for it and contribute a lot to all those projects. But I was mainly focused on projects restricting their license, RHEL is a complicated topic.

Please just use that tool. Why would you move flatpak to a different partition? But interesting results

I didnt say it is broken because I dont like it.

Flatpak does this, just have a look. Every app has its config stored in its own directory. Apps only have access to that directory, if they dont get other static permissions.

yes you could of course script that, but it doesnt change the problem with appimages having insecure updates. Flatpak uses OSTree, Android has a package manager that saves the signature and if that doesnt match, an update fails.

you can add images inline with ![title](url)

Check again with that tool that size is really strange.

I am not a fan of that bloat, as Android works similar and apps are 30MB max. I simply think flatpak is the best foundation.

Awesome tool! If you use it with nerdfonts, you can have nice icons too!

Note: it is not a 1:1 replacement for ls! Wait for uutils to be completed, and then start to use it.

You hace that image inline, if you add a linebreak before it, it will render normally on mobile clients :D

Hahaha that is actually mentioned in the article below

According to Robin Stern, PhD, co-founder of the Yale Center for Emotional Intelligence, “Gaslighting is often used in an accusatory way when somebody may just be insistent on something, or somebody may be trying to influence you. That’s not what gaslighting is.”[17]

Yes for sure and I dont know what I think about that RedHat move. But specifically about redis, (the thing I forgot the name of) and others, I get the feeling they just try to protect themselves against being used for free by megacorps.

Would you say portable builds (like deadbeef) also install another distro onto your system?

They statically link binaries which is pretty similar.

You can also extract the appimage and run the AppRun script, comes with the downside that…

I guess you cannot update an app anymore when doing that.

Flatpak uses BTRFS compression afaik, so I dont know if it has a performance hit and it can likely not be turned off.

Is it strange idea to not want my home cluttered by a bunch of useless top level dotfiles?

That is .firefox etc. Flatpaks put everything in ~/.var/app/ which doesnt clutter anything.

Those Appimage helpers sound interesting and I will look at them. The tasks of placing somewhere, creating desktop entries etc. is not hard, but needing to do that manually is a strange and broken concept. I suppose those helper programs have some kind of community support, as Balena Etcher or whatever dont supply .desktop files.

I agree with the problems you mentioned after that. Relying on glibc is bad, using outdated x86_64 architecture is silly. The last one could be fixed easily. The former one probably not that easily.

Desktop Linux is messy for sure. But Flatpak is just really good at what it can do.

Portable apps are their own distro, yes.

Why use an appimage when they also have official RPM or DEB repos? There is nothing gained here, but you have an insecure install and update mechanism.

Please use this tool and report the real sizes

https://gitlab.com/TheEvilSkeleton/flatpak-dedup-checker