Arch Linux

OneAndOnlyRoot

Member

Registered: 2025-01-01

Posts: 21

Firefox Flatpak or Native

I am debating if I should use the flatpak of firefox or the system package.
I already setup a apparmor profile for the native package by the way.

The flatpak I noticed under about:support#sandbox does not have user namespace while the system package does.

I tend not to update my arch system every day usually once a week for stability reasons, flatpak seemed like a good choice as it would be easier to keep updated while seperate from the rest of the system updates.

But seeing as username space has been a source of exploits, is having it off actually more secure?

So what do you think, flatpak or system package?

Thanks

Last edited by OneAndOnlyRoot (2025-06-01 18:37:07)

seth

Member

From: Don't DM me only for attention

Registered: 2012-09-03

Posts: 73,727

Re: Firefox Flatpak or Native

I already setup a apparmor profile for the native package by the way.

https://flatkill.org/2020/ - it's not a sandbox in the sense of apparmor or firejail.

The flatpak I noticed under about:support#sandbox does not have user namespace while the system package does.

https://wiki.archlinux.org/title/Flatpa … ned_kernel

I tend not to update my arch system every day usually once a week for stability reasons,

https://gitlab.archlinux.org/archlinux/ … mmits/main
You'll not miss many FF repo updates then anyway?

So what do you think, flatpak or system package?

Clearly vim, emacs is bloated and the inferior editor.

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

OneAndOnlyRoot

Member

Registered: 2025-01-01

Posts: 21

Re: Firefox Flatpak or Native

I already setup a apparmor profile for the native package by the way.

https://flatkill.org/2020/ - it's not a sandbox in the sense of apparmor or firejail.

The flatpak I noticed under about:support#sandbox does not have user namespace while the system package does.

https://wiki.archlinux.org/title/Flatpa … ned_kernel

I tend not to update my arch system every day usually once a week for stability reasons,

https://gitlab.archlinux.org/archlinux/ … mmits/main
You'll not miss many FF repo updates then anyway?

So what do you think, flatpak or system package?

Clearly vim, emacs is bloated and the inferior editor.

Thanks for your reply.
I did gather that flatpak isn't a full sandbox, which does make me lean more towards apparmor which I hope could minimise the risk of usernamespace while allowing firefox sandbox max security.

I am using the standard arch kernel, not hardened so kernel.unprivileged_userns_clone is set to 1.

Main thing with keeping it updated is for zero days more than anything. So wanted to be on top of that and get them updated asap.

Mainly just wondered what other people use, flatpak or system package and why.

I am a fan of vim, trying neovim at moment though.

Last edited by OneAndOnlyRoot (2025-06-01 21:44:55)

seth

Member

From: Don't DM me only for attention

Registered: 2012-09-03

Posts: 73,727

Re: Firefox Flatpak or Native

I am using the standard arch kernel, not hardened so kernel.unprivileged_userns_clone is set to 1.

The idea was to highlight the conflict and, if you care, how to disable them.
Also see https://github.com/flatpak/flatpak/issues/5921

Main thing with keeping it updated is for zero days more than anything. So wanted to be on top of that and get them updated asap.

https://aur.archlinux.org/packages?O=0& … ox-nightly

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

OneAndOnlyRoot

Member

Registered: 2025-01-01

Posts: 21

Re: Firefox Flatpak or Native

I am using the standard arch kernel, not hardened so kernel.unprivileged_userns_clone is set to 1.

The idea was to highlight the conflict and, if you care, how to disable them.
Also see https://github.com/flatpak/flatpak/issues/5921

Main thing with keeping it updated is for zero days more than anything. So wanted to be on top of that and get them updated asap.

https://aur.archlinux.org/packages?O=0& … ox-nightly

I see, I would prefer to not weaken firefox's sandbox.
I will take a look at firefox-nightly as well.

Generally what would you say people use for the browser, flatpak or system package?

seth

Member

From: Don't DM me only for attention

Registered: 2012-09-03

Posts: 73,727

Re: Firefox Flatpak or Native

People? Android.
Arch users? Whatever they want or deem appropriate for their situation.

I don't think that flathub or mozilla keep stats about arch users specifically so your guess is as good as mine or everyone elses.
What I can tell you is that you should absolutely not make that a factor in your decision.

There're plenty of caveats, notably security- and resource-wise because of duplicated and then easily dated system libraries, with flatpak, let alone the additional trust* requirements.
Another frequent problem is system integration (from visual themes to input methos like fcitx5)
If the benefits of using it outweighs them for you, use the flatpak. If not, then don't.

*You bought into trusting arch devs. If they want to fuck your life by compiling some malicious patch into glibc or the kernel you lost anyway.
Adding 3rd parties requires you to trust those parties as well which is is *especially* a problem with flathub, but - in fairness and because it's important to be aware - also the AUR (where you have the benefit and mandate to easily inspect the PKGBUILD before installing anything from there. Always!)
In case of a mozilla issued flatpak or prebuilt binary, the additional trust requirements are minimal, but see the libxz disaster, https://en.wikipedia.org/wiki/XZ_Utils_backdoor - you still trust them that the binary was also compiled out of the code you're trusting anyway.

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

OneAndOnlyRoot

Member

Registered: 2025-01-01

Posts: 21

Re: Firefox Flatpak or Native

People? Android.
Arch users? Whatever they want or deem appropriate for their situation.

I don't think that flathub or mozilla keep stats about arch users specifically so your guess is as good as mine or everyone elses.
What I can tell you is that you should absolutely not make that a factor in your decision.

There're plenty of caveats, notably security- and resource-wise because of duplicated and then easily dated system libraries, with flatpak, let alone the additional trust* requirements.
Another frequent problem is system integration (from visual themes to input methos like fcitx5)
If the benefits of using it outweighs them for you, use the flatpak. If not, then don't.

*You bought into trusting arch devs. If they want to fuck your life by compiling some malicious patch into glibc or the kernel you lost anyway.
Adding 3rd parties requires you to trust those parties as well which is is *especially* a problem with flathub, but - in fairness and because it's important to be aware - also the AUR (where you have the benefit and mandate to easily inspect the PKGBUILD before installing anything from there. Always!)
In case of a mozilla issued flatpak or prebuilt binary, the additional trust requirements are minimal, but see the libxz disaster, https://en.wikipedia.org/wiki/XZ_Utils_backdoor - you still trust them that the binary was also compiled out of the code you're trusting anyway.

Thanks for your insight.

You got me thinking of things I did not consider, tho I will say the firefox flatpak is verified so is from mozilla which is a good sign.
I shall do some further research into flatpaks and other areas to better understand it that way I can be more sure what I want to put my trust into.