Pantherina,

The Chromium sandbox needs to be removed and something like Zypak needs to be used.

This means that the internal Browser sandbox is weaker and tab isolation. I could not find the source for that yet.

flatkill.org

Even though pretty old and probably outdated, some points are for sure true. Some apps like Onionshare are horribly outdated, and unless every app has at least one packager responsible for it, best official and paid, it's a total mess.

Chromium on Flatpak stable for the first time - GNOME blog post

Firefox Snap vs. Flatpak

Flatpak Browser Sandbox Challenges

These were not the sources I refer to, and it is pretty complex. Secureblue disables user namespaces and uses bubblewrap-suid for security, but after madaidan's statement that would mean a hole in bubblewrap allows the app root privileges.
