Chromium Flatpaks

Hi folks,

Curious what’s the current state of the old Chromium sandboxing in Flatpak conundrum, where allegedly process isolation is less robust when using Flatpak.

This leads to browsers typically recommending Atomic users to layer non-flatpak versions of their browsers, even when those flatpaks are maintained officially.

There was some discussion about it on ublue’s answer overflow about 2 years ago, with regards to Vivaldi specifically, that seemed very hopeful.

Is this something we can work out, and how can people contribute towards this goal?

Do people generally just use the Flatpaks anyway and decide not to worry about it?

Or does the community typically layer browsers on top of the image?

I believe Firefox is free from this issue, but could be wrong.

Happy to hear whats the latest news and what everyone elses approach here is!

Firefox also has a weaker sandbox as it uses user namespacing, which is blocked by the flatpak sandbox.

The real solution is for flatpak to allow apps to use user namespaces so that hacky, less-tested workarounds like zypak are no longer necessary. I believe they were disabled due to security concerns and its use in privilege escalation attacks, but apparently that’s less of an issue nowadays. And flatpak developers do want to enable user namespaces, but I guess they haven’t gotten around to putting all the pieces in place.

For a while I did use the Vivaldi Flatpack, but for now, I am running Vivaldi through distro box to avoid the security issues. This also has the benefit of not having to worry about sandboxing issues that are sometimes there with flatpak.