I’m trying out Bluefin and Aurora and would like to remove Firefox and Thunderbird. I would rather use Brave and a web app email client. I know with stock Fedora Silverblue and Kinoite it’s possible to hide Firefox but those commands don’t work in Bluefin and Aurora because Firefox is a flatpak. Is there a way to hide or remove them in Bluefin and Aurora?
oh i do the same!
in bazaar, look under installed, you can remove them there.
and also install brave there too
if you opened firefox once, you can erase local leftovers from ~/.mozilla folder
(bazzite bazaar offers to remove application data too, i don’t know if that would remove the above. Aurora one doesn’t ask that)
Interesting. I asked because I thought it would be the same as Silverblue and Kinoite that it wasn’t possible to uninstall Firefox because it is part of the base image. Thank you for letting me know as I didn’t even try to look in Bazaar because I just thought it wouldn’t be possible to uninstall it from there.
Brave should not be installed in flatpak form because the Brave team does not recommend it for security reasons. Please see the Brave website here for more information on that.
Thank you again for your help answering my question!
Ah yes that was hard choice, flatpak or os tree layering.
I’ll look more into it, thank you!
I have the same concerns about installing flatpak browsers. You apparently lose integrity of tab isolation. At least nobody seems to know if you do precisely, but it’s different and the developers don’t seem to trust it. I’m running Brave Flatpak now and it works great but e.g. the Layer 1 sandbox should say Namespace and be green if it was sandboxed as developer intended:
I think installing it in a distrobox and then exporting it from the container so you can launch it easily without distrobox commands is probably the most optimal (to get intended browser process sandboxing at least). A couple downsides I see is no automatic updates (but just a couple clicks in DistroShelf) and if you were to launch Brave and then close it, the container stays open consuming resources unless you manually close the container. I don’t remember how much it uses but that’s easy enough to test. Maybe some scripting can take care of that for you. Or if you have other packages you need you can install them in the same container and it won’t matter that it is left open. But if you have plenty of RAM (and I probably do as well so I don’t know why I care) then it’s probably a moot point.
Appimage is best for Chromium based browsers. You get properly working sandboxing and web apps. Distrobox messes with web apps.
I use Gear Lever from Flathub to keep the browser up to date.
Helium comes with appimage. Maybe too early to try that one though
How does distrobox mess with web apps?
If you override the config in the uupd service you can add updating distroboxes to it easily and the normal ublue update process will work with them.
Thanks! I just saw this as well. So I figured there was an easy way to do it.
I just tried and had no issues running Brave in a Fedora container, but I think I’ll just stick with Flatpak for now. It seems a lot of the concerns are outdated (for Chromium at least) as Chromium is now allowed to use SUID sandbox in Flatpak. Firefox based browsers don’t have that however (check about:config in them), so I probably would run them in a container if it was my main browser. Also Flatpak restricts filesystem access and looks to be set up well by default with Brave.
This site explains it at the bottom and as I mentioned, it is dated as it says Chromium based flatpaks are forced to use flatpak sandbox for Layer 1, but they are not anymore:
This is true but according to my research I read someone say Chromium’s native sandboxing relies on unprivileged user namespaces and chroots, which are blocked by Flatpak’s default seccomp-filter to reduce the attack surface.
Even though Brave maintains their flatpak version they are open that it is not working well. Here is their statement on that. Installing Brave on Linux | Brave .
I used Distroshelf, available as a flatpak, as it’s a GUI for Distrobox to install Brave in a container. Distroshelf also makes Brave available to the host with an icon.
The containerization interferes with the desktop integration. Last time I tried it, it could correctly create a desktop entry but clicking on the web app icon would show it just as another browser window rather than under its own desktop entry icon. That’s also what happens with flatpak and snap.
The desktop (KDE or Gnome) has to be configured so that the default app is the distro box app. That usually includes calling distrobox as the command followed by an argument, which specifies the application to be launched.
I used Distroshelf which added Brave to the list of apps. I was then able to select Brave as the default web browser.
You are right. Brave flatpak does not use SUID. It’s just the way they show the flatpak sandbox according to some guys on flathub here because they didn’t patch the code for flatpak:
BUT -
Apparently kernel user namespaces are prone to vulnerabilities as well. That is why they are disabled in hardened Linux kernel. It is conceivable that flatpak sandboxing is more secure. These guys seem to think so:
It seems like Firefox Browsers can’t use Flatpak sandboxing so they lose part of sandbox and these should 100% be run in containers instead.
I wish it was more clear about Chromium browsers but I haven’t found definitive evidence that the flatpak bubblewrap layer 1 sandbox is worse.
Glad you got distrobox working with it though! Ublue makes it easier to remove stock browser as they take it out of the image unlike Silverblue which is nice.
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.
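
The posts above turn on which outer ("Layer 1") sandbox a browser ends up with under Flatpak, in a distrobox container, or on the host, and on whether the kernel permits unprivileged user namespaces at all. As an added example (not from any poster, nor from the Brave, Flatpak or distrobox projects), this POSIX shell script reports both from where it is run; the function names, the verdict strings and the optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Each function takes an optional ROOT prefix so the checks can be
# run against a constructed directory tree; with no argument they inspect the live system.

# userns_state [ROOT] -> enabled | disabled | unknown
userns_state() {
    root="${1:-}"
    max="$root/proc/sys/user/max_user_namespaces"
    # Debian/Ubuntu-style switch; the file does not exist on every kernel.
    clone="$root/proc/sys/kernel/unprivileged_userns_clone"
    if [ -r "$max" ] && [ "$(cat "$max")" -eq 0 ]; then echo disabled; return; fi
    if [ -r "$clone" ] && [ "$(cat "$clone")" -eq 0 ]; then echo disabled; return; fi
    if [ -r "$max" ]; then echo enabled; else echo unknown; fi
}

# runtime_kind [ROOT] -> flatpak | container | host
runtime_kind() {
    root="${1:-}"
    if [ -e "$root/.flatpak-info" ]; then
        echo flatpak        # Flatpak places this file inside every app sandbox
    elif [ -e "$root/run/.containerenv" ] || [ -e "$root/.dockerenv" ]; then
        echo container      # marker files written by podman and docker
    else
        echo host
    fi
}

# layer1_expectation [ROOT] -> "<runtime>:<verdict>"
layer1_expectation() {
    kind=$(runtime_kind "${1:-}")
    ns=$(userns_state "${1:-}")
    case "$kind:$ns" in
        flatpak:*)  echo "$kind:flatpak-sandbox" ;;        # outer layer comes from Flatpak
        *:enabled)  echo "$kind:namespace-possible" ;;     # browser can build its own namespace sandbox
        *:disabled) echo "$kind:namespace-unavailable" ;;  # e.g. hardened kernel, as in the thread
        *)          echo "$kind:unknown" ;;
    esac
}

# Report for the environment this script is started in.
layer1_expectation "${1:-}"
```

Run it once on the host, once inside the distrobox container and once from a shell inside the Flatpak sandbox, then compare each result with the Layer 1 line on the browser's `chrome://sandbox` page.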
