Fedora, FFmpeg, Firefox, Flatpak, and Fusion

Posted Jun 17, 2022 17:04 UTC (Fri) by WolfWings (subscriber, #56790)
In reply to: Fedora, FFmpeg, Firefox, Flatpak, and Fusion by taladar
Parent article: Fedora, FFmpeg, Firefox, Flatpak, and Fusion

Also it makes it incredibly difficult if not impossible to actually update individual libraries when (not if) a security vulnerability happens.

Instead of waiting for your distro to ship an updated OpenSSL... now you need to wait for every containerized package to ship an updated image entirely.


Fedora, FFmpeg, Firefox, Flatpak, and Fusion

Posted Jun 17, 2022 18:36 UTC (Fri) by farnz (subscriber, #17727) [Link] (7 responses)

At least in the case of Flatpak, that's a false statement - you should be using OpenSSL from a runtime, like org.freedesktop.Platform, and as soon as that runtime is updated, you've got an updated OpenSSL in all Flatpaks using the runtime.

The difference between Flatpak and a normal distro is the granularity of dependencies; with Flatpak, my dependencies come in coarse-grained lumps (the runtime I choose, and any runtime extensions I add), rather than in the fine-grained set a distro gives you. And I'm expected to bundle dependencies that aren't in a runtime.

Fedora, FFmpeg, Firefox, Flatpak, and Fusion

Posted Jun 17, 2022 20:10 UTC (Fri) by intelfx (subscriber, #130118) [Link] (6 responses)

> you should be using OpenSSL from a runtime, like org.freedesktop.Platform, and as soon as that runtime is updated, you've got an updated OpenSSL in all Flatpaks using the runtime

Is that so? Don't flatpak applications "bind" to the specific runtime version/hash they were built against, so that the resulting rootfs is immutable?

Fedora, FFmpeg, Firefox, Flatpak, and Fusion

Posted Jun 17, 2022 22:37 UTC (Fri) by dbnichol (subscriber, #39622) [Link] (5 responses)

No, they're just bind mounted together read only at runtime. An app binds to a particular branch of a runtime, but the particular commit that points to can change.

Fedora, FFmpeg, Firefox, Flatpak, and Fusion

Posted Jun 21, 2022 1:32 UTC (Tue) by WolfWings (subscriber, #56790) [Link] (4 responses)

But that's what I meant originally: You're stuck waiting for the package that calls OpenSSL to update to reference the newer OpenSSL version or verifying they're not version-locked... you can't just update the system-wide single OpenSSL install and know you're done with it.

It moves the version-tracking load to the SysAdmin much more heavily having to know about everything instead of just updating the actual vulnerable package once and done, which is literally the entire point of ABIs and APIs that don't wildly change.

Fedora, FFmpeg, Firefox, Flatpak, and Fusion

Posted Jun 21, 2022 1:58 UTC (Tue) by mjg59 (subscriber, #23239) [Link] (2 responses)

No, you're not. Flatpaks depend on runtimes like 21.08, and 21.08 then gets updated with security fixes.

Fedora, FFmpeg, Firefox, Flatpak, and Fusion

Posted Jun 21, 2022 9:50 UTC (Tue) by kleptog (subscriber, #1183) [Link] (1 response)

That's actually a neat trick. Sometimes it would be useful to be able to replace layers in Docker images with updated versions without having to rebuild the whole thing. The standard tools don't really support this.

Of course, it affects your reproducibility, since the image as run might not exactly match the image if you built it again. But if you're careful with the updates this should work quite well.

This article has raised my appreciation of Flatpak somewhat, which wasn't what I expected.

Fedora, FFmpeg, Firefox, Flatpak, and Fusion

Posted Jun 21, 2022 16:57 UTC (Tue) by dbnichol (subscriber, #39622) [Link]

The freedesktop runtime (as well as the GNOME runtime) is built with BuildStream, which is pretty solid with reproducibility by using a distributed object cache. Also, since the flatpak distribution method is ostree and therefore file level, there are immediate benefits of reproducibility since there are smaller updates. For that reason, the runtime developers seem keen to add reproducibility fixes.

https://gitlab.com/freedesktop-sdk/freedesktop-sdk
https://www.buildstream.build/

Fedora, FFmpeg, Firefox, Flatpak, and Fusion

Posted Jun 21, 2022 9:35 UTC (Tue) by farnz (subscriber, #17727) [Link]

No - you update the runtime that contains OpenSSL to a new patch version, and all Flatpaks that depend on that runtime pick up the update automatically when they're next restarted. This is exactly the same level of complexity as updating OpenSSL by updating a single .deb, but with the proviso that the amount of data to transfer could be larger (since you're updating a whole runtime, and therefore picking up other fixes, not just targeting an OpenSSL fix).

You still face the problem of applications that are tied to runtimes that no longer get security updates - but that's a similar level of admin burden as handling applications that only link against unsupported OpenSSL versions, where you need to backport a fix from the version of OpenSSL in Debian Buster to the version that shipped with Debian Potato, or update the application to a newer version that runs on a newer runtime, or remove the application.
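The thread's two practical points (apps share a runtime branch, so one runtime update patches all of them; apps pinned to a runtime branch that no longer gets fixes are the remaining admin burden) can be turned into a quick inventory check. The script below is an added example, not code from any commenter or from the Flatpak project; it assumes the tab-separated `application`/`runtime` output of `flatpak list --app --columns=application,runtime` (the sample here is constructed, as is the set of branches treated as end-of-life).

```python
"""Inventory Flatpak apps by runtime branch and flag ones on EOL runtimes."""
import re
from collections import defaultdict

# Constructed sample of `flatpak list --app --columns=application,runtime`
# output (tab-separated). Not captured from a real system.
SAMPLE_LIST = """\
org.mozilla.firefox\torg.freedesktop.Platform/x86_64/21.08
org.gnome.Maps\torg.gnome.Platform/x86_64/42
com.example.OldTool\torg.freedesktop.Platform/x86_64/19.08
org.videolan.VLC\torg.kde.Platform/x86_64/5.15-21.08
"""

# Constructed: runtime branches the admin treats as no longer receiving
# security fixes. In practice this comes from the runtime publisher's
# end-of-life notices (flatpak also warns about EOL refs on update).
EOL_BRANCHES = {("org.freedesktop.Platform", "19.08")}

# A runtime ref is id/arch/branch, e.g. org.freedesktop.Platform/x86_64/21.08
REF_RE = re.compile(r"^(?P<id>[^/]+)/(?P<arch>[^/]+)/(?P<branch>[^/]+)$")


def parse_list(text):
    """Return a list of (app_id, runtime_id, arch, branch) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, ref = line.split("\t", 1)
        m = REF_RE.match(ref.strip())
        if m is None:
            raise ValueError(f"unexpected runtime ref: {ref!r}")
        rows.append((app.strip(), m["id"], m["arch"], m["branch"]))
    return rows


def apps_by_runtime(rows):
    """Group apps under the (runtime, branch) they share: updating that one
    runtime branch patches every app in the group, as the thread describes."""
    groups = defaultdict(list)
    for app, rid, _arch, branch in rows:
        groups[(rid, branch)].append(app)
    return dict(groups)


def eol_apps(rows, eol=EOL_BRANCHES):
    """Apps pinned to an EOL runtime branch: these will not pick up fixes and
    need a newer app version, a move to a newer runtime, or removal."""
    return sorted(app for app, rid, _arch, branch in rows if (rid, branch) in eol)


if __name__ == "__main__":
    rows = parse_list(SAMPLE_LIST)
    for (rid, branch), apps in sorted(apps_by_runtime(rows).items()):
        print(f"{rid}//{branch}: {', '.join(apps)}")
    print("apps on EOL runtimes:", eol_apps(rows))
```

Feed it real output by replacing `SAMPLE_LIST` with the captured command output; the EOL set still has to be maintained by hand from the runtime publisher's announcements.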


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds