Being able to open videos from /tmp #118
Comments
|
In your system you can set |
|
You may also use flatpak firefox where it will work out of the box. |
|
I simply added the permission to "/tmp:ro" locally, using Flatseal, but I opened this issue because I think not everyone know/wants to change the default permissions, so it might be nice to add it by default, if possible. |
|
This issue is not vlc specific - it affects all flatpaks, see flathub/org.libreoffice.LibreOffice#138 for example. The argument about changing defaults works both ways and you will never please everyone with so I recommend to move on if you fixed it yourself already. |
|
I agree that this issue is greater that VLC alone, but from the user perspective, this is still an issue, especially if you compare to the distro-native package. Overall, I appreciate the security reasons behind it, and I'd not ask to add security holes in the sandbox of closed-source apps, because we can't know what they are doing on the filesystem. That said, for open-source apps, I don't really understand why we can't take the same security measures as with the native package. I know that no security hole is always better than one security hole, but we also need to consider the users here, IMO. Flatpak is being used more and more as a replacement of the native packaging system for desktop apps, and it's advertised as such. But this behavior, from the non-technical user perspective, feels like Flatpak injects a regression. |
|
Native packages have no security measures at all. If you make flatpaks the same then what's the point of all of it? It doesn't really matter if app is closed or open source when you use it to open potentially malicious files you just downloaded from the web. Flatpak was made to promote modern, secure solutions on linux desktop like portals which vlc and many other flatpaks supports. You need to consider users who use flatpak for security improvement for whom replacing no security with no security make flatpak pointless. Using /tmp for sharing files is anti-pattern and IMO allowing /tmp for all flatpaks is worst solution which only seals insecure status quo. As I said if you used ff flatpak (or even snap) you wouldn't have this issue. |
|
As I said, I appreciate the reasons. I still respectfully disagree (as I explained), but I'll close this issue nonetheless. |
Problem:
As a user, when I open the URL of a video in my browser, I am asked either to open the video in the video player of my choice, or download the video. In the case of VLC (using Flatpak), if I choose to play the video directly, VLC can't read it and fails with this error:
Solution:
Add
/tmp:roto the list of permissions.But this would not fix everything since
/tmpis only used for browsers using the native package system. For that, I don't know if Flatpak has a solution already in place.The text was updated successfully, but these errors were encountered: