2 comments
Good explanation of the flatpak sandbox escape.<p>For those allergic to LLM writing: Some sentences read very LLM-like, e.g.:<p>> The fix wasn’t “change one function” — it was “audit the entire call chain from portal request to bubblewrap execution and replace every path string with an fd.”
Knowing what to be concerned about in security is a skill, it is possible to overengineer security and put too much effort in non risks.<p>This reminds me of when a student was concerned about the client leaking the server's ip address.<p>Not saying that there aren't vulns, but the fix is fixing the bug and using a standard hardening mechanism like selinux or unix users. I strongly doubt that the root issue is the good old filesystem api everyone has been using for decades, it's more likely to be your code bro