<div dir="ltr"><div>I've been using LibreWolf for a few months now, and I like it better than FF (Chrome is out of the question!)</div><div><br></div><div>LibreWolf can be a bit fussy sometimes, and cause some websites to fail, but overall it's a solid browser.</div><div><br></div><div>As to Snaps versus Flatpak, I actually dropped Ubuntu after many years because they were getting too pushy with the Snaps business. They were getting too Microsoftish in trying to shoehorn users to do things their way. I'm now on Debian and much happier. I do use Flatpak on occasion, but mostly I live in the package manager, or even the occasional AppImage.</div><div><br></div><div><br></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Tue, 21 Oct 2025 at 16:21, Doug Moen &lt;<a href="mailto:doug@moens.org">doug@moens.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On my Linux desktop systems, I use flatpak instead of snap.<br>
The main difference, from my perspective, is that flatpak puts the user in control of their experience, and puts the developer in control of what they ship, while with snap, Canonical is in control.<br>
<br>
I can add or remove sandbox permissions from a flatpak using "flatpak override ...".<br>
<br>
My phone runs GrapheneOS. Graphene has a richer set of sandbox permissions than Android (eg, you can deny network access). As a user, I can add or remove permissions from my apps.<br>
<br>
For me, flatpak and GrapheneOS are the best available solutions (for desktop and mobile) of the problem that Mikalai describes.<br>
<br>
For desktop browsers, I have replaced Firefox with LibreWolf, and I have replaced Chrome and Chromium with Ungoogled Chromium. Both provide superior security, privacy and control. Of the two, I like LibreWolf better, but I like to have multiple browsers based on different engines. For me, LibreWolf takes the GrapheneOS attention to detail for security, privacy and user control, and applies those values to a desktop web browser.<br>
<br>
<a href="https://librewolf.net/" rel="noreferrer" target="_blank">https://librewolf.net/</a><br>
<br>
Mikalai talks about curated and trusted app stores. The important thing is that you should have a choice, rather than the corporation that owns the platform having total control.<br>
<br>
On Kinoite, the flatpak app store defaults to a selection of apps that are endorsed by the Fedora project. There is a button for adding Flathub as an additional source, and Flathub is more of a free-for-all. The flatpak ecosystem was designed to support multiple app stores, and I'm already subscribed to two of them on Kinoite.<br>
<br>
On Android, I do not trust the Google Play Store and I won't use it. I get most of my apps from the F-Droid official repo, because I consider them to be the most trustworthy. The F-Droid client permits you to add additional repos curated by other people with different priorities, and I have added some additional repos for a handful of the apps I've installed.<br>
<br>
Doug.<br>
<br>
----- Original message -----<br>
From: Mikalai Birukou via kwlug-disc &lt;<a href="mailto:kwlug-disc@kwlug.org" target="_blank">kwlug-disc@kwlug.org</a>&gt;<br>
To: <a href="mailto:kwlug-disc@kwlug.org" target="_blank">kwlug-disc@kwlug.org</a><br>
Cc: Mikalai Birukou &lt;<a href="mailto:mb@3nsoft.com" target="_blank">mb@3nsoft.com</a>&gt;<br>
Subject: Re: [kwlug-disc] linux distro ... -> sandboxed runtimes<br>
Date: Tuesday, October 21, 2025 2:08 PM<br>
<br>
There is an important aspect with sandboxed runtimes. Sandbox doesn't <br>
allow program to "do anything", requiring permissions, ... but who <br>
should be passing a judgement call: "Big Store" or a "little user/me".<br>
<br>
Context quote:<br>
<br>
> My own personal experience with Snap as a developer is such that I won't allow Snap on any of my machines. When I was working on the Curv open source project, a contributor created a snap package for Curv. I tested it, and it didn't work on my machine due to a sandboxing problem. But Blender, another 3D modelling program, did work on my machine in snap form. The difference was in the sandboxing parameters. I asked the contributor to use the same sandboxing parameters for the Curv snap as was used by the Blender snap. The answer was: this is impossible, because Canonical would not accept the Curv snap with those parameters, and therefore it was impossible to distribute the snap. Only Canonical had the power to allow Curv to run correctly, and the Curv project did not have the same level of political power as the Blender project, so we were out of luck.<br>
<br>
Let's replace: snap -> Android Google Play store, parameters for Curv -> <br>
permission to use camera, -- and we would get a similar situation where <br>
another "Big Store" makes decision on behalf of users, ... to protect, <br>
of course, ... while removing any freedom from users, by removing <br>
competition.<br>
<br>
Argument would then go, "how could little user/me" know?<br>
<br>
Let me come back to short discussion at our October meeting:<br>
- many of these systems with sandboxed runtimes for apps have explicit <br>
permissions parameters, in manifests.<br>
- tools can be made to analyze relationships and give "little user" <br>
actionable suggestions. Information is there, in every user's system.<br>
- such tools were not observed, even by those who are tasked with <br>
making information security judgements.<br>
<br>
What if there is a meaningful help to "little user" for making <br>
permissions? Then the "free world" stops being a synonym with "dangerous <br>
world".<br>
What if it is a "middle user", organization's admin? Then we can have <br>
secure organization context without giving all controls to "Big Co's", <br>
with their tendencies.<br>
<br>
Note that browsers are also similar sandboxed runtimes, and many learn <br>
phrase "User Agent" first in browser context. Hence, experience with <br>
browsers is also relevant here.<br>
<br>
<br>
<br>
_______________________________________________<br>
kwlug-disc mailing list<br>
To unsubscribe, send an email to <a href="mailto:kwlug-disc-leave@kwlug.org" target="_blank">kwlug-disc-leave@kwlug.org</a><br>
with the subject "unsubscribe", or email<br>
<a href="mailto:kwlug-disc-owner@kwlug.org" target="_blank">kwlug-disc-owner@kwlug.org</a> to contact a human being.<br>
<br>
</blockquote></div>
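<div>An added example, not part of either message in this thread: one way the manifest-analysis tool described in the quoted message could look for Flatpak, reading an app's static permissions and proposing the "flatpak override" command that revokes each broad grant. The sample metadata, the app id org.example.Viewer and the choice of which grants count as broad are assumptions of this example.</div>

```python
import configparser

# Constructed sample in Flatpak's metadata keyfile format, as printed by
# `flatpak info --show-metadata APP`. The app id is hypothetical.
SAMPLE_METADATA = """\
[Application]
name=org.example.Viewer
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=wayland;x11;pulseaudio;
devices=all;
filesystems=home;xdg-download:ro;
"""

# (context key, value) maps to (why a user might care, override flag that revokes it).
# Which grants count as "broad" is this example's assumption, not a standard.
BROAD_GRANTS = {
    ("shared", "network"): ("full network access", "--unshare=network"),
    ("sockets", "x11"): ("X11 lets clients observe other windows and input", "--nosocket=x11"),
    ("devices", "all"): ("every device node, including cameras", "--nodevice=all"),
    ("filesystems", "host"): ("nearly the whole host filesystem", "--nofilesystem=host"),
    ("filesystems", "home"): ("the entire home directory", "--nofilesystem=home"),
}

def audit(metadata_text):
    """Return (permission, reason, suggested command) for each broad grant."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(metadata_text)
    app_id = parser.get("Application", "name", fallback="APP_ID")
    findings = []
    if not parser.has_section("Context"):
        return findings  # no [Context] section means no static permissions
    for key, raw in parser.items("Context"):
        for entry in filter(None, raw.split(";")):
            # filesystems entries may carry a mode suffix such as ":ro"
            value = entry.split(":")[0] if key == "filesystems" else entry
            rule = BROAD_GRANTS.get((key, value))
            if rule:
                reason, flag = rule
                cmd = f"flatpak override --user {flag} {app_id}"
                findings.append((f"{key}={entry}", reason, cmd))
    return findings

if __name__ == "__main__":
    for permission, reason, cmd in audit(SAMPLE_METADATA):
        print(f"{permission}: {reason}\n  to revoke: {cmd}")
```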