Are there any downsides to using Homebrew as a package manager on Linux?
I'm especially concerned about it being somehow broken, unwieldy, insecure or privacy-invasive.
Case in point; at times I have to rely on a Chromium-based browser if a website decides to misbehave on a Firefox-based browser. Out of the available options I gravitate towards Brave as it seems like the least bad out of the bunch.
Unfortunately, their RPM-package leaves a lot to be desired and has multiple times just been awful to deal with. So much so that I have been using another Chromium-based browser instead that's available directly from my distro's repos. But..., I would still switch to Brave in an instant if Brave was found in my distro's repos. A quick search on repology.org reveals that an up-to-date Brave is packaged in the AUR (unsurprisingly), Manjaro and Homebrew. I don't feel like changing distros for the sake of a single program, but adding Homebrew to my arsenal of universal package managers doesn't sound that bad. But, not all universal package managers are created equal, therefore I was interested to know how Homebrew fares compared to the others and if it handles the packaging of the browser without blemishing the capabilities of the browser's sandbox.
P.S. I expect people to recommend me Distrobox instead. Don't worry, I have been a staunch user of Distrobox for quite a while now. I have also run Brave through an Arch-distrobox in the past. But due to some concerns I've had, I chose to discontinue this. Btw, its Flatpak package ain't bad either. But unfortunately it's not official, so I choose to not make use of it for that reason.
...why would you use homebrew on linux?
You already use an arch container that has access to the AUR, which has literally every package, available on linux.
Also, if anything, flatpaks are THE official (universal) packaging format for Linux, it's the most widely adopted and most well integrated of the universal packaging formats. I'm not saying that homebrew is bad, just why bother with it when you've got 100 other packaging formats that are all better...
Call me paranoid if you will.
I don't deny that, I make good use of a ton of flatpaks on my system. I also believe that it's the best we have. And I would literally switch to Brave as a flatpak if it would satisfy the following:
I rely on flatpaks for all non-firefox browsers and haven't had any issues with them, I've used the brave flatpaks specifically for almost a year now and no issues...
it's still factual that flatpaks sandbox is weak by default, especially compared to what chromium provides on its own.
The web process sandboxing is basically the same inside and outside of flatpak.
Would you mind elaborating? First time hearing this and a quick search didn't resolve it.
https://github.com/refi64/zypak
It lets Chromium use flatpak sub-sandboxes and is basically identical to its normal sandbox in terms of permissions.
I am thankful that zypak exists so that Chromium-based browsers and Electron apps don't have to explicitly flag
--no-sandboxto continue functioning. However, it doesn't undermine the fact that native Chromium's sandbox is more powerful than Flatpak's sandbox. As such, if one desires security, then one should gravitate towards the native installed one.Are you sure that's the case?
The sandbox is not weakened meaningfully. It’s in a different namespace, no filesystem, no network, no GPU, seccomp rules still applied.
Unfortunately, you didn't -to my knowledge- support nor retract your claim on Chromium using flatpak sub-sandboxes. Therefore, I find it hard to continue taking your words at face value.
I have enjoyed these interactions, so don't get me wrong; but if I (possibly) catch you on spreading misinformation (even if unintentional), then I find it hard to keep engagement up as there's no guarantee that anything else coming from you is actually correct.
I would love to be corrected on this though, so please feel free if I have misunderstood you or anything else that would revive this conversation. If not, then I would still like to thank you from the bottom of my heart for this friendly interaction we've had. Take care!
I linked the source but sure, I'll link it more for you.
The portal code is here: https://github.com/refi64/zypak/blob/ded79a2f8a509adc21834b95a9892073d4a91fdc/src/dbus/flatpak_portal_proxy.h
The actual code that Chromium calls is here: https://github.com/refi64/zypak/blob/ded79a2f8a509adc21834b95a9892073d4a91fdc/src/helper/spawn_latest.cc#L21
This calls the
org.freedesktop.portal.Flatpakservice.This service is here: https://github.com/flatpak/flatpak/tree/main/portal
The
Spawnmethod creates a new sandbox completely isolated from the originating sandbox.I am aware, but the same source seemingly contradicted your point^[1]^ regarding sub-sandboxing.
Wow, thanks a lot for the work you've put into this! It might take some time for me to go through this, but I'll definitely take a look and perhaps I'll return on this at a later point. Perhaps with this I will finally be able to install my Chromium-based browsers as a flatpak and don't feel bad about it.
Once again, your engagement has been much appreciated! So please feel free to let me know if I can buy you a coffee or something 😊! Unfortunately, statements like "Thank you so much!" don't quite capture the sheer magnitude of gratitude I feel towards you right now. For whatever it's worth; I salute you, good human.
The comment on there is odd, I’m not even sure what that issue is referring to. Not much exciting happened in that release for new features but there were subsandbox security fixes https://github.com/flatpak/flatpak/compare/1.10.8...1.12.0
I think I already addressed that point with
If you meant something else, then please feel free to correct me.
Officially supported doesnt mean its more stable. They can just take binaries, add dependenciesy tadaa.
Bubblewrap is not insecure. But I am not an expert
Never implied that anyways. Official merely ensures that the amount of trusted parties can be minimized.
Bubblewrap, when properly applied is indeed excellent; perhaps the best utility to sandbox applications on Linux. I'm thankful that flatpaks makes use of bubblewrap, namespaces and seccomp to offer relatively safe/secure apps/binaries, I'm unaware of any other '(universal) package manager' within the Linux-space that offers similar feats in that regard. Unfortunately, Chromium-based browsers just happen to have an even stronger sandbox -if properly configured- than flatpaks are currently capable of.
Okay true. I am not so much into this Browser sandbox thing and dont really get it. Its a different way than bubblewrap, as from Firefox RPM for example I can open any file and save anywhere. But its process isolation right?
For Firefox, the verdict on its native sandbox vs Flatpak's native sandbox doesn't seem conclusive. With -assumingly- knowledgeable peeps on both sides of the argument, which indeed does raise the question how knowledgeable they actually are. Nonetheless, for myself, I've accepted Flatpak's sandbox to not be inferior to Firefox' native one. Thus, I don't see any problem with using its flatpak.
Apart from having all the nice KDE integration and things like Keepass integration, Fido2 keys, drag and drop and some more things...
Also afaik the Fedora Firefox has a good SELinux profile and it runs damn fast. I did a speed test and it was best, along with Mozillas all-together-binary.
I'm a sucker for GNOME :P , but I'll keep it in mind.
The flatpak does allow integration, but isn't built-in unfortunately; so one has to fiddle a bit themselves to set it up.
I should rely more on those. Do you have any recommendations? I've been hearing good things about Nitropad and Yubico, but I honestly don't know if they're actually good and how they would fare amongst eachother.
Overrated anyways /s :P .
It's probably better configured with the native package than the flatpak one indeed. I wonder if this will change as Fedora is interested to ship Firefox as a flatpak by default on Silverblue (and variants).
I haven't had the best internet speeds since I've been relying on free VPN. But that's on me :P .
Fedora packages a Flatpak Firefox themselves, based off the RPM. So its good too, but lacks codecs with currently no way to enable them so yeah. They would need am extension of some sort hosted on Flathub. So simply using Firefox Flatpak from Flathub makes more sense.
I got a Nitrokey for Heads but for some reason it never arrived? I can say these things are very expensive. And Heads uses PGP and not others.
I somehow forgot that Fedora also had Firefox in their flatpak repos.
You know what's good, fam.
That's messed up, though.