Are flatpaks not all sandboxed? I thought the concept of flatpak and snap was that it offered sandboxing in a way that was never implemented for normal repo packages.
Flatpak uses kernel namespaces (like docker) to run software with a bundled set of libraries. From their FAQ:
> Flatpak mostly deployed as a convenient library bundling technology early on, with the sandboxing or containerization being phased in over time for most applications.
I don't really know if sandboxing is worth it for me. Running everything inside docker containers sounds like an absolute nightmare when it comes to troubleshooting. You might think logs and things would be well defined and put in the right place for the OS to pick up, but if things were so well behaved we wouldn't feel the need for sandboxing now, would we?
Flatpak is one piece of a broader design to secure Linux workstations. It is also intended to work in conjunction with Wayland and the in-development Pipewire. These lock down video and audio respectively, so that shared resources can't be misused by applications.
No, these are bind mounted. Most Linux programs have a standard configuration directory. The application files that don't change would probably be sandboxed so that they can be easily upgraded.