
[Feature request]: Security updates only, in arguments

Open IkelAtomig opened this issue 1 year ago • 8 comments

Checklist

  • [X] I agree to follow the Code of Conduct that this project adheres to.
  • [X] I have searched the issue tracker for a feature request that matches the one I want to file, without success.

Suggestion

It would be better to have flatpak update --security only update apps that have a CVE to fix, instead of updating all the apps available in the update catalog, similar to apt and dnf.

IkelAtomig avatar Jul 06 '24 10:07 IkelAtomig

Missing CVEs are a poor indication of a non-security update.

rusty-snake avatar Jul 06 '24 10:07 rusty-snake

It's impossible because there is nothing to indicate whether it's a CVE or not. It's already hard to get proper release notes. All of that relies on the package maintainers.

hfiguiere avatar Jul 06 '24 13:07 hfiguiere

I think it's generally at odds with the Flatpak idea of developers being able to ship fresh apps to users instead of being gatekept by distros shipping outdated code.

Erick555 avatar Jul 08 '24 11:07 Erick555

I proposed this idea for LTS-based distros. Say for Ubuntu, where users could configure the update manager to download and apply only security updates, daily. So, in that case, it will be automatically updated.

In the meantime, other updates are configured for the weekend or once a month.

This would suffice for the system. I understand Flatpak is about fresh apps. What I meant is not backporting fixes, but rather application updates that are tagged with a CVE, prioritized by the system/distro's update manager along with system apps.

IkelAtomig avatar Jul 12 '24 05:07 IkelAtomig

> application updates that are tagged with CVE

The absence of a CVE (tag) does not mean it isn't a security update.

rusty-snake avatar Jul 12 '24 06:07 rusty-snake

No, but enforcing such a tag would pull only those instead of all other updates.

IkelAtomig avatar Jul 12 '24 08:07 IkelAtomig

Even if you enforce a boolean is_security_release flag to be present, would the value be accurate? Would some packagers just set it "better safe than sorry" and others only if they have evidence that it is a security release (i.e. if it is, but they do not have evidence, it is not set)?

TL;DR: I don't think you can safely divide updates into security/non-security. It will always be a theater with inaccurate/misleading flags.

rusty-snake avatar Jul 12 '24 08:07 rusty-snake

Enforcing is a better idea, in the context of mandating the developer to say whether it's a CVE or a regular update. I think it would be the better option and also caters to the needs of those who need security-only updates and also those who need the newest version.

For example, Firefox is updated; it has both security and feature changes. If I use dnf update --security, it is still fetched into the update list.

This is a better option for LTS users. Just keep Flatpak fetching everything by default and leave the --security flag to the LTS distros and the users.

IkelAtomig avatar Jul 12 '24 09:07 IkelAtomig