A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
flatpaks arn’t any safer and with how poor the sandbox is handled by 99% of devs. Hell flatpaks have a new issue every other month. Its almost more often to see a new flatpak problem then aur problem.
Its literally no safer in reality sure on paper its safer but reality has proven that flatpaks just are not some magical fix to this problem.
Hell half the time when flatpaks do have issues they go unaddressed or fixed for months after they are found. While AUR problems get smacked real fucking fast after they are found.
I haven’t heard about all of these flatpak malware incidents.
I agree that Flatpak’s utilization of sandboxing is weaker in practice than is marketed. I get that many apps ship with home/host filesystem access instead of granular permissions, but it does provide meaningful isolation when used correctly.
The one positive with flatpak is that it allows for universal deployment. A lot of projects are providing official builds. But you are still relying on them to vet what they put in.