
Linux desktop is not secure at all. Basically anything you install can do anything without limitations. In a few minutes I could whip up a VSCode plugin that sends me your browser session storage and have access to all of your everything.

It's getting a lot better with Flatpak, Wayland, and PipeWire, but the pieces are still being put in place for an actually secure Linux desktop that comes anywhere close to the security of MacOS and iOS.



> In a few minutes I could whip up a VSCode plugin that sends me your browser session storage and have access to all of your everything.

Yeah I know but I’m saying despite that Linux is more secure in practice. Most software is not distributed as some random VS Code extension, but as FOSS projects with all the checks and balances of the distro maintainers. That’s who keeps you safe at night, and it works remarkably well.

Capability permission in all its glory, but it’s not a panacea. What happens in practice is that an app asks for permission to your bank account and eternal soul, and then users say “well, I guess I need to if I want this Instagram filter” and there you go. So it’s not as easy as retrofitting sandboxing onto the OS. Neither am I claiming it’s easy to solve. What I am saying is the App Store model is largely security theatre.


> Linux desktop is not secure at all. Basically anything you install can do anything without limitations.

This is ridiculously false.


Every traditional package manager I’ve seen installs programs as root, and they can do basically everything, including adding services to systemd as root or modifying configs in /etc, for example.

It’s only the newer stuff like Flatpak that brings some sanity to the installation process.
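As an added illustration of the install-time powers this comment describes (not code from anyone in the thread): a small Python script that unpacks a .deb without dpkg and lists its maintainer scripts, which dpkg runs as root, plus any files it drops under /etc or the systemd unit directories. This is the kind of review a maintainer or admin would do before installing; the sample package is constructed inline and is not a real Debian package.

```python
import io
import tarfile

SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}  # run as root by dpkg
PRIVILEGED = ("etc/", "lib/systemd/system/", "usr/lib/systemd/system/")

def ar_members(blob):
    """Yield (name, data) from an 'ar' archive, the outer container of a .deb."""
    pos = 8  # skip the b"!<arch>\n" global header
    while pos + 60 <= len(blob):
        size = int(blob[pos + 48:pos + 58])  # 60-byte member header, decimal size
        yield blob[pos:pos + 16].decode().rstrip(" /"), blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # member data is padded to an even length

def audit_deb(blob):
    """Report maintainer scripts (run as root) and files landing in privileged paths."""
    report = {"scripts": {}, "privileged_paths": []}
    for name, data in ar_members(blob):
        if not name.startswith(("control.tar", "data.tar")):
            continue  # the remaining member is the "debian-binary" version marker
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar:
                path = m.name.lstrip("./")
                if name.startswith("control") and path in SCRIPTS:
                    report["scripts"][path] = tar.extractfile(m).read().decode()
                elif name.startswith("data") and path.startswith(PRIVILEGED):
                    report["privileged_paths"].append(path)
    return report

def _tar_gz(files):  # constructed helper: {path: bytes} -> tar.gz bytes
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def _ar(members):  # constructed helper: [(name, bytes)] -> ar archive bytes
    out = b"!<arch>\n"
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return out

# Constructed minimal sample, not a real Debian package: postinst enables a unit; files land in /etc and the unit dir.
SAMPLE_DEB = _ar([("debian-binary", b"2.0\n"),
    ("control.tar.gz", _tar_gz({"./postinst": b"#!/bin/sh\nsystemctl enable demo.service\n"})),
    ("data.tar.gz", _tar_gz({"./usr/bin/demo": b"", "./etc/demo.conf": b"level=1\n",
                             "./lib/systemd/system/demo.service": b"[Unit]\n"}))])
```

Running `audit_deb(SAMPLE_DEB)` shows the postinst text and the two privileged paths, while the binary under /usr/bin is not flagged.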


While this is true, in practice it's more secure than you'd see on most operating systems.

The reason being that the software is typically from a centralized, trusted repo that has been vetted by maintainers. The software is typically OSS, and it's not the app developer who releases it to you, the customer. It's the maintainer who packages it and will even apply custom fixes to it.

Yes, there's some trust here. But historically, there are very few examples of rogue Debian maintainers doing something naughty. Whereas on, say, the Play Store, the app dev distributes the app to you and the Play Store just does some preliminary black-box checks. They're not getting the code and packaging it like a Debian maintainer would.

Some distros, like Debian, even FORCE app devs to use the system-provided libs - they can't statically link their own library code. So they're pinned to a particular version of OpenSSL, libc, wlroots, libpng, etc. This prevents a huge variety of supply chain attacks. You can't bundle a compromised version of any one of the libs.

And lastly, in stable distros the software typically goes through many routes before landing on a customer device. For Debian, you're looking at months of real-world usage in testing and unstable before you see the software. This finds out vulnerabilities - this is why, for example, Debian stable never had to deal with the XZ vuln. This isn't true for direct-to-customer app stores.
