PipeWire sound server permission marks application as potentially unsafe #1919
Comments
|
PipeWire isn't just a sound server - it handles screen sharing, cameras, and all sorts of multimedia devices too. It should 100% be marked as potentially unsafe. How it's marked as potentially unsafe is the topic for discussion here. |
|
Do you mean flatpak applications should avoid pipewire and use pulseaudio to be safe? I want to get rid of this for my application, not a clearer statement. I don't think my application should be marked as such just because it uses the more modern API. |
|
I don't mean anything - it's up to the apps to choose what they want to use here. But safety warnings don't really matter right now, until quite a few portals land (an expanded Device portal, for one). |
It seem to stuck for two years already? |
|
I'd wonder what's the recommended approach to avoid application being marked as potentially unsafe for now 🤔 |
Contributions welcome. |
|
@ilya-fedin can you try if this also happens in gnome software (ideally gnome software 45) if it does happen there:
if it doesn't, I probably missed it when I implemended this. |
|
It would also be great to let us know which apps you were able to test this with, I'm not feeling like I should have to hunt this down :) |
|
@razzeee I don't think I can, I'm a NixOS KDE user, installing GNOME software will likely be a big headache (will require activating addition services in the system config but I don't want to rebuild my system now)... |
|
@ilya-fedin I can probably check it for you, I have a vm and a laptop already on 45, but I will need an app with that permission set |
|
https://github.com/search?q=org%3Aflathub%20--filesystem%3Dxdg-run%2Fpipewire-0&type=code |
|
Yeah, this seems to be an oversight in g-s too, I think. I'll open an issue over there. |
|
https://gitlab.gnome.org/GNOME/gnome-software/-/merge_requests/1811/diffs is the current state of gnome software |
|
Do I understand right that pulseaudio access will still be displayed as safer than pipewire access? |
|
I don't think so, but can you point me to an example/finish-arg? |
|
finish arg of what? pulseaudio access? |
|
As far as I know, that only allows audio playback (at least if https://docs.flatpak.org/en/latest/sandbox-permissions.html#standard-permissions is right) which should be safe. The pipewire file, allows you to play sound, record sound, access the camera, the screen contents etc. |
|
It also allows to record the sound. Or apps like Discord wouldn't work. It's an unsandboxed access to the pulseaudio socket, just determining the socket path on your behalf. |
|
Right, can you report this to gnome software and link us here to that issue? |
|
I'm not sure I can given that I don't use gnome software? I wouldn't be able to answer gnome software-specific questions. |
|
Lurking regarding the |
According to flatpak/flatpak#5130 (comment),
--filesystem=xdg-run/pipewire-0is the right permission for PipeWire acting as sound server yet flathub website marks applications as potentially unsafe with the following:PulseAudio permission doesn't cause such a problem.
The text was updated successfully, but these errors were encountered: