VLC pulling in firewall rule changes seems like a slight security hardening problem
Describe your issue
When installing VLC, the following packages are pulled in: postmarketos-config-nftables-chromecast postmarketos-config-nftables-mdns postmarketos-config-nftables-upnp-client postmarketos-config-nftables-vlc-chromecast. According to the package descriptions themselves, these are firewall rules. if I install VLC for local media playback, I shouldn't be forced to make firewall changes whatsoever - yet it seems like those dependencies are mandatory. If I'm just missing something or misunderstanding a part of this then I apologize, admittedly I'm usually not touching nftables much.
What's the expected behaviour?
VLC doesn't require any firewall changes whatsoever if I don't plan to make use of them. Edit/Clarification: as a default it's okay, but there should be an obvious way to opt out. The common approach that users will be familiar with from other distributions would be to make use of some mechanism like recommended-but-not-required dependencies.
What's the current behaviour?
VLC seems to require firewall changes which I assume let various services through, if the user doesn't plan to use them there should be a way to opt-out. As "recommended" dependency type that gets pulled in by default these would make sense, but as long as apk doesn't have that dependency type, that package setup seems problematic.
How to reproduce your issue?
Install vlc-qt and observe dependencies pulled in
What device are you using?
Steam Deck, PinePhone Allwinner 3GB RAM. The problem exists on both devices, I tested.
On what postmarketOS version did you encounter the issue?
-
edge (
masterbranch) -
v24.06 -
v23.12(supported until 2024-07-16) -
I confirm that the issue still is present after running
sudo apk upgrade -a
On what environment did you encounter the issue?
Environments
- GNOME Shell on Mobile
- Phosh
- Plasma Mobile
-
Sxmo (Wayland/Sway) Please post the output of
sxmo_version.sh - Other: KDE Plasma
How did you get postmarketOS image?
- from https://images.postmarketos.org
- I built it using pmbootstrap
- It was preinstalled on my device
What's the build date of the image? (in yyyy-mm-dd format)
Additional information
Activity
added security label
I shouldn't be forced to make firewall changes whatsoever
You are not. In fact you can revert the changes.
I'm usually not touching nftables much
When the security is one of your concern, it's high time that you learnt about it instead of talking without doing anything.
VLC doesn't require any firewall changes whatsoever if I don't plan to make use of them
And sure, you are the owner, and the device is always yours by the way. You are free to tweak and customise it, including the nftables rules.
Just like dishes, the security won't be done by itself. If you have no idea how, please ask for questions in matrix chats.
We expect features work as-is and user doesn't need to mess with them, so the nftables rules are necessary.
By Raymond Hackley on 2024-07-14T08:04:57
Edited by Ghost User
-
I found the probably most relevant upstream issue: https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10722 It seems that this might actually be worked on, and I misremembered that there was some contention whether to add it at all. That's pretty cool.
By Ellie on 2024-07-14T08:39:14
added status::reported label
added type::feature label
-
Just a note. I am planning to add firewall rules for KDE Connect, which could be one of your concerns.
By Raymond Hackley on 2024-08-03T02:13:56
Edited by Administrator -
Yes, definitely. I don't think it's a bad idea to pull that in by default as a "recommended" package, but there should be an easy way for the user to opt out. I usually check what dependencies get pulled in, and on openSUSE I regularly opt out of recommended default dependencies, and I'm sure some other expert users do as well.
But I understand this is currently blocked on apk, and there isn't much you can do about it until apk addresses it. So I suggest you go ahead with it anyway.
By Ellie on 2024-08-03T02:08:00