I want to add a small bit of info that might be useful in the future.
Your script doesn't need really to be run with root privileges. Your backup script likely needs access to parts of the filesystem which are only readable from root but that's all it needs.
The root privileges are essentially a combination of capabilities (see man capabilities) attached to processes. In your case, what you want is the CAP_DAC_READ_SEARCH, which allows read access to every file.
You can for example add this capability to rsync (or more likely, to Borg,restic or rustic - which are backup tools I recommend you look at! They do encryption, deduplication etc.) and then you can use that binary as a low-privileged user, but having that slice of root privileges. Obviously, there is a risk in this too, but can be compensated in other ways as well (for example running the backup job in a sandbox etc. - probably out of scope for now).
While in this particular case it might not be super relevant (backups are executed often as root or as a backup user which has read access), it might be useful in the future to know that very rarely full root privileges are needed, and you can run tools only with the specific capability needed to perform that privileged action. You can check setcap and getcap commands.
It's also not too hard to cook a Dockerfile for it, or even write a systemd wrapper with security settings. However, with flatpak you get this out of the box and mostly in a transparent way, plus you get all the usually annoying aspects (like having GUI applications work in containers) taken care of.
And that's fair enough. However, putting a bounty on the feature is definitely a big incentive that might have caused those features to be implemented by someone else and/or prioritized.
I stopped hearing discussions about it long ago. I suppose the thing died down.
One thing I will never understand is their endless complaint about moderation tools.
They had/have a decent amount of donation, why they didn't just put a bounty on the features they needed in github and encourage contributions in that space (if not contributing directly)? It feels like it was sterile criticism when they had/have the means to actually work on the solution.
EDIT:
Adding to the above. From their opencollective page, they are in +6k$. Even 1000$ on a feature and I think plenty of people will want to contribute. Considering that they were complaining about a handful of features, I don't see how it was not feasible. That will both give back to the developers and get them where they are. Win-win...?
That is one security aspect only, and signature checking is done by OStree, but the only key used is the one from flathub, from what I understand. So you don't verify the key of the application author, but solely the one from flathub, which means if the flathub distribution pipeline is compromised, you will not notice it and install a malicious package.
That said, the isolation that provides is great, and things should be evaluated in context. I will consider much much more likely that a package I install has bugs/cves/is outright malicious, compared to the risk that the publisher pipeline gets compromised (this is essentially what the signature verification would protect from). This means that it is a huge net gain in terms of security, from my PoV, to have an "unverified" package running in flatpak, under the isolation that it provides, if we compare it to having it running in the native system, but verified.
In other words, there is not a specific scale that if you "don't even do..", then it means you are not secure at all.
Tbh, for me the value of flatpak is in the isolation (great for how easy it is to achieve), rather than the compatibility.
For example, I run obsidian with no network access and fs access to just the path where my notes are stored. This is really reassuring considering I am not really sure what all the plugins might do. While it is not perfect, it's much better than having it running natively in my box (I.e. root namespaces).
Really? I switched everything for almost 3 years now, and to be honest for me was a "fire and forget" situation. I run /e/OS on my phone and I had basically no issues ever. I moved to Proton mail with a few clicks and their migration tool, I always used firefox, and then I switched to kagi.com as a search engine approx. 1 year ago. That's pretty much it, but I have to say, I was not a very heavy user of all the bells and whistles Google makes.
Zelensky's campaign was supported by a Ukrainian oligarch. Not exactly an "absolute outsider". In fact, during the campaign the supporters of Poroshenko (who tend to be more nationalists) used this as ground to accuse him of being associated with Russia (among other things).
Each container, by default, runs in a separate network namespace. You can use docker CLI to create specific networks that can be shared with other containers, or use docker-compose for it. Technically, for processes outside containers you can still use the same network of that container by running the inside the network namespace of the 'VPN' container (for example running them with unshare). However, I wouldn't recommend this, as containers are supposed to run mostly isolated workload and not for this kind of use-case. But yeah, technically it's feasible.
Of course, but I assume elderly people getting familiar with a completely new technology need anyway some kind of personal support and introduction from someone close.
I don't think anybody would plan to throw a Mac at some elderly person and say "if any issue call Apple support", right?
I get your point though, and I am just saying that there are situations where Linux might work totally fine.
Also, the used market for apple product is not that big where I lived. Nobody in the family had a Mac also, which means she wouldn't have had anybody to ask for support at all. It's a specific situation, but my point is that having an official support is not going to help that much in some cases.
I find Mac to be extremely unintuitive in how things are organized tbh, but that's just me.
Anyway, you are right, but she wanted to spend just 3-400 euros for a laptop, which is incompatible with Apple prices.
Obviously this means being there to support if something goes wrong, but with a minimal install and Linux being stable, it doesn't happen often (I also have my mom's laptop running mint). I do have a reverse tunnel script configured that allows me to SSH in their machines using a "panic" icon on their desktop.
My great-aunt asked for a PC when she was 85 and her grandchild moved abroad. I installed Linux mint with a few scripts and shortcuts to ease her life, and she picked that up (check email, Skype, nothing super sophisticated ofc). I guess if it's a new thing, windows does not the advantage of being already familiar, and Linux is more stable in my experience, which leads to less random errors.
It's the de-facto standard for runtime container security (sysdig is based on it). The only competitor afaik is aqua security's tracee, which is way less mature.
It is very well supporter, there are tons of rules maintained by the community and it is a CNCF project used by enterprise solutions (I.e., shouldn't disappear overnight).
I want to add a small bit of info that might be useful in the future. Your script doesn't need really to be run with root privileges. Your backup script likely needs access to parts of the filesystem which are only readable from root but that's all it needs. The root privileges are essentially a combination of capabilities (see man capabilities) attached to processes. In your case, what you want is the CAP_DAC_READ_SEARCH, which allows read access to every file. You can for example add this capability to rsync (or more likely, to Borg,restic or rustic - which are backup tools I recommend you look at! They do encryption, deduplication etc.) and then you can use that binary as a low-privileged user, but having that slice of root privileges. Obviously, there is a risk in this too, but can be compensated in other ways as well (for example running the backup job in a sandbox etc. - probably out of scope for now).
While in this particular case it might not be super relevant (backups are executed often as root or as a backup user which has read access), it might be useful in the future to know that very rarely full root privileges are needed, and you can run tools only with the specific capability needed to perform that privileged action. You can check setcap and getcap commands.