
> I don't see how these two things are at all related. There's no fundamental reason I can't have distro-independent software that is also able to run with root privileges if the user desires it.

Nope, you're absolutely right; there is no fundamental reason this couldn't work. It's just not the focus of attention and so there's no work being done in that regard. Flatpak's primary goal is to distribute user software, so most/all of the work is done to deliver that use-case.

> So it seems to me that Flatpak has baked-in this limitation (along with a bunch of others, but I digress).

It's not a limitation of Flatpak - at least not a conceptual limitation. It's possible, it just has to be done by someone.

> It would seem to me that not sandboxing something would actually be much easier than sandboxing it, but perhaps I'm unaware of a fundamental implementation detail of Flatpak.

If the aim is to make sandboxing as easy as possible, that doesn't mean it will be easy to _not_ sandbox.

> That specific flatpak, not flatpak in general.

I'm not sure if I catch your drift.



> Flatpak's primary goal is to distribute user software, so most/all of the work is done to deliver that use-case.

Sometimes user software needs higher level privileges. I don't see why that should exclude it from consideration.

> It's not a limitation of Flatpak - at least not a conceptual limitation. It's possible, it just has to be done by someone.

Flatpak has been around for 5 years, and apparently there are still so many unfinished high-priority things with it that I can expect to wait at least 5 more to see this simple use case addressed?

> If the aim is to make sandboxing as easy as possible, that doesn't mean it will be easy to _not_ sandbox.

I don't follow the logic here. The default state of applications on Linux is that they are not sandboxed. If flatpak did nothing but download and run binaries with appropriate library mappings it would not be sandboxed at all. The sandboxing is something that has to be added on top. When looking for information on how flatpak actually works I find only very obtuse documentation, but nearest I can figure it uses Linux's various namespaces, which shouldn't prevent CAP_NET_RAW from being used as far as I'm aware.

> I'm not sure if I catch your drift.

I was saying the Wireshark flatpak was nigh-useless. Not flatpak in general.



