Provide security support to SDKs
Our runtimes currently receive no security support. This is not good. Especially the stable runtimes are in bad shape, since they do not generally receive even point-release updates from GNOME, let alone freedesktop SDK.
This is a complex issue as it requires paid staff and is therefore not easy to do in the context of a volunteer project like GNOME, and yet we really need to.
E.g. recently a bug in one of the components of our runtime was discovered which could allow a remote attacker to read the cookies of other websites. E.g. it could be used to steal session cookies from other websites and thereby take control of the user's accounts on other websites. The version of Epiphany in Flathub is vulnerable to this issue as it uses the GNOME 3.28 stable runtime, which is not actively maintained. I could fix this particular issue by applying a patch to the runtime, but that won't solve the underlying problem, which is that nobody is responsible for tracking and managing this currently. (Anyway, I would sooner pull Epiphany from Flathub than volunteer to maintain the stable runtimes.) The GNOME nightly runtime is not vulnerable to this particular issue, but it is probably vulnerable to other issues, because the freedesktop SDK does not to my knowledge receive active security support either. (E.g. I recently noticed it shipped an old unstable development version of GnuTLS, which is not encouraging on many levels for such a security-sensitive component.)
The above cookie-stealing example is designed to motivate this issue, and avoid any proposals that perhaps the Flatpak sandbox is sufficient security (certainly not).