new container escape vulnerability just dropped (specific to flatpak): https://www.openwall.com/lists/oss-security/2024/04/18/5
it’s because flatpak is a shim on top of bwrap, and they forgot to use a — to stop getopt processing.
guess which other container ecosystem is a pile of shims on shims? 🙃