"Community built" definition

If a Flathub application has “Community built” at the bottom does that mean the Flathub application is built completely from source files including the dependencies?

Like in every case, if I look at the manifest file on https://github.com/flathub/example-application/manifest.file will it only link to source files (not binaries)?

Thanks for your time, I’m a big fan of Flatpak and Flathub!


No, community build is only referring to it having an open license and us having a link to the place where development happens.

Thanks for the reply. It would be great if there was a fast way to know that. It does seem to be the case in most “community built” software, even unverified ones.

It’s more important for the unverified ones really.

Ideally it would be great if you could quickly see if it was built from source and the domains the source files are hosted on. It’s very reassuring to go into the ExampleApp manifest and, even if it’s unverified, see the source files are hosted on gnu.org, opendesktop.org and exampleapp.com. Even if it’s unverified it’s almost certainly safe, at least as safe as a binary directly from exampleapp.com.

It may sound excessive but it could just be a neat little box, the same size as the community made box, and generated automatically. It would make things very transparent.

Would work for some apps, but on others it would kinda explode. Especially with Python, Node or Rust apps, as they tend to have hundreds of dependencies and thus hundreds of downloads.

Perhaps if it could just confirm it’s made completely from source and the domain of the main application. Right now it’s just taking their word for things; if it was malicious or modified you wouldn’t know. It’s just a pain to look through the manifest file every time. This would negate the perceived gamble of using unverified applications. It would be a big point of difference to Snap applications.
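One way to do the manifest check discussed above yourself, as an added example that is not part of this thread and not Flathub’s own tooling: it walks a flatpak-builder manifest (JSON form), lists the hosts every source is fetched from, and flags anything that is not compiled from source. The manifest, app id, hosts and hashes below are constructed placeholders, and the binary-extension list is a heuristic, not a flatpak-builder rule.

```python
import json
from urllib.parse import urlparse

# Constructed sample manifest in flatpak-builder's JSON form; not a real Flathub manifest.
SAMPLE_MANIFEST = """{
  "app-id": "com.example.ExampleApp",
  "modules": [
    {"name": "libfoo", "sources": [
      {"type": "archive", "url": "https://ftp.gnu.org/gnu/libfoo/libfoo-1.2.tar.xz", "sha256": "<placeholder>"},
      {"type": "patch", "path": "libfoo-fix.patch"}]},
    {"name": "exampleapp", "sources": [
      {"type": "git", "url": "https://github.com/exampleapp/exampleapp.git", "tag": "v2.0"}]},
    {"name": "vendor-blob", "sources": [
      {"type": "extra-data", "url": "https://downloads.example.com/exampleapp.deb", "sha256": "<placeholder>"}]}
  ]
}"""

# Source types flatpak-builder fetches for compilation. extra-data is fetched at install
# time onto the user's machine and never rebuilt on Flathub, so it is treated as a binary.
SOURCE_TYPES = {"archive", "git", "bzr", "svn", "dir", "file", "patch", "inline", "script", "shell"}
# Heuristic only: an archive/file source pointing at one of these is almost certainly prebuilt.
BINARY_EXTS = (".deb", ".rpm", ".appimage", ".exe", ".msi", ".jar", ".bin")

def iter_sources(modules):
    """Yield (module name, source dict) pairs, descending into nested modules."""
    for mod in modules:
        if isinstance(mod, str):  # reference to a separate module file; contents not inspected here
            yield mod, {"type": "external-module-file", "path": mod}
            continue
        for src in mod.get("sources", []):
            yield mod["name"], src
        yield from iter_sources(mod.get("modules", []))

def summarize(manifest_text):
    """Report the hosts every source is fetched from and any source that is not built from source."""
    manifest = json.loads(manifest_text)
    hosts, flagged = set(), []
    for name, src in iter_sources(manifest.get("modules", [])):
        url = src.get("url", "")
        if url:
            hosts.add(urlparse(url).hostname)
        if src["type"] not in SOURCE_TYPES or url.lower().endswith(BINARY_EXTS):
            flagged.append((name, src["type"], url))
    return {"app_id": manifest["app-id"], "hosts": sorted(hosts),
            "fully_from_source": not flagged, "flagged": flagged}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A module given as a bare filename (a shared-modules reference) is flagged too, because its sources live in another file this script does not open.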

That wouldn’t change much, if anyone wants to do bad things, they can just as easy download stuff while running the app, as long as it has network access.

Only if it also did when it was built from source from the official github or domain right?

It would be a significant step forward.

It’s just “trust me, an open source project exists with this name, this is it” at the moment. At least for unverified applications.

Yeah, still, whatever gets downloaded can change and that means you can do stuff.

It’s more a CTA and wants you to check the license and potentially get involved, if you can.

Flathub could update the URLs as the application updates, it’s grabbing them from the manifest file.

All of this is just making the manifest file more accessible; it’s linked on every application web page.

Saying “This application is built in the open by a community of volunteers” with zero checks is misleading.

Can you pass this idea along to the developers?

Thanks for your time replying.

I also think this is misleading. Just because an application has a free open source license does not mean it’s being developed by a “community of volunteers”.

It seems like it’s currently enough for a project to have a <url type="homepage"> tag for this message (and the “Get involved” link) to appear. Wouldn’t it make more sense if it only showed if there was a <url type="contribute"> tag? This url type is not mentioned in the Flathub metaInfo guidelines but it’s in the official AppStream docs.

That’s definitely not the case. We’re checking the license, not the url type homepage.

If the license is a FLOSS license, it will show the green icons etc. and the get involved call to action, linking to the homepage, if we have that.

That’s because contribute (and vcs-browser) is new in AppStream terms; they have only been around for two years.

For perspective, Flathub has 4597 apps/runtimes/addons etc.

Out of those, 155 have a contribute tag.

Forgive me. Earlier you wrote

community build is only referring to it having an open license and us having a link to the place where development happens

and I saw some “community built” applications (with a FOSS license) that only had url type homepage, so I assumed that was the link that was required, but maybe you were referring to some other link.

I had to dig up this old thread but this naming scheme here is extremely confusing.

When you, for example, open Firefox’s page on top you see that it was “verified” to be released by Mozilla but at the bottom right corner you see “Built by community”. If I tell someone my house was built by the community, they automatically expect that a bunch of random people built my house.

It should just be called “License” and not have anything that would accidentally give the impression that the Flatpak was not built BY the developer.

You need to distinguish the source code from the shipping party.

Everybody can send patches to Mozilla, but they decide if those patches get merged and thus shipped. You are trusting them to check those patches correctly. Every random person can send patches.