Flathub infrastructure security

Hi!

I’d like to use Flathub, since basically, there is no alternative. However, I am very worried about the security of the Flathub infrastructure, as despite searching for many hours, it seems entirely opaque. There’s nothing that lists the entities that I need to trust not to meddle with the binaries. I could find some old blog posts, which read as if Flatpaks are actually built on some sponsored VMs. Is this still the case? How are build boxes secured? Is there any way to reproduce the builds from the build boxes to make sure they are not compromised? Or is this really all “YOLO, just hope nothing happens! It’s Linux, so it has no viruses!!11”? I really hope it’s not, but given that I can find absolutely no documentation about any of this, not even which individuals are operating the Flathub build machines, I’m very concerned.

2 Likes