Security for cryptocurrency apps. (PIVX)

Hello,

I am an advanced Linux user, but brand new to Flathub. A user requested that the cryptocurrency application PIVX be set up on Flathub.

Since the PIVX wallet holds currency, we want to make sure there are steps and procedures in place to prevent a scammer from integrating a version of the wallet with malware that steals their funds and adding it to Flathub.

Can someone please describe how Flathub prevents this from happening?

I think twice now, there has been a fake GitHub repository created for PIVX by changing the name slightly. (Example: PIVX-project instead of just PIVX, etc.) Each time, there were many people who were fooled, and they lost funds.

We would like users to go to our official GitHub, where they can also obtain the signatures, but the truth is, most everyone skips checking signatures.

I would hate for 1,000s of people to update PIVX via Flathub, only to find that they got scammed because someone exploited a vulnerability and put a version of PIVX on Flathub with malware inside.

I appreciate any advice on how this is prevented.

Thanks!

Hi Eric,

As for the submission itself, we expect the person submitting the manifest to contact the upstream developers about adding their application to Flathub. We also check that the source code/binary being used comes from the project website and not from some kind of personal fork unless there’s a very, very good reason for it – but that has never happened with “wallet” applications.

At the infrastructure level, all builds go through our infrastructure and are signed by our GPG smartcard, so Flatpak would report an invalid signature for the summary file if anyone managed to fiddle with it.

Let me know if anything is unclear!
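The summary-file signing described in the reply above, as an added example that is not part of this thread and not Flathub's own tooling: a small POSIX shell script that audits an OSTree/Flatpak repository config and reports any remote whose `gpg-verify` or `gpg-verify-summary` setting is not `true`, which is the client-side switch that makes the tampered-summary check work at all. Assumptions: OSTree's config format, the usual system repo path `/var/lib/flatpak/repo/config`, and a constructed sample config so the script runs offline.

```shell
# Added example (not from the thread): audit an OSTree/Flatpak repo config for
# remotes that do not enforce GPG verification of the repository summary.
# Assumptions: OSTree config format, i.e. [remote "name"] sections with
# gpg-verify= and gpg-verify-summary= keys (system repo is normally
# /var/lib/flatpak/repo/config); an absent key counts as "true" (OSTree's
# default), so only an explicit override is flagged.

# Print "<remote> ok" or "<remote> UNVERIFIED" for each remote in the config.
audit_remotes() {
    awk '
        function flush() {
            if (name == "") return
            st = (gv == "true" && gvs == "true") ? "ok" : "UNVERIFIED"
            print name, st
        }
        /^\[remote "/ {
            flush()
            name = $0; sub(/^\[remote "/, "", name); sub(/"\]$/, "", name)
            gv = "true"; gvs = "true"; next
        }
        /^\[/ { flush(); name = ""; next }
        /^gpg-verify=/ { gv = substr($0, 12) }
        /^gpg-verify-summary=/ { gvs = substr($0, 20) }
        END { flush() }
    ' "$1"
}

# Constructed sample config (not a real system file) so the script runs offline.
write_sample_config() {
    cat > "$1" <<'EOF'
[core]
repo_version=1

[remote "flathub"]
url=https://dl.flathub.org/repo/
gpg-verify=true
gpg-verify-summary=true

[remote "sideloaded-mirror"]
url=https://example.invalid/repo/
gpg-verify=false
gpg-verify-summary=false
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
audit_remotes "$cfg"   # prints: flathub ok / sideloaded-mirror UNVERIFIED
rm -f "$cfg"
```

Run it against the real `/var/lib/flatpak/repo/config` (or `~/.local/share/flatpak/repo/config` for user installs) to confirm that every remote users pull PIVX from still has signature verification switched on.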