I am an advanced Linux user, but brand new to Flathub. A user requested that the cryptocurrency application PIVX be set up on Flathub.
Since the PIVX wallet holds currency, we want to make sure there are steps and procedures in place to prevent a scammer from integrating a version of the wallet with malware that steals their funds and adding it to Flathub.
Can someone please describe how Flathub prevents this from happening?
I think twice now there has been a fake GitHub repository created for PIVX by changing the name slightly. (For example, PIVX-project instead of just PIVX, etc.) Each time, there were many people who were fooled, and they lost funds.
We would like users to go to our official GitHub, where they can also obtain the signatures, but the truth is, most everyone skips checking signatures.
I would hate for thousands of people to update PIVX via Flathub, only to find that they got scammed because someone exploited a vulnerability and put a version of PIVX on Flathub with malware inside.
I appreciate any advice on how this is prevented.
As for the submission itself, we expect the person submitting the manifest to contact the upstream developers about adding their application to Flathub. We also check that the source code/binary being used comes from the project website and not from some kind of personal fork, unless there is a very, very good reason for it – but that has never happened with “wallet” applications.
At the infrastructure level, all builds go through our infrastructure and are signed by our GPG smartcard, so Flatpak would report an invalid signature for the summary file if anyone managed to fiddle with it.
Let me know if anything is unclear!
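A reviewer-side check of the kind the submission policy above describes (every remote source must come from the project's confirmed upstream location and be pinned to immutable content), written as an added Python example; it is not Flathub's own tooling, and the manifest, organization names, URLs and hashes are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample manifest for illustration only; the org names and
# hashes are placeholders, not PIVX's real repository or release values.
SAMPLE_MANIFEST = json.loads("""{
  "app-id": "org.example.Wallet",
  "modules": [{"name": "wallet", "sources": [
    {"type": "git", "url": "https://github.com/EXAMPLE-ORG/wallet.git",
     "tag": "v1.0", "commit": "0123456789abcdef0123456789abcdef01234567"},
    {"type": "git", "url": "https://github.com/EXAMPLE-ORG-project/wallet.git",
     "tag": "v1.0"},
    {"type": "archive", "url": "https://github.com/EXAMPLE-ORG/wallet/v1.0.tar.gz",
     "sha256": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"}
  ]}]
}""")

# Upstream locations the reviewer has confirmed with the project; the trailing
# slash keeps look-alike orgs such as EXAMPLE-ORG-project from matching.
UPSTREAM_ALLOWLIST = ("github.com/EXAMPLE-ORG/",)
STRONG_HASHES = ("sha256", "sha512")


def audit_sources(manifest, allowlist=UPSTREAM_ALLOWLIST):
    """Return (module, url, problem) for every remote source that is not
    pinned to immutable content or does not come from an allowed upstream."""
    findings = []
    for module in manifest.get("modules", []):
        if isinstance(module, str):  # reference to a separate module file
            findings.append((module, None, "external module file not inspected"))
            continue
        for src in module.get("sources", []):
            url = src.get("url")
            if not url:
                continue  # patch/shell/inline sources carry no remote download
            u = urlparse(url)
            location = u.netloc + u.path
            if u.scheme != "https" or not location.startswith(allowlist):
                findings.append((module["name"], url, "not an approved upstream location"))
            # A tag or branch can be moved after review; only a commit hash is immutable.
            if src.get("type") == "git" and not src.get("commit"):
                findings.append((module["name"], url, "git source lacks a commit pin"))
            elif src.get("type") in ("archive", "file") and not any(k in src for k in STRONG_HASHES):
                findings.append((module["name"], url, "download lacks a strong checksum"))
    return findings


if __name__ == "__main__":
    for module, url, problem in audit_sources(SAMPLE_MANIFEST):
        print(f"{module}: {problem}: {url}")
```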
Thanks for this clarification.
So, to get it straight: Flatpaks from Flathub get their code from the developer's upstream source. How does it work with closed-source projects? I have never seen any information on whether they are packaged from source code or from provided binaries.
The biggest plus of using official distro repos is being very sure of getting software that does not contain malicious code.
I cannot imagine anyone would have the time to audit all the code, especially with all the updates, that is in the Flathub repos.
What can I as a user do to ensure a high level of security on my system?
AFAIK, if a new developer wants to distribute malware with a fake, just-made-up profile via Flathub, there is no way to avoid it. Please correct me if I am wrong here.