Security for unverified flatpak applications

Phil995511 · May 2, 2024, 11:54am

Good morning,

With all the ill-intentioned people, pirates and others who exist in the world and who are rampant on the internet, I do not understand that you put online unverified Flatpak packages that any dishonest person could put online on your servers.

Do you want, because of your behavior, to be at the center of an upcoming Linux scandal ?!? Because by doing so, it is certain that it will eventually happen ;-(

+/- 20 years ago Linux Mint was hacked and fake images were linked on their website, more recently there was the .XZ scandal and between these two events there must be many more. others…

You should urgently review your security policy because as it stands, unverified applications are a major risk for the entire community of Linux users as well as for the reputation of this OS…

Greetings.

graham · May 2, 2024, 12:45pm

It’s clearly an issue but in the defence of Flathub and Flatpaks in general, they have taken action by indicating which packages are verified (more so than in some package managers one could mention) so what is not to like?
The whole point of FOSS is it’s “openness” and if people choose to use something which might present a risk to mission critical systems, then as adults, that is clearly their choice but a verification process such as Flathub possesses minimises that risk, no?

Phil995511 · May 2, 2024, 2:03pm

As things currently stand, Flathub does not sufficiently secure the flatpak packages made available.

To have security that meets user needs, only verified developers and software should be available.

graham · May 2, 2024, 3:08pm

Which is why I wrote:

Those that are include a small alongside them such as you see here

Erick555 · May 2, 2024, 6:46pm

Verified badge only means the package is maintained or acked by upstream developers(s). It doesn’t mean those apps are more secure or non-malicious. XZ was backdoored by one of core developers so it was 100% verified.

Users may not install unverified apps it they don’t trust them but I think they may not need someone telling them what they should or shouldn’t do.

razzeee · May 5, 2024, 2:15pm

Please read Verified apps | Flathub Documentation and consider locking down your apps to verified only then.

I get the feeling, you’re not understanding this (yet) and you’re also not bringing forth anything technical, just a general feeling of unease.

andrew_j · May 10, 2024, 2:58am

If you look at the manifest file in the link at the bottom of the page you can see the source and binary files used to create the unverified applications. This is very reassuring (I haven’t seen anything suspicious, dependencies are from the official domains you expect and the program themselves are from the official github or official domain) but it is time consuming.

What do you think of my idea?

Edit: Showing a list of source and binary files (the URLs) on the Flathub page. And verifying/being clear if there from binaries or source.