Should I trust Flathub with important applications?

There are multiple applications that I’d like to use on Fedora, but some of the most important applications (such as Bitwarden and Standard Notes) I want to use are not officially available as Flatpaks or RPMs. However, they are still on Flathub, presumably built by Flathub developers or maybe random people in the community. So I’m left wondering if/what measures Flathub takes to ensure the validity and security of unofficially built packages like Bitwarden and Standard Notes so I can better determine whether or not I could use them safely as Flatpaks.

(That being said, there are still some important applications which I might not be able to reasonably avoid on Flathub, such as Signal. Unfortunately, they only officially support Debian-based distributions, so it seems like I have no other choice but to use unofficial builds of Signal.)

2 Likes

You can verify the safety by looking at the build logs under https://buildbot.flathub.org/ and the manifests in the respective app repos (there is a manifest link on each Flathub page you linked).

With that you can also build your Flathub apps locally if you don't trust the server, which builds in an offline environment.

I’m not quite sure what I’m specifically meant to be looking for to verify the safety of an application. Would you be able to elaborate? Apologies in advance, I’m very much a noob when it comes to the Linux ecosystem. :sweat_smile:

In case verifying applications that way is just beyond my ability, I’d still be interested in knowing if there are any specific measures the Flathub team takes to ensure the security and legitimacy of their apps. For example, is there any vetting of contributors or the applications they build? Are there any automated checks which verify the legitimacy of an application? Etc. My thinking is that I’m already trusting Flathub to some degree, so if they take sufficient precautions to protect their users from potentially modified unofficial builds, I’d feel a lot better with trusting Flathub with important applications like Bitwarden and Standard Notes.

2 Likes

UPDATE

Some discussion is taking place over on Privacy Guides Discussions. Some people are suggesting that others avoid unofficial Flatpaks entirely, but I'm still hoping someone from Flathub will explain how they verify the integrity and safety of unofficial builds… Or at least maybe a plan to do so in the future.

Generally speaking, each app gets its build code and Flatpak settings (what it can access) vetted when it is first included in the repository.

After that it's up to the developer to keep it tight, with oversight from the community. For example, you can check GitHub - flathub/org.signal.Signal to read the configuration for Signal. That's on top of the code that the Signal app itself uses. Ideally, those sources would live with the original app at some point in the future.

https://github.com/flathub/org.signal.Signal/blob/master/flathub.json is configuration to only build the app for x64 CPUs and to automatically merge security fixes from dependencies.

https://github.com/flathub/org.signal.Signal/blob/master/org.signal.Signal.metainfo.xml is just data for showing the app in the software centers; nothing that's relevant for privacy.

https://github.com/flathub/org.signal.Signal/blob/master/signal-desktop.sh is a file that gets called when you start the app; it figures out some options and uses a tool that allows running Chromium apps in a Flatpak sandbox.

https://github.com/flathub/org.signal.Signal/blob/master/org.signal.Signal.yaml is the most interesting, as it's the build instructions.
https://github.com/flathub/org.signal.Signal/blob/69b54db509fc91c57104160e9f291c805f89c759/org.signal.Signal.yaml#L11-L44 are probably the most interesting lines, as they configure the sandboxing (which you won't have with most non-Flatpak apps).

https://github.com/flathub/org.signal.Signal/blob/master/org.signal.Signal.yaml shows that it just downloads the sources from the original website and even checks the SHA. It's built from the .deb, which is also the reason why there is only an x64 build.

https://github.com/flathub/org.signal.Signal/blob/69b54db509fc91c57104160e9f291c805f89c759/org.signal.Signal.yaml#L50-L63 basically takes that file, unzips it, moves it, sets some file permissions and changes the .desktop file to point to the Flatpak.

For more on verified apps, you might also want to read Verified apps | Flathub Documentation.

So yeah, verified apps are cool, but that does not mean that non-verified apps are bad per se. Especially high-profile apps like Signal (which are also used within the Flathub team) should be in a good state.

2 Likes
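Added example, not from the thread, from Flathub or from the Signal repo: the two replies above (look at the manifest and build logs; the sources section pins a SHA, the finish-args section configures the sandbox) can be turned into a small check you run over a manifest yourself. The manifest below is a constructed Python dict in the same shape as the org.signal.Signal YAML (hypothetical app id, URL and .deb bytes; stdlib only, so no YAML dependency), and the list of "broad" permissions is an editorial starting point, not Flathub's review policy.

```python
"""Read a Flatpak manifest the way the replies above describe: check that every
remote source is fetched over https and pinned by a hash, and flag finish-args
that hand the host to the app."""
import hashlib
from urllib.parse import urlparse

# Constructed bytes standing in for the upstream .deb the manifest downloads.
FAKE_DEB = b"!<arch>\ndebian-binary   constructed-sample-not-a-real-package\n"

# Constructed manifest (hypothetical app id and URL) in the shape of the
# org.signal.Signal manifest discussed above.
SAMPLE_MANIFEST = {
    "app-id": "org.example.App",
    "runtime": "org.freedesktop.Platform",
    "runtime-version": "23.08",
    "sdk": "org.freedesktop.Sdk",
    "command": "app.sh",
    "finish-args": [
        "--share=ipc", "--share=network", "--socket=wayland",
        "--socket=fallback-x11", "--socket=pulseaudio", "--device=dri",
        "--filesystem=xdg-download", "--talk-name=org.freedesktop.Notifications",
    ],
    "modules": [{
        "name": "app",
        "buildsystem": "simple",
        "build-commands": ["install -Dm755 app.sh /app/bin/app.sh"],
        "sources": [
            {   # remote download: must be https and pinned by a hash
                "type": "file",
                "url": "https://example.org/app_1.0_amd64.deb",
                "sha256": hashlib.sha256(FAKE_DEB).hexdigest(),
            },
            {"type": "file", "path": "app.sh"},  # lives in the flathub repo itself
        ],
    }],
}

# Permissions that effectively remove the sandbox. Not a complete list; these
# are the finish-args lines to read most carefully (assumed editorial list).
BROAD_ARGS = {
    "--device=all": "access to every device node",
    "--socket=session-bus": "unfiltered session D-Bus, can talk to every service",
    "--socket=system-bus": "unfiltered system D-Bus",
    "--socket=x11": "X11 has no isolation between clients",
    "--talk-name=org.freedesktop.Flatpak": "may run commands on the host (escape by design)",
}
BROAD_FS = {"host", "host-os", "host-etc", "home"}


def review_finish_args(finish_args):
    """Return (arg, reason) pairs for every permission worth questioning."""
    findings = []
    for arg in finish_args:
        if arg.startswith("--filesystem="):
            # "--filesystem=host:ro" -> "host"; :ro/:rw/:create is only the mode
            target = arg.split("=", 1)[1].split(":", 1)[0]
            if target in BROAD_FS:
                findings.append((arg, f"broad filesystem access: {target}"))
        elif arg in BROAD_ARGS:
            findings.append((arg, BROAD_ARGS[arg]))
    return findings


def iter_modules(manifest):
    """Walk modules recursively; string entries point at other manifest files."""
    for module in manifest.get("modules", []):
        if isinstance(module, str):
            continue
        yield module
        yield from iter_modules(module)


def review_sources(manifest):
    """Every remote source must come over https and be pinned to a hash or commit."""
    findings = []
    for module in iter_modules(manifest):
        for src in module.get("sources", []):
            url = src.get("url")
            if url is None:
                continue  # path/dir/patch sources ship with the flathub repo
            if urlparse(url).scheme != "https":
                findings.append((url, "not fetched over https"))
            if src.get("type") == "git":
                if not src.get("commit"):
                    findings.append((url, "git source not pinned to a commit"))
            elif not ("sha256" in src or "sha512" in src):
                findings.append((url, "download not pinned by sha256/sha512"))
    return findings


def verify_download(data, source):
    """Recompute the digest that flatpak-builder compares before unpacking a source."""
    if "sha512" in source:
        return hashlib.sha512(data).hexdigest() == source["sha512"]
    return hashlib.sha256(data).hexdigest() == source.get("sha256")


def audit(manifest):
    return {"finish-args": review_finish_args(manifest.get("finish-args", [])),
            "sources": review_sources(manifest)}


if __name__ == "__main__":
    import copy
    print("tight manifest:", audit(SAMPLE_MANIFEST))
    loose = copy.deepcopy(SAMPLE_MANIFEST)
    loose["finish-args"] += ["--filesystem=host:ro", "--talk-name=org.freedesktop.Flatpak"]
    del loose["modules"][0]["sources"][0]["sha256"]
    print("loose manifest:", audit(loose))
    print("download matches pin:",
          verify_download(FAKE_DEB, SAMPLE_MANIFEST["modules"][0]["sources"][0]))
```

To use it on a real Flathub repo, load the app's `.yaml` or `.json` manifest into a dict (PyYAML for the YAML form) and pass it to `audit`; an empty result only means the download is pinned and the sandbox is not wide open, it says nothing about what the pinned upstream binary itself does.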

So if I understand correctly, you’re essentially pointing out that everything is very transparent and anyone in the community could easily spot malicious modifications?

I appreciate the detailed reply, thanks for taking the time. :smile:

Yes, that’s the gist of it.

And in general, the sandbox will help if you're worried about trust. Every normal app on Windows/Linux that's not sandboxed has access to more or less the whole system.

1 Like