I’d like to suggest a verification & validation (V&V) team. As Flathub grows, it’s harder to verify if an application is legit or not. When submitting an app, everything is verified and validated, but until then the same app isn’t monitored anymore, so we cannot tell if the maintainer(s) has/have done something malicious. As far as I know, only GNOME Software warns the user that the application requires more permissions when needed, but I still think that there should be a V&V team and a software to facilitate verifying and validating.
I wouldn’t mind volunteering if something like this gets implemented.
What do you think?
I think developers of apps should be encouraged to build their own Flatpak’s. They would obviously have to confirm that they are the developer of said app. Flatpak’s that do not need Internet connections can have network permissions disabled by default.
Not sure that Flatpak has enough success to motivate ransomware gangs yet. But, having some idea of what a “not too wild flathub” could be, yes. That would be useful. Security is hard to get right. Trust can be lost quickly, and is hard to rebuild.
Encouraging developers to think about security is needed, but not sufficient.
Agreed. I don’t think Flathub will be getting any ransomware anytime soon either, but looking through the submission guidelines:
However, permissions should still be limited as much as possible
Maintainers can always give more permissions to an application without the Flathub maintainers knowing.
For what I understand, there can be many FlatHubs, it is decentralized. We could imagine to have a sanitized Flathub, with more stringent condition for entry (for the packages). Like maintainers having 2FA, some peer review …
But usually it requires first that the project (Flatpak) be successful.