I’ve been trying to find an answer to this for a while now - the Chromium Flatpak on Flathub is marked as “Unverified” because it isn’t directly maintained by the Chromium Project. OK, cool. But who is it maintained by? The links all either go back to the Chromium Project anyway, or to the Flathub Github repo for it, but as far as I can tell every single Flathub package has a Github repo associated with it and it isn’t entirely clear what the relationship is between those repos and the package you receive when downloading it (I get that they’re involved in the build architecture but they also pull from upstream sources, right?). There’s a random blog post from years ago about Chromium being patched by a developer involved in the Flatpak project but nothing more recent, nor how much of the final packaging is done by them.
In my mind this is a serious issue with Flathub - one of the most widely used applications, as packaged on Flathub, is being provided without any clear indication of who actually packages it.
The repository for an app you find in the Flathub GitHub organization is where you will find the Flatpak manifest for the app. From this manifest the application will be built by Flathub’s build infrastructure and published to Flathub.
It only contains files needed for Flatpak packaging, the application is sourced from upstream.
In this repository, you can find most answers you’re looking for:
You can check the manifest on what was built with what sources.
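As an added illustration (not code from this thread or from Flathub), here is a small audit of what such a manifest actually pins: it walks a constructed JSON manifest with a hypothetical app id, URLs and module names, and reports remote sources that lack a checksum or commit, packager-authored patches and shell steps, and modules that are defined in other files. Real Flathub manifests may also be YAML, which would need a YAML loader in place of json.

```python
import json

# Constructed sample manifest: hypothetical app id, URLs and module names, not the real Chromium one.
SAMPLE_MANIFEST = json.dumps({
    "app-id": "org.example.Browser",
    "modules": [
        {"name": "browser",
         "sources": [
             {"type": "archive", "url": "https://example.invalid/browser-1.0.tar.xz",
              "sha256": "a" * 64},
             {"type": "patch", "path": "fix-build.patch"},
             {"type": "shell", "commands": ["sed -i s/foo/bar/ config.h"]}],
         "modules": [
             {"name": "helper",
              "sources": [{"type": "git", "url": "https://example.invalid/helper.git",
                           "branch": "main"}]}]},
        "shared-modules/libfoo/libfoo.json",
    ],
})

# Remote source types and the keys that pin them to immutable content; a branch or tag alone is mutable.
PIN_KEYS = {"archive": ("sha256", "sha512"), "file": ("sha256", "sha512"), "git": ("commit",)}
# Source types whose content is written by the packager and lives in the Flathub repo, not upstream.
LOCAL_TYPES = {"patch", "shell", "script", "inline"}

def walk_modules(modules, parent=""):
    """Yield (qualified name, module dict or None) depth-first; a string entry references another file."""
    for mod in modules:
        if isinstance(mod, str):
            yield parent + mod, None
            continue
        name = parent + mod.get("name", "?")
        yield name, mod
        yield from walk_modules(mod.get("modules", []), name + "/")

def audit_manifest(text):
    """Return sorted (module, finding, detail) tuples showing where each built input comes from."""
    findings = []
    for name, mod in walk_modules(json.loads(text).get("modules", [])):
        if mod is None:
            findings.append((name, "external-module", "defined in another file; audit separately"))
            continue
        for src in mod.get("sources", []):
            kind = src.get("type")
            if kind in PIN_KEYS and "url" in src:  # fetched from upstream
                if not any(k in src for k in PIN_KEYS[kind]):
                    findings.append((name, "unpinned", f"{kind} {src['url']} lacks {'/'.join(PIN_KEYS[kind])}"))
            elif kind in LOCAL_TYPES or kind == "file":  # content contributed by the packager
                findings.append((name, "packager-change", src.get("path") or "; ".join(src.get("commands", []))))
    return sorted(findings)
```

Running `audit_manifest(SAMPLE_MANIFEST)` on the sample yields two packager changes, one unpinned git source and one external module file, while the checksummed archive produces no finding.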
Thanks. For the future reference of others, looking through there it looks like the main person maintaining the packages is still Ryan Gonzalez who was mentioned on that blog post (GNOME, not Flathub, sorry: Chromium on Flathub – Will Thompson)
Is there any interest from Flathub in having a less roundabout way to do this? Using only the resources linked from Flathub’s own sites Ryan is just some random guy, it takes a lot more legwork to figure out who he is and how trusted he is as a developer/package maintainer (or even his name for that matter). It seems weird that the only means Flathub has to vouch for a project is just to confirm if it was packaged from upstream directly, even though the upstream dev may be less equipped to provide a trusted package than a reputable third party using a much more robust upstream project…