This is a great start, but tbh, I’m not fully sold on “verified” flathub apps. Verification requires a token to be placed into a source repo or a website, but there appears to be nothing on actually verifying that the source/site are the original creators. So, for example, if someone packaged a malicious version of librewolf and established it under io.github.librewolf-community instead of the canonical io.gitlab.librewolf-community, I’m concerned it’ll still show as verified (though quickly removed). The process can be read about here.
Is the token not keyed to a specific source? I would have expected it to operate similarly to an SSL cert, where part of the verification process is that the source is the correct origin that the token belongs to - so if someone just lifted a valid cert to put into a malicious one, it would catch anything from changing a single character in the project name to changing the repository host (i.e. GitHub to GitLab)
Afaik yes, the token is keyed to a specific source in the case of verifying through a website, but from what I can tell, that doesn’t stop someone else from creating a separate malicious website (or git repo) that looks similar but contains malware, and publishing that as a verified app with a similar name as the real app to flathub (so there would be multiple versions of an app, with only 1 being the “real” one on flathub).
I'm fine with this, particularly since you can just tick the box and still access them. Linux Mint is such a good gateway for new Linux users, it makes sense to hide unverified Flatpaks until they understand the risks. Plenty of people (perhaps myself included) won't ever need to worry about unverified Flatpaks if their needs are simple and they don't add much beyond the standard software.
They should have an option to show unverified Flatpaks
Edit: there is a toggle
I actually agree with Linux Mint's decision. You can not trust any random upload. Either it's an official/verified upload, or it shouldn't be there at all (or it should be a separate app for those who want it). That's why in my system, I only install from the official debian repos and not the community ones. I just don't trust random anonymous uploaders.
Unofficial Flatpaks are not random uploads
AUR users fuming at this comment
Yeah, the AUR seems pretty dodgy.
Why? they don't like using AUR or what?
Anyone can upload packages to the AUR, and people often use it without verifying the source, so yeah that can be dodgy
You use the AUR because you want more packages.
I use the AUR because I believe in humanity.
We are NOT the same.
Have a look at my flatpak repo list with instructions on that
The question is, do they change the remote or just hide the apps?
I currently use 2 flathub remotes, the verified (named flathub-v) and the unfiltered one. When installing from CLI I can see if it is verified (2 possible remotes show up). I hope COSMIC store and KDE Discover will show the verification check soon.
I use nearly only verified Flatpaks (a list of recommended ones is here, will soon update)
But a few popular ones are not, like VLC (developers don't know Flatpak, should get an introduction by the current maintainer), Inkscape, Spotify, Steam, Bitwarden, Signal, Torbrowser launcher, Blender, Calibre, and more (excluding Chromium Browsers, use the native versions for security reasons) are all missing.
Important things to consider:
- distro packages are nearly always unverified i.e. maintained by distro packagers instead of upstream
- spotify flatpak is not verified, but the flatpak is securely packaged. Mint has a deb repo, and that proprietary piece of malware could do whatever they like with your entire system
- flatpaks are very often more secure, at least they have some security mechanism that can be easily manually hardened. Unlike firejail or bubblejail, which are very complex.
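The two-remote setup described in the comment above, written out as an added example (this is not the commenter's own script or anything from Flathub). It assumes a flatpak version whose `remote-add` accepts `--subset=verified`, as Flathub's own instructions for a verified-only remote use; the remote names `flathub-v` and `flathub`, the `classify` helper and the sample listing are all constructed here for illustration, and the sample app ids make no claim about any app's real verification status.

```shell
#!/bin/sh
# Added example: keep two Flathub remotes, one restricted to verified apps
# and one unfiltered, and check which one carries an app before installing.
# Assumes flatpak supports `--subset=verified` (assumption, see lead-in).
set -eu

FLATHUB_REPO="https://flathub.org/repo/flathub.flatpakrepo"

# Register both remotes under distinct names; no-op if they already exist.
setup_remotes() {
    flatpak remote-add --if-not-exists --subset=verified flathub-v "$FLATHUB_REPO"
    flatpak remote-add --if-not-exists flathub "$FLATHUB_REPO"
}

# classify APP LISTING: LISTING is the application column of
# `flatpak remote-ls --columns=application flathub-v` (one id per line).
# Prints "verified" if APP appears in the verified remote, else "unverified".
classify() {
    app="$1"
    listing="$2"
    if printf '%s\n' "$listing" | grep -qx "$app"; then
        echo verified
    else
        echo unverified
    fi
}

# Live check against the verified remote (needs flatpak and network access).
check_app() {
    listing=$(flatpak remote-ls --columns=application flathub-v)
    classify "$1" "$listing"
}

# Constructed sample of a verified-remote listing (illustrative ids only).
SAMPLE_VERIFIED='org.example.VerifiedApp
io.gitlab.librewolf-community
org.example.AnotherVerifiedApp'

# Offline demo: `sh thisfile.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    classify io.gitlab.librewolf-community "$SAMPLE_VERIFIED"
    classify org.example.UnverifiedApp "$SAMPLE_VERIFIED"
fi
```

With both remotes registered, `flatpak install <app-id>` prompts for the remote when the id exists in both, which is the "2 possible remotes show up" effect the comment mentions; an app that is only offered by `flathub` and not by `flathub-v` is, by construction, unverified.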
The difference with the distro package is that you are already using the distro anyway. If you cannot trust the distro package then the whole distro itself is untrusted. Or depending on the repo provided, maybe the whole repo not the whole distro.
There is a difference between the packages shipped by default, and any random package in the repo.
In this case, Ubuntu's universe repo will have less supported packages.