It may seem a bit strange, but there is one thing that bothers me about the Flathub app store: I don’t know where it comes from.
– No physical postal address.
– No mention of a company (or foundation) supporting it.
The GNOME name and logo, the GTK name and logo, the Flatpak name and the Flathub name are trademarks of the GNOME Foundation. They are valuable assets, and should be used responsibly and in accordance with the following guidelines.
Though, on the GNOME website — not on the Flathub website…
Presumably because Flathub is meant to be an open, independent and collaborative project. The GNOME Foundation is currently supporting Flatpak and Flathub financially and legally because the Flatpak team aren’t yet ready to form their own legal entity, but they are aiming to separate themselves legally from GNOME Foundation when it is viable to do so.
They might want to avoid confusing people into thinking that Flatpak and Flathub are GNOME projects, which they are not. They are specifically meant to be as distro and desktop environment agnostic as possible.
I think this relationship could be better disclosed and explained on the website, but they are quite open about it in their forum discussions and other communications.
Pretty cool of the GNOME Foundation to support them in this way.
Thing is, even Canonical cannot fully verify the developers of individual snaps (there have been cases of malicious actors releasing malware to the snap store), so Flathub being kinda vague about @merinos’ points is fine by me. Users should always verify where their software comes from and be generally careful what they install anyway.
Agreed. The fact that Flathub is open means it has a really good catalog, but it also comes with risks. At the end of the day, users should take responsibility for confirming the security of their system and the sanity of software installed onto it.
With regard to the concerns about verified software and preference for zypper packages:
Official repositories are almost always going to be the “preferred” source for software, but it’s impossible for any officially maintained repository to always have the latest version of every package that the user might want to install, whether for a lack of willing/available maintainers or because of build issues.
Flatpak, Snap and AppImage provide users with relatively easy ways to install (and manage) software on a Linux machine, but the user needs to be sure that they trust the software they are installing, just like they would need to be sure they trust software they install on Windows, macOS, Android or iOS.
Curation and verification are important and the Flathub team have stated in the past that improving this is a high priority. Snap Store is more tightly controlled so it might be a safer option for users who are worried about Flathub’s community-sourced nature, but users should still exercise caution as even the most well-fortified walled garden can be breached.
Yes, this is why it is important that users be careful when installing software. Even KDE Themes can be dangerous to install:
As more and more people start using Linux, this situation is likely to get worse and the teams behind these software deployment systems are going to need to invest more time and resources into ensuring the safety of their repositories.
It’s even more dangerous because, whether appropriate or not, one of the common talking points used to pitch Linux to non-technical users is the convenience and safety of official software repositories. Zypper, apt, dnf and so on inadvertently train users to just search for what they want, click the checkbox and hit install.
That is relatively safe to do when it’s the distribution’s official repository, but when KDE, GNOME, Flathub and Snap Store all introduce similar interfaces without the same level of safeguards in place, it creates an undeniable security issue.
I’m still pro flatpak and I have a few non-verified flatpaks on my system for the sake of convenience, but I think there’s still a lot of work to be done to make it safer to use.
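Several posts above say users should check where an installed Flatpak comes from and whether it is a verified app. The script below is an added example of how to do that audit and is not code from the thread, from Flathub or from the Flatpak project. It assumes, without the thread confirming it, that `flatpak list --app --columns=application,origin` prints tab-separated "APP_ID, REMOTE" lines, that Flathub's AppStream catalog marks verified apps with `<value key="flathub::verification::verified">true</value>`, and that Flatpak keeps its copy of that catalog at `/var/lib/flatpak/appstream/flathub/<arch>/active/appstream.xml.gz`. The sample catalog and sample list embedded in the script are constructed for the demo; run it with `--live` to audit a real system.

```shell
#!/bin/sh
# Added example, not from the thread or from Flathub/Flatpak. Lists each
# installed Flatpak with its origin remote and whether Flathub's catalog
# flags it as verified. Assumptions (not confirmed by the thread):
#  - `flatpak list --app --columns=application,origin` prints "APP_ID<TAB>REMOTE"
#  - verified apps carry <value key="flathub::verification::verified">true</value>
#  - the installed catalog is /var/lib/flatpak/appstream/flathub/<arch>/active/appstream.xml.gz
set -eu

# verified_ids: read AppStream XML on stdin, print the id of every
# <component> whose custom value marks it verified. Only the first <id>
# in a component is used (a <provides> block may carry legacy ids), and
# a legacy ".desktop" suffix is dropped so ids match `flatpak list`.
verified_ids() {
    awk '
        /<component[ >]/ { id = ""; ok = 0 }
        /<id>/ {
            if (id == "") {
                id = $0
                sub(/.*<id>/, "", id); sub(/<\/id>.*/, "", id)
                sub(/\.desktop$/, "", id)
            }
        }
        /key="flathub::verification::verified">true</ { ok = 1 }
        /<\/component>/ { if (ok && id != "") print id }
    '
}

# audit: stdin is "APP_ID<TAB>REMOTE" lines; $1 is a file of verified ids.
# Prints "APP_ID REMOTE STATUS" per installed app.
audit() {
    verified_file=$1
    tab=$(printf '\t')
    while IFS="$tab" read -r app origin; do
        [ -n "$app" ] || continue
        if [ "$origin" != "flathub" ]; then
            status="remote:$origin"     # not from Flathub: judge that remote yourself
        elif grep -qxF "$app" "$verified_file"; then
            status="verified"           # Flathub says the upstream developer owns it
        else
            status="UNVERIFIED"         # community-maintained wrapper: check who packages it
        fi
        printf '%s %s %s\n' "$app" "$origin" "$status"
    done
}

# Constructed sample data for an offline demo (not a real catalog or system).
SAMPLE_CATALOG='<components>
  <component type="desktop-application">
    <id>org.example.Verified.desktop</id>
    <custom><value key="flathub::verification::verified">true</value></custom>
  </component>
  <component type="desktop-application">
    <id>org.example.Wrapper</id>
  </component>
</components>'
SAMPLE_LIST=$(printf 'org.example.Verified\tflathub\norg.example.Wrapper\tflathub\norg.example.Vendor\tvendor-remote')

# demo: run the audit over the constructed sample data.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CATALOG" | verified_ids > "$tmp"
    printf '%s\n' "$SAMPLE_LIST" | audit "$tmp"
    rm -f "$tmp"
}

# live: run the audit against the real Flatpak installation (assumed paths).
live() {
    catalog="/var/lib/flatpak/appstream/flathub/$(uname -m)/active/appstream.xml.gz"
    tmp=$(mktemp)
    gzip -dc "$catalog" | verified_ids > "$tmp"
    flatpak list --app --columns=application,origin | audit "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "--live" ]; then
    live
else
    demo
fi
```

Anything reported as UNVERIFIED is a Flathub app that someone other than the upstream developer packages; that is the case the posts above describe, and the only way to judge it is to look at who maintains the Flathub manifest and what permissions the app requests (`flatpak info --show-permissions APP_ID`).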