I usually trust my distro repos without checking. Can the same be applied to flathub without much worry?
I don’t remember anything about flathub, but the Ubuntu snap store had some malware a while ago
https://www.linuxuprising.com/2018/05/malware-found-in-ubuntu-snap-store.html?m=1
Canonical is a disgrace.
use flatseal to restrict access helps if worried
Nothing can ever be always secure.
They aren’t inherently safe. I don’t have any examples of Flatpak packages off FlatHub being poisoned, but FlatHub does allow “community” maintained packages - as in, someone unaffiliated with the development team of an app packages and publishes the app to FlatHub. That would seem to be a really good place to get into a supply chain if you were a bar actor.
Even disregarding the trust issues with Flatpak packages made by random people: Packages often contain versions of some libraries in order to not depend on the distro’s. If there are security vulnerabilities in a library then the distro maintainers usually fix it very quickly (if not go find a better distro) and it’s fixed for all packages on your system that depend on it. But this doesn’t apply to Flatpak where the package providers have to update the libraries in their own package - and the track record isn’t great. Sandboxing doesn’t help if that vulnerability leads to wiping your home directory.
deleted by creator
Flathub is likely safer than most other places to get flatpaks from, certainly safer than just some random repo you find on some guy’s website somewhere, but no software source is guaranteed to be 100% safe.
Not 100%, it’s not very hard to push packages to Flathub.
The general community is probably going to catch any issues that pop up extremely quickly. Like my main machines are all on whitelist firewalls residing on external devices. If any software tries to make odd connections, the connections will get dropped and logged. I wouldn’t hesitate to report anything odd. I don’t run sketchy proprietary junk for the most part.
I think so. In some cases the flatpaks are prepared by the developers themselves. This isn’t in itself a sign of trustworthiness, but if a dev were to sneak malicious code in somewhere and it were found out… Well, the internet is the courtroom, and the public the jury, right?
But, it is a piece of software, and you never know what one little dependency can do. Same can be said about repos.
Yes. Flathub aims to replace your distro’s repository as the source for non-system packages.
I’d recommend that you stop using Flatpak immediately, it’s a horrific security nightmare.
