There are big wishes for Signal to adopt the perfectly working Flatpak.

This will make Signal show up in the verified subsection of Flathub, it will improve trust, allow a central place for bug reports and support and ease maintenance.

Flatpak works on pretty much all Distros, including the ones covered by their current “Linux = Ubuntu” .deb repo.

To make a good decision, we need to have some statistics about who uses which package.

  • sudneo@lemmy.world
    link
    fedilink
    arrow-up
    2
    ·
    9 months ago

    That is one security aspect only, and signature checking is done by OStree, but the only key used is the one from flathub, from what I understand. So you don’t verify the key of the application author, but solely the one from flathub, which means if the flathub distribution pipeline is compromised, you will not notice it and install a malicious package.

    That said, the isolation that provides is great, and things should be evaluated in context. I will consider much much more likely that a package I install has bugs/cves/is outright malicious, compared to the risk that the publisher pipeline gets compromised (this is essentially what the signature verification would protect from). This means that it is a huge net gain in terms of security, from my PoV, to have an “unverified” package running in flatpak, under the isolation that it provides, if we compare it to having it running in the native system, but verified.

    In other words, there is not a specific scale that if you “don’t even do…”, then it means you are not secure at all.