I usually trust my distro repos without checking. Can the same be applied to flathub without much worry?
I’ve never heard of anyone getting an unsafe package from flathub, but they certainly aren’t all as thoroughly vetted as stuff from a well maintained distro. Any major package is almost certainly fine, but if you’re downloading something obscure I’d use Flatseal to make sure it’s very well sandboxed, just in case.
They’ve also recently added verified checkmarks to the website for flatpaks that are officially maintained by the developers of the app, so that’s another thing to look out for.
deleted by creator
Even disregarding the trust issues with Flatpak packages made by random people: Packages often contain versions of some libraries in order to not depend on the distro’s. If there are security vulnerabilities in a library then the distro maintainers usually fix it very quickly (if not go find a better distro) and it’s fixed for all packages on your system that depend on it. But this doesn’t apply to Flatpak where the package providers have to update the libraries in their own package - and the track record isn’t great. Sandboxing doesn’t help if that vulnerability leads to wiping your home directory.
They aren’t inherently safe. I don’t have any examples of Flatpak packages off FlatHub being poisoned, but FlatHub does allow “community” maintained packages - as in, someone unaffiliated with the development team of an app packages and publishes the app to FlatHub. That would seem to be a really good place to get into a supply chain if you were a bar actor.
Flathub apps will likely be removed quickly if they’re found to be malicious. They’re slightly more unsafe than official repos, but you should be fine. Make sure to carefully check apps with like 4 downloads though.
Flathub is likely safer than most other places to get flatpaks from, certainly safer than just some random repo you find on some guy’s website somewhere, but no software source is guaranteed to be 100% safe.
I don’t remember anything about flathub, but the Ubuntu snap store had some malware a while ago
https://www.linuxuprising.com/2018/05/malware-found-in-ubuntu-snap-store.html?m=1
Canonical is a disgrace.
use flatseal to restrict access helps if worried
No, they are not always safe.
Be picky about what you install, and vigilant about permissions.
Nothing can ever be always secure.
Needlessly reductionist, but also wrong. If your code is proven to work (like, machine verified), and you use a compiler that is also verified to generate correct code, then that code is secure.
I’d recommend that you stop using Flatpak immediately, it’s a horrific security nightmare.
- It looks like this website hasn’t been updated since 2020.
- Most of the things here are (probably) patched, besides many developers have claimed the right to update their own apps, and those apps are verified (a new feature created in 2023).
- Before uploading an app that requires home or host filesystem access, developers must specify the reason.
- Ever since xdg portals became a thing, I have seen more apps switch to them
The fact that the website hasn’t been updated since 2020 and still has an open CVE shines the light on Flatpak’s attention to security.
Regarding point 3, if that’s true, then why are all of the most-dowloaded packages on Flathub mislabelled as ‘sandboxed’ when they have full write access to a user’s home directory? That isn’t a sandbox.
Flatpak currently has a 7.2 vulnerability that has gone unaddressed since 2017. The maximum vulnerability rating is a 9, so this is quite major.
Maybe you should have read the entries in the link you posted
Flatpak currently has a 7.2 vulnerability that has gone unaddressed since 2017.
Text about the 7.2 vulnerability from 2017:
In Flatpak before 0.8.7
That version was tagged in git on July 20th, 2017
Yes. Flathub aims to replace your distro’s repository as the source for non-system packages.
