this post was submitted on 02 Jun 2025
149 points (96.9% liked)

Linux

[–] Limonene@lemmy.world 44 points 2 months ago (9 children)

Article doesn't mention my biggest problem with flatpaks, that the packages are not digitally signed. All major Linux distros sign their packages, and flathub should too. I would prefer to see digital signatures from both flathub and the package's maintainer. I don't believe flathub has either one currently.

[–] FizzyOrange@programming.dev 11 points 2 months ago (7 children)

What would they sign it with? How do you verify the signature?

[–] Creat@discuss.tchncs.de 16 points 2 months ago

I have no idea why you're being downvoted. The whole thing with flatpaks is that they come from a large number of individuals, maybe the author of the software, but often not from a central organization you can trust. That's the fundamental difference to distro repos, which can just have a single anchor for trust.

Mindlessly signing something doesn't increase security in any way. Requiring it would just mean the hassle of having to add keys to be trusted every time you want to install anything. Malicious actors can just create a key and sign the package as well. That's the whole reason it isn't required in the first place.
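The point Creat makes above (a valid signature from a key nobody vouches for proves nothing) and Limonene's wish for signatures from both the hub and the maintainer can be modelled as a two-layer check: the pinned hub key endorses a maintainer key, and that maintainer key signs the package. This is an added example, not code from the thread or from Flatpak/Flathub; it uses Go's standard ed25519 and the package layout and field names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// SignedPackage (assumed layout): the payload, the maintainer's signature
// over it, the maintainer's public key, and the anchor's signature over
// that key (the "endorsement" tying an individual maintainer to the hub).
type SignedPackage struct {
	Payload       []byte
	MaintainerPub ed25519.PublicKey
	MaintainerSig []byte
	Endorsement   []byte
}

var ErrUnendorsed = errors.New("maintainer key not endorsed by trust anchor")
var ErrBadSig = errors.New("package signature does not verify")

// Verify accepts a package only when the pinned anchor vouches for the
// maintainer key AND that key signed the payload. A self-generated key
// with a perfectly valid signature is rejected at the first check.
func Verify(anchor ed25519.PublicKey, p SignedPackage) error {
	if !ed25519.Verify(anchor, p.MaintainerPub, p.Endorsement) {
		return ErrUnendorsed
	}
	if !ed25519.Verify(p.MaintainerPub, p.Payload, p.MaintainerSig) {
		return ErrBadSig
	}
	return nil
}

// Demo builds one anchor, one endorsed maintainer and one rogue signer
// (all keys generated here, constructed sample data) and returns the
// verification result for the genuine and the rogue package.
func Demo() (genuineErr, rogueErr error) {
	anchorPub, anchorPriv, _ := ed25519.GenerateKey(rand.Reader)
	maintPub, maintPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed sample package contents")
	genuine := SignedPackage{payload, maintPub,
		ed25519.Sign(maintPriv, payload), ed25519.Sign(anchorPriv, maintPub)}
	// The rogue signer can sign the payload, but can only "endorse" its own key.
	rogue := SignedPackage{payload, roguePub,
		ed25519.Sign(roguePriv, payload), ed25519.Sign(roguePriv, roguePub)}
	return Verify(anchorPub, genuine), Verify(anchorPub, rogue)
}
```

Without the endorsement layer the rogue package would pass, since its signature is cryptographically valid; the check that matters is whether the signing key chains to a trust anchor the user already pinned.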
