this post was submitted on 05 Feb 2024
186 points (92.3% liked)

Linux

48372 readers
1411 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

There are big wishes for Signal to adopt the perfectly working Flatpak.

This will make Signal show up in the verified subsection of Flathub, it will improve trust, allow a central place for bug reports and support and ease maintenance.

Flatpak works on pretty much all Distros, including the ones covered by their current "Linux = Ubuntu" .deb repo.

To make a good decision, we need to have some statistics about who uses which package.

you are viewing a single comment's thread
view the rest of the comments
[–] sudneo 2 points 10 months ago

That is one security aspect only, and signature checking is done by OStree, but the only key used is the one from flathub, from what I understand. So you don't verify the key of the application author, but solely the one from flathub, which means if the flathub distribution pipeline is compromised, you will not notice it and install a malicious package.

That said, the isolation that provides is great, and things should be evaluated in context. I will consider much much more likely that a package I install has bugs/cves/is outright malicious, compared to the risk that the publisher pipeline gets compromised (this is essentially what the signature verification would protect from). This means that it is a huge net gain in terms of security, from my PoV, to have an "unverified" package running in flatpak, under the isolation that it provides, if we compare it to having it running in the native system, but verified.

In other words, there is not a specific scale that if you "don't even do..", then it means you are not secure at all.