this post was submitted on 04 Jun 2024
264 points (98.5% liked)

Linux

[–] [email protected] 84 points 6 months ago (2 children)

It's the GUI software manager, I think the LM developers should get a pass at curating selections for users who wouldn't know any better.

I personally think they can make it a total non-issue if they put in "some unverified results hidden, see settings to change".

[–] [email protected] 11 points 6 months ago

Exactly. Linux Mint is one of the few distros that really follow through on the fact that their users may not be proficient.

It's why it's my business distro of choice.

[–] [email protected] -2 points 6 months ago

Meanwhile they offer a deb repo for Spotify...

[–] [email protected] 61 points 6 months ago (2 children)

I actually agree with Linux Mint's decision. You cannot trust any random upload. Either it's an official/verified upload, or it shouldn't be there at all (or it should be a separate app for those who want it). That's why on my system I only install from the official Debian repos and not the community ones. I just don't trust random anonymous uploaders.

[–] [email protected] 28 points 6 months ago (2 children)

AUR users fuming at this comment

[–] [email protected] 6 points 6 months ago

Yeah, the AUR seems pretty dodgy.

[–] [email protected] 0 points 6 months ago (1 children)

Why? they don't like using AUR or what?

[–] [email protected] 8 points 6 months ago (1 children)

Anyone can upload packages to the AUR, and people often use it without verifying the source, so yeah, that can be dodgy.

[–] [email protected] 13 points 6 months ago

You use the AUR because you want more packages.
I use the AUR because I believe in humanity.
We are NOT the same.

[–] [email protected] 1 points 6 months ago

Unofficial Flatpaks are not random uploads

[–] fpslem 50 points 6 months ago

I'm fine with this, particularly since you can just tick the box and still access them. Linux Mint is such a good gateway for new Linux users that it makes sense to hide unverified Flatpaks until they understand the risks. Plenty of people (perhaps myself included) won't ever need to worry about unverified Flatpaks if their needs are simple and they don't add much beyond the standard software.

[–] [email protected] 46 points 6 months ago

This is a fair default and warning to the user.

[–] subtext 27 points 6 months ago

A new preferences dialog has been added to Software Manager that has, among other options, a toggle to show unverified Flatpaks — but the distro makes clear this is “not recommended”

[–] [email protected] 24 points 6 months ago (3 children)

This is the first time I've ever found myself kind of disagreeing with the Mint team. As others have said, some of the most popular packages on Flathub are unverified, so popular programs like Inkscape are not going to show up as Flatpaks?

I think just a warning, like what Flathub does, and maybe a dialog before installing, warning the app is packaged by an unverified packager, would have been enough.

[–] [email protected] 21 points 6 months ago (1 children)

Idk if a warning is a good idea either. As you said, most of the apps are unverified. If a beginner sees warnings when installing every package, it will raise some questions.

[–] [email protected] 5 points 6 months ago

Ooh, good point.

[–] Diplomjodler3 9 points 6 months ago (1 children)

I think their approach is pretty solid. For beginners, it's probably better to only see the verified FPs. More advanced users can change the preference. There is simply no ideal solution in this case, until we get more verified FPs

[–] [email protected] 2 points 6 months ago* (last edited 6 months ago)

Completely unrelated but your use of FP really confused me at first, as I've been studying for a Programming exam, half of which is on FP (Functional Programming).

[–] [email protected] 8 points 6 months ago (1 children)

If a new user installs malware from Flathub while trying out Mint for the first time, they'll probably blame Mint instead of Flathub. Nobody will say "damn, I should have listened to that warning" while their "discrod" app rm -rf's their entire PC away; they'll instead claim Linux is crap and go somewhere else. Doing this helps keep Mint safe, and definitely encourages unverified FOSS apps to hurry up and get verified.

[–] [email protected] -5 points 6 months ago

That sounds suspiciously similar to the kind of gatekeeping Apple is doing.

[–] [email protected] 18 points 6 months ago (1 children)

This is a great start, but tbh, I’m not fully sold on “verified” flathub apps. Verification requires a token to be placed into a source repo or a website, but there appears to be nothing on actually verifying that the source/site are the original creators. So, for example, if someone packaged a malicious version of librefox and established it under io.github.librewolf-community instead of the canonical io.gitlab.librewolf-community, I’m concerned it’ll still show as verified (though quickly removed). The process can be read about here.

[–] JustAnotherRando 4 points 6 months ago* (last edited 6 months ago) (1 children)

Is the token not keyed to a specific source? I would have expected it to operate similarly to an SSL cert, where part of the verification process is that the source is the correct origin that the token belongs to - so if someone just lifted a valid cert to put into a malicious one, it would catch anything from changing a single character in the project name to changing the repository host (i.e. GitHub to GitLab)

[–] [email protected] 8 points 6 months ago

Afaik yes, the token is keyed to a specific source in the case of verifying through a website, but from what I can tell, that doesn’t stop someone else from creating a separate malicious website (or git repo) that looks similar but contains malware, and publishing that as a verified app with a similar name as the real app to flathub (so there would be multiple versions of an app, with only 1 being the “real” one on flathub).

[–] [email protected] 18 points 6 months ago (1 children)

I appreciate the clear marking that something is unverified, but don’t think disabling by default is the right move. As others have mentioned, most of the software in the distribution is also unverified.

[–] [email protected] 3 points 6 months ago (1 children)

I think this strategy makes sense, if you do an overall push to have all software sources verified. Knowing users, a simple warning that an app is unverified rarely affects their behaviour. You need to hide the app, to encourage app developers to get verified for it to work. Users ideally should be able to trust by default, because we can't trust them to know any better.

[–] [email protected] 2 points 6 months ago

I think most likely app developers who aren’t verified don’t care to be. Spotify isn’t rushing to build a flatpak.

[–] BananaTrifleViolin 11 points 6 months ago* (last edited 6 months ago)

It kind of makes sense, except the vast majority of software in all distros is not being packaged by the developers; it's being packaged by volunteers in the relevant project. Most software is being used on trust that it is built off the original code and not interfered with.

It's very difficult for any distro to actually audit all the code of the software they are distributing. I imagine most time is spent making sure the packages work and don't conflict with each other.

The verified tick is good in Flatpaks, but the "hide anything not verified" seems a little over the top to me. A warning is good, but most software is used under trust in Linux: if you're not building it yourself, you don't know you're getting unadulterated software. And does this apply to all the shared libraries on Flathub? Will they warn you if your software is using shared libraries that are not verified?

And while Flatpak is a potential vector to a lot of machines if abused, it is also a sandboxed environment, unlike the vast majority of software that comes from distros' own repos.

Also, given the nature of Flatpaks, any distro could host its own Flatpaks, but everyone seems to use Flathub. If they're not going to take on the responsibility of maintaining Flathub and its software, then there probably needs to be some way of "verifying" packages not coming directly from the developers. Otherwise users may lose out on the benefits of a shared distro-agnostic library of software.

I get why Mint is doing this, but I think it's a bit of a false reassurance. Although from Mint's point of view they would be able to take direct responsibility for the software they distribute in their own repos (as much as you can in a warrantyless "use at your own risk" system).

[–] [email protected] 10 points 6 months ago* (last edited 6 months ago)

They should have an option to show unverified Flatpaks

Edit: there is a toggle

[–] [email protected] 8 points 6 months ago* (last edited 6 months ago) (1 children)

Have a look at my flatpak repo list with instructions on that

The question is, do they change the remote or just hide the apps?

I currently use 2 flathub remotes, the verified (named flathub-v) and the unfiltered one. When installing from CLI I can see if it is verified (2 possible remotes show up). I hope COSMIC store and KDE Discover will show the verification check soon.

I use nearly only verified Flatpaks (a list of recommended ones is here, will soon update)

But a few popular ones are not, like VLC (the developers don't know Flatpak; they should get an introduction by the current maintainer), Inkscape, Spotify, Steam, Bitwarden, Signal, Tor Browser launcher, Blender, Calibre, and more (excluding Chromium browsers; use the native versions for security reasons) are all missing.

Important things to consider:

  • distro packages are nearly always unverified, i.e. maintained by distro packagers instead of upstream
  • the Spotify Flatpak is not verified, but the Flatpak is securely packaged. Mint has a deb repo, and that proprietary piece of malware could do whatever it likes with your entire system
  • Flatpaks are very often more secure; at least they have some security mechanism that can be easily manually hardened. Unlike firejail or bubblejail, which are very complex.
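The two-remote setup this comment describes (a verified-only Flathub remote beside the full one), with a check of which installed apps fall outside the verified subset, as an added example that is not from the thread. It assumes a flatpak release that supports `remote-add --subset` as documented by Flathub; the remote name `flathub-verified` is a choice made here.

```shell
#!/bin/sh
# Added example (not from the thread): keep a verified-only Flathub remote next to
# the full one and list installed apps that the verified subset does not carry.
# Assumes flatpak supports `remote-add --subset=verified` (documented by Flathub).
set -eu

FLATHUB_REPO=https://dl.flathub.org/repo/flathub.flatpakrepo

# Add the verified subset as its own per-user remote (name chosen here).
add_verified_remote() {
    flatpak remote-add --user --if-not-exists --subset=verified \
        flathub-verified "$FLATHUB_REPO"
}

# unverified_apps VERIFIED INSTALLED
# Both arguments are newline-separated app ids. Prints, sorted and one per line,
# every installed id that the verified list does not contain.
unverified_apps() {
    verified=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
    installed=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u)
    printf '%s\n' "$installed" | while IFS= read -r app; do
        printf '%s\n' "$verified" | grep -qxF -- "$app" || printf '%s\n' "$app"
    done
}

# Live audit: what is installed versus what flathub-verified actually offers.
audit_installed() {
    unverified_apps \
        "$(flatpak remote-ls --app --columns=application flathub-verified)" \
        "$(flatpak list --app --columns=application)"
}

if command -v flatpak >/dev/null 2>&1; then
    audit_installed
else
    # Constructed sample ids (not real audit data) so the script also runs offline.
    unverified_apps 'org.mozilla.firefox
org.gnome.Calculator' 'org.mozilla.firefox
org.inkscape.Inkscape
com.spotify.Client'
fi
```

Run `add_verified_remote` once before the audit; the audit itself only reads remote and installed metadata.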

[–] [email protected] 1 points 6 months ago (1 children)

The difference with the distro package is that you are already using the distro anyway. If you cannot trust the distro package then the whole distro itself is untrusted. Or depending on the repo provided, maybe the whole repo not the whole distro.

[–] [email protected] 0 points 6 months ago

There is a difference between the packages shipped by default, and any random package in the repo.

In this case, Ubuntu's universe repo will have less supported packages.

[–] Plopp 6 points 6 months ago

Since the user can select to show unverified software I'm very much in favor of this. As long as it's still very visible that a package is unverified after you changed the setting. With security being one of the main selling points of Flatpaks, there should be a clear distinction between verified and unverified packages, and the goal should be that all packages should be verified.

[–] [email protected] 0 points 6 months ago

Eminently logical.

[–] [email protected] -2 points 6 months ago (1 children)

Too bad they go the Ubuntu route now.

[–] [email protected] 8 points 6 months ago (1 children)

What do you mean? That they are based off Ubuntu?

[–] [email protected] -2 points 6 months ago (2 children)

They derived from Ubuntu to provide a better experience - what they did.

But they now go down the Ubuntu way with dumbing down the interface and holding back and/or hiding software they disagree with.

[–] tabular 2 points 6 months ago (1 children)

That's what Mint is for, like removing Snap from Ubuntu.

[–] [email protected] 0 points 6 months ago

Yes. And now Flatpaks they don't like, too.

[–] bruhduh 1 points 6 months ago (1 children)
[–] [email protected] 2 points 6 months ago

I'm happy with the distribution I use. But I now need something new to suggest to interested users.