this post was submitted on 17 Jul 2023
87 points (97.8% liked)

Linux

48074 readers
768 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I usually trust my distro repos without checking. Can the same be applied to flathub without much worry?

top 24 comments
sorted by: hot top controversial new old
[–] [email protected] 41 points 1 year ago

I've never heard of anyone getting an unsafe package from flathub, but they certainly aren't all as thoroughly vetted as stuff from a well maintained distro. Any major package is almost certainly fine, but if you're downloading something obscure I'd use Flatseal to make sure it's very well sandboxed, just in case.

They've also recently added verified checkmarks to the website for flatpaks that are officially maintained by the developers of the app, so that's another thing to look out for.

[–] [email protected] 27 points 1 year ago (1 children)

I don’t remember anything about flathub, but the Ubuntu snap store had some malware a while ago

https://www.linuxuprising.com/2018/05/malware-found-in-ubuntu-snap-store.html?m=1

[–] [email protected] 12 points 1 year ago

Canonical is a disgrace.

[–] [email protected] 24 points 1 year ago (1 children)

Nothing can ever be always secure.

[–] [email protected] 1 points 1 year ago

Needlessly reductionist, but also wrong. If your code is proven to work (like, machine verified), and you use a compiler that is also verified to generate correct code, then that code is secure.

[–] [email protected] 19 points 1 year ago

use flatseal to restrict access helps if worried

[–] [email protected] 18 points 1 year ago

Even disregarding the trust issues with Flatpak packages made by random people: Packages often contain versions of some libraries in order to not depend on the distro's. If there are security vulnerabilities in a library then the distro maintainers usually fix it very quickly (if not go find a better distro) and it's fixed for all packages on your system that depend on it. But this doesn't apply to Flatpak where the package providers have to update the libraries in their own package - and the track record isn't great. Sandboxing doesn't help if that vulnerability leads to wiping your home directory.

[–] [email protected] 18 points 1 year ago

They aren't inherently safe. I don't have any examples of Flatpak packages off FlatHub being poisoned, but FlatHub does allow "community" maintained packages - as in, someone unaffiliated with the development team of an app packages and publishes the app to FlatHub. That would seem to be a really good place to get into a supply chain if you were a bar actor.

[–] [email protected] 17 points 1 year ago

Flathub apps will likely be removed quickly if they're found to be malicious. They're slightly more unsafe than official repos, but you should be fine. Make sure to carefully check apps with like 4 downloads though.

[–] [email protected] 12 points 1 year ago* (last edited 1 year ago)

No, they are not always safe.

Be picky about what you install, and vigilant about permissions.

[–] [email protected] 10 points 1 year ago

Flathub is likely safer than most other places to get flatpaks from, certainly safer than just some random repo you find on some guy's website somewhere, but no software source is guaranteed to be 100% safe.

[–] [email protected] 8 points 1 year ago (2 children)

At https://blog.frehi.be/2023/04/23/the-security-risks-of-flathub/ someone has published an article about Flathub in which he addresses a few problems.

Therefore, the answer is that Flathub is not always safe to use. However, I do not know of any package source that is always safe to use. Is Flathub more insecure than other package sources? I can't answer that because I don't use solutions like Flatpak, AppImage etc. myself.

[–] [email protected] 2 points 1 year ago

It's more about trust, than security. When you use a specific distro, you only have to trust the distro packagers. These packages are reviewed by multiple persons, tested thoroughly and (usually) built in a reproductible way. The packagers are usually different from the developers, so they can also review the code itself and eventually patch issues if needed to be in line with the distro's ideology.

With flatpak, snap and friends, anyone is a potential packager, so for each software you gotta trust this single entity, which is usually the developer itself.

[–] [email protected] 1 points 1 year ago

I can: yes, Flathub is more unsafe than package managers that actually verify all packages signatures after they download software.

[–] [email protected] 6 points 1 year ago

Not 100%, it's not very hard to push packages to Flathub.

[–] [email protected] 3 points 1 year ago

On the contrary, downloading files from flathub are never safe because it does not verify signatures, unlike secure package manager like apt

[–] [email protected] 3 points 1 year ago

The general community is probably going to catch any issues that pop up extremely quickly. Like my main machines are all on whitelist firewalls residing on external devices. If any software tries to make odd connections, the connections will get dropped and logged. I wouldn't hesitate to report anything odd. I don't run sketchy proprietary junk for the most part.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

I think so. In some cases the flatpaks are prepared by the developers themselves. This isn't in itself a sign of trustworthiness, but if a dev were to sneak malicious code in somewhere and it were found out... Well, the internet is the courtroom, and the public the jury, right?

But, it is a piece of software, and you never know what one little dependency can do. Same can be said about repos.

load more comments
view more: next ›