Flatpak verification is extremely important

In Linux Mint, is it safe to open up the Software Manager and install Google Chrome? Yes? No? Well... it depends, and it has nothing to do with how much you trust Linux Mint, or Google.

You need to trust refi64, because it isn't Mint or Google who maintain the Flatpak for Chrome; it's someone who goes by the name "refi64" on the Internet.

Now, as it happens, refi64 is a very nice developer. The problem isn't refi64. The problem is that amongst the 6 million people who installed his Flatpak, very few know who refi64 is.

In Flathub, a verified app is an app that is published by its original developer or a third party approved by the developer. Chrome is published by refi64 and is therefore “unverified”.

Right now, 42% of the apps on Flathub have been verified. The store is actively trying to verify apps, especially after the XZ backdoor and the several occasions on which malware was uploaded to the Snap Store.

We’ve been lucky so far. We really need to take action:

  • We’ll update the Software Manager to not show unverified Flatpaks by default. This will be an opt-in.
  • When shown, unverified apps will have a score of 0. The score can help a user build trust towards the application, but the issue here isn’t the application, it’s the fact that the maintainers aren’t who people think they are.
  • When shown, unverified apps will be clearly marked as unverified.
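The verified status Flathub assigns to an app (published by its developer, or by a third party the developer approved) is carried in the appstream catalogue that Flatpak downloads from the remote, so it can be checked locally before trusting an install. The following is an added example, not code from the Linux Mint blog post or from mintinstall. It assumes that Flathub marks verification with custom appstream values under the key prefix `flathub::verification::` (`verified`, `method`, `website`, `login_name`), and that the system catalogue lives at the path in `FLATHUB_APPSTREAM`; the XML sample is constructed for illustration, and the "hide unverified unless opted in, and label what is shown" logic mirrors the policy listed above.

```python
"""Check Flathub verification status from appstream metadata (added example).

Assumptions (not taken from the Mint post): Flathub records verification as
<custom><value key="flathub::verification::verified">true</value></custom>
plus method/website/login_name values, and the catalogue is at FLATHUB_APPSTREAM.
"""
import gzip
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed location of the Flathub appstream catalogue on an x86_64 host.
FLATHUB_APPSTREAM = "/var/lib/flatpak/appstream/flathub/x86_64/active/appstream.xml.gz"
PREFIX = "flathub::verification::"

# Constructed sample: one verified app, one unverified (Chrome, as described in the post).
SAMPLE_APPSTREAM = """<components version="0.14" origin="flathub">
  <component type="desktop-application">
    <id>org.example.Editor</id>
    <name>Example Editor</name>
    <custom>
      <value key="flathub::verification::verified">true</value>
      <value key="flathub::verification::method">website</value>
      <value key="flathub::verification::website">example.org</value>
    </custom>
  </component>
  <component type="desktop-application">
    <id>com.google.Chrome</id>
    <name>Google Chrome</name>
  </component>
</components>"""


@dataclass
class AppTrust:
    app_id: str
    name: str
    verified: bool
    method: Optional[str]      # "website" or "login_provider" when verified
    publisher: Optional[str]   # the domain or account the verification points at

    def label(self) -> str:
        """Text a store front-end would show next to the app."""
        if self.verified:
            return f"verified ({self.method}: {self.publisher})"
        return "UNVERIFIED: maintained by someone other than the developer"


def parse_components(xml_text: str) -> Dict[str, AppTrust]:
    """Map app id -> AppTrust; an app with no verification values is unverified."""
    root = ET.fromstring(xml_text)
    apps: Dict[str, AppTrust] = {}
    for comp in root.iter("component"):
        app_id = comp.findtext("id")
        if not app_id:
            continue
        custom = {v.get("key", ""): (v.text or "").strip()
                  for v in comp.findall("./custom/value")}
        verified = custom.get(PREFIX + "verified", "false").lower() == "true"
        publisher = custom.get(PREFIX + "website") or custom.get(PREFIX + "login_name")
        apps[app_id] = AppTrust(app_id, comp.findtext("name") or app_id,
                                verified, custom.get(PREFIX + "method"), publisher)
    return apps


def load_catalogue(path: str = FLATHUB_APPSTREAM) -> Dict[str, AppTrust]:
    """Read the real (gzipped) catalogue from disk."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return parse_components(fh.read())


def for_display(apps: Dict[str, AppTrust], show_unverified: bool = False) -> List[AppTrust]:
    """Default: only verified apps. Opt-in: all apps, verified first."""
    shown = [a for a in apps.values() if a.verified or show_unverified]
    return sorted(shown, key=lambda a: (not a.verified, a.app_id))


if __name__ == "__main__":
    catalogue = load_catalogue() if os.path.exists(FLATHUB_APPSTREAM) else parse_components(SAMPLE_APPSTREAM)
    for app in for_display(catalogue, show_unverified=True):
        print(f"{app.app_id:40} {app.label()}")
```

Run as-is it uses the constructed sample; on a machine with the Flathub remote added it reads the system catalogue instead. Absence of the verification values is treated as unverified, never as unknown, so a typo or a missing key can only hide an app, not promote it.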

We’re fully aware this goes against convenience and will hurt Linux Mint a little bit. It might not be a popular decision but we think it’s a very important one.

By the time malware hits Flathub, we hope these measures and the measures taken by Flathub will have minimized the number of exposed users and raised awareness around the risks which are being taken.

Unlike the Debian base, which takes months or even years to stabilize and reach you, a Flatpak updated by its maintainer can reach millions of users almost instantaneously. We recommend automated updates, also for security reasons; the Update Manager supports them. When it comes to Flatpak the risk isn't just taken at installation time, it's taken with every update, at a time when you might not even think about Flatpaks. This is more risky than Windows users downloading software from random websites.

You REALLY need to trust where you get your software from, and in our own Software Manager we don't show you the info you need to make informed decisions.

We’ll address this ASAP. Thank you for your attention on this important topic.

Credits and full column: https://blog.linuxmint.com/?p=4675