• boredsquirrel@slrpnk.net
    link
    fedilink
    arrow-up
    6
    ·
    edit-2
    7 months ago

    The Flathub security rating is useful but too cautious (so many “false alarms” that people ignore it). It is completely independent from the verification though.

    Mixing these up makes no sense.

    But for sure, officially supported Libreoffice may be more secure than distro-packaged Libreoffice.

    Is any of these applications dangerous or a security risk to the system / user?

    Likely not more than Distro packages. They pull in dependencies, and code, just like any other app.

    Flatpaks are too pain tolerant regarding EOL runtimes. These may have security risks, and many badly maintained apps are using them, and at least KDE Discover doesnt show a warning here.

    Create a fork of an app and verify your website with the fork in Flatpak. The system is already broken

    True

    By doing so, it undermines a reason why we use GPL and Open Source.

    Very good points. It is a good security practice to stay close to a trusted upstream though. Browsers for example may have delayed security patches.

    And what about apps where the original author does not care, but was brought to Flatpak by a community member?

    Same here, if the upstream tests the Flatpak BEFORE shipping the release, it will work and be fast. If they dont, they ship the update, the flatpak is updated some time after that, it may have an issue, the packagers may need to patch something, solve the issue upstream etc.

    The thing is that packagers should join upstream, as only integrated packaging gives this inherent stability and speed.

    This is not relevant in many scenarios though. Flatpaks allow to securely sandbox random apps, so they are very often more secure.

    • thingsiplay@beehaw.org
      link
      fedilink
      arrow-up
      1
      ·
      7 months ago

      The Flathub security rating is useful but too cautious (so many “false alarms” that people ignore it). It is completely independent from the verification though.

      Mixing these up makes no sense.

      That’s right, but I had a point there. My point is, that even verified applications can be marked as insecure on Flathub. That means, unverified applications can be secure based on the standards the Flathub sets. This was my point that its independent and why the verification of source has nothing to do with security. If Linux Mint does hide unverified apps, because it thinks these are unsecure, then it should hide all the applications that are marked as a potential unsecure app; just like the unverified apps are potentially unsecure (just like any other verified app).

      Hopefully this was not too confusing to read.

      • boredsquirrel@slrpnk.net
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        Yes, verification is very different from the security rating.

        Poorly you can sort by subsets but not by the security rating.

        There are legacy apps that are always insecure with huge static filesystem permissions AND they are sometimes not well maintained i.e. they dont support the Flatpak.