[-] jagged_circle@feddit.nl 2 points 1 week ago* (last edited 1 week ago)

Yeah, that's optional. Unlike actual secure package managers like apt, where signing has been required since 2005.

What you need to look at is the docs for installing, and note it doesn't say anything about requiring valid signatures after downloading a payload.

Flatpak doesn't care about security. avoid them.

[-] MissingInteger@lemm.ee 8 points 1 week ago* (last edited 1 week ago)

This seems to be blatant misinformation.
The default seems to require a gpg signature. It can be disabled for a remote with --no-gpg-verify, but the default for installing and building definitely requires a signature.
You keep talking about the docs, so please show me where it says that in the Flatpak Documentation.

[-] jagged_circle@feddit.nl 2 points 1 week ago

You're the one spreading misinformation.

The burden of proof is on you. I linked you to the docs showing how package signatures have been required in apt since 2005. Most package managers do not have signature verification.

Point me to where the docs say signatures are required to be verified after download.

[-] ms5K8oWx@programming.dev 9 points 1 week ago* (last edited 1 week ago)

The burden of proof is on you.

You accused flatpak of being insecure. The burden to prove that is totally on you.

[-] jagged_circle@feddit.nl 1 points 6 days ago

Nah, tech is insecure by default.

[-] MissingInteger@lemm.ee 8 points 1 week ago

You have not provided a single link.

I am no expert on flatpak and just did some basic searching.
From reading the command reference it seems GPG verification is enabled for each remote and can't be disabled/enabled for each install. I can just find some issues where GPG verification fails:

Error: GPG verification enabled, but no signatures found (use gpg-verify=false in remote config to disable)
error: Failed to install bundle fr.handbrake.ghb: GPG verification enabled, but no signatures found (use gpg-verify=false in remote config to disable)

Documentation seems to be more user oriented and not developer oriented; maybe someone more knowledgeable can go in the source code and tell us how it actually works.
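For anyone who wants to check the setting the error above refers to on their own machine, here is an added example (not from this thread and not the flatpak project's own code). Flatpak stores each remote in an ostree repo config file (`/var/lib/flatpak/repo/config` for system installs, `~/.local/share/flatpak/repo/config` for user installs); a remote added with `--no-gpg-verify` carries `gpg-verify=false` there. The script parses that file and reports any remote with verification turned off. The sample config it runs against is constructed inline, and the assumption that a missing `gpg-verify` key means "enabled" (ostree's default when the key is unset) is one you should confirm against your own ostree version.

```shell
#!/bin/sh
# Added example: audit an ostree repo config for Flatpak remotes whose GPG
# verification is disabled. Not part of the thread or of flatpak itself.

# Print one line per remote: "<name> <gpg-verify> <gpg-verify-summary>".
# An absent key is reported as "true" (ostree's default when unset; an
# assumption to confirm against your ostree version).
list_remote_gpg_settings() {
    awk '
        function flush() {
            if (in_remote) print name, verify, summary
            in_remote = 0
        }
        /^\[remote "/ {
            flush()
            name = $0
            sub(/^\[remote "/, "", name); sub(/"]$/, "", name)
            in_remote = 1; verify = "true"; summary = "true"
            next
        }
        /^\[/ { flush(); next }   # any other section ends the remote block
        in_remote && /^gpg-verify=/         { verify  = tolower(substr($0, 12)); next }
        in_remote && /^gpg-verify-summary=/ { summary = tolower(substr($0, 20)); next }
        END { flush() }
    ' "$1"
}

# Return 0 when every remote verifies commit and summary signatures,
# 1 otherwise, naming the offending remotes on stdout.
check_remotes_verify_gpg() {
    bad=$(list_remote_gpg_settings "$1" | awk '$2 != "true" || $3 != "true" { print $1 }')
    if [ -n "$bad" ]; then
        printf 'GPG verification disabled for remote(s): %s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed sample config, not a real system's file. To audit a live
# install, pass /var/lib/flatpak/repo/config or ~/.local/share/flatpak/repo/config.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
[core]
repo_version=1
mode=bare-user-only

[remote "flathub"]
url=https://dl.flathub.org/repo/
xa.title=Flathub
gpg-verify=true
gpg-verify-summary=true

[remote "no-checks"]
url=http://example.invalid/repo/
gpg-verify=false
gpg-verify-summary=false

[remote "defaults-only"]
url=http://example.invalid/other/
EOF

list_remote_gpg_settings "$SAMPLE_CONFIG"
if check_remotes_verify_gpg "$SAMPLE_CONFIG"; then
    printf 'all remotes verify GPG signatures\n'
else
    printf 'audit failed: fix with `flatpak remote-modify --gpg-verify <name>` or remove the remote\n'
fi
rm -f "$SAMPLE_CONFIG"
```

On the sample above the audit flags `no-checks` and leaves `flathub` and `defaults-only` alone. Running `flatpak remotes --columns=name,options` on a real system is the quicker check; the script is useful where you want the result scripted or want to audit a config file copied off another host.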

[-] jagged_circle@feddit.nl 2 points 1 week ago
[-] MissingInteger@lemm.ee 6 points 1 week ago

So you linked to apt.
I guess good for anyone who finds this interesting…
But more on topic, here is a link to an answer from 2020 from a flatpak maintainer:

If a user installs or updates a specific app-id the code verifies that:

  • The new app is gpg signed by a trusted key
  • Checksum verifying that all files are untampered with
  • The new app has that app id
  • The new app has a later timestamp on update

[-] jagged_circle@feddit.nl 2 points 1 week ago

Link me to the docs that say this

[-] MissingInteger@lemm.ee 6 points 1 week ago

You are not arguing in good faith.
I have linked multiple times to the docs and to the GitHub repository of flatpak.
Now how about you link to something useful in the docs that proves your point or maybe just a random article as source to your misinformation.

[-] jagged_circle@feddit.nl 1 points 6 days ago

You have failed to find a doc that says signatures are required to be valid on the client for everything it downloads.

This software isn't secure. You can live in la-la land, pretending it has features it doesn't, but that doesn't change the facts.

this post was submitted on 15 Feb 2025

Linux

A community for everything relating to the GNU/Linux operating system