Flatpak doesn’t verify signatures like normal package managers do
So the issue isn’t that you downloaded a flatpak that included malicious code. The issue is that you downloaded a legit flatpak and ended up downloading malicious code because flatpak doesn’t verify what it downloads
Ah okay, thanks for the clarification! I haven’t delved deep into that aspect yet. But I’ve recently become aware of this unaddressed attack vector. And it is definitely something to worry about.
Unsure if it’s solved anytime soon. But, if it is properly addressed and solved at some point in the future, would that (completely) redeem Flatpak’s security model? Or, at least make it superior to what’s found elsewhere?
Flatpak doesn’t verify signatures like normal package managers do
So the issue isn’t that you downloaded a flatpak that included malicious code. The issue is that you downloaded a legit flatpak and ended up downloading malicious code because flatpak doesn’t verify what it downloads
Ah okay, thanks for the clarification! I haven’t delved deep into that aspect yet. But I’ve recently become aware of this unaddressed attack vector. And it is definitely something to worry about.
Unsure if it’s solved anytime soon. But, if it is properly addressed and solved at some point in the future, would that (completely) redeem Flatpak’s security model? Or, at least make it superior to what’s found elsewhere?
They don’t seem to give a shit about security. I think the well is poisoned. Best to just use apt
Nah, I wouldn’t go that far. That’s like way too dramatic.
I will whenever
aptdoesn’t (majorly) rely on backports for its security updates AND actually sandboxes its own packages. Zero Trust, FTW!When a critical security bug is open for years on a project with plenty of funding to fix it…