this post was submitted on 02 Jun 2025
159 points (97.0% liked)

all 44 comments
[–] Limonene@lemmy.world 44 points 2 weeks ago (2 children)

Article doesn't mention my biggest problem with flatpaks, that the packages are not digitally signed. All major Linux distros sign their packages, and flathub should too. I would prefer to see digital signatures from both flathub and the package's maintainer. I don't believe flathub has either one currently.

[–] firelizzard@programming.dev 31 points 2 weeks ago

It is possible to sign a flatpak, but yeah distributors need to actually do that and flathub should require published flatpaks to be signed.

[–] FizzyOrange@programming.dev 9 points 2 weeks ago (5 children)

What would they sign it with? How do you verify the signature?

[–] Creat@discuss.tchncs.de 15 points 1 week ago

I have no idea why you're being downvoted. The whole thing with flatpaks is that they come from a large number of individuals, maybe the author of the software, but often not from a central organization you can trust. That's the fundamental difference to distro repos, which can just have a single anchor for trust.

Mindlessly signing something doesn't increase security in any way. Then requiring it just means the hassle of having to add keys to be trusted every time you want to install anything. Malicious actors can just create a key and sign the package as well. That's the whole reason it isn't required in the first place.

[–] Limonene@lemmy.world 6 points 1 week ago* (last edited 1 week ago) (1 children)

Mozilla, for example, would sign Firefox's flatpak with a PGP key that they would disclose on their website. You verify the signature using the RSA algorithm (or any other algorithm for digital signatures. There are a bunch.) Or, you could just trust that your connection wasn't tampered with the first time; then you would have the public key, and it would verify each time that the package came from that same person. Currently, you have to trust every time that your connection isn't tampered with.

Major flatpak providers (Flathub at the very least) would include their PGP public key in the flatpak software repo, and operating system vendors would distribute that key in the flatpak infrastructure for their operating system, which itself is signed by the operating system's key.

[–] FizzyOrange@programming.dev 8 points 1 week ago (1 children)

that they would disclose on their website

Wouldn't it make more sense then for them to simply host the Flatpak themselves? I kind of thought that was the whole idea of Flatpak.

[–] Kazumara@discuss.tchncs.de 7 points 1 week ago

Best to do both, really, so a record of using a consistent public key is created.

Then supply chain attacks might be noticed. If someone manages to replace the file on the webserver but can't get to the signing key you've prevented the attack.
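The verification model Limonene sketches above (pin the publisher's key once, then check every later update against that same key) and the case Kazumara describes (file swapped on the web server, signing key untouched), as an added example that is not from this thread or from Flatpak itself. It uses Go's standard-library Ed25519 in place of PGP/RSA; the TrustStore type, publisher id and bundle bytes are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// TrustStore pins one public key per publisher on first use (constructed stand-in for a key ring).
type TrustStore map[string]ed25519.PublicKey

var (
	ErrKeyMismatch = errors.New("publisher key differs from the pinned key")
	ErrBadSig      = errors.New("signature does not verify over the bundle")
)

// Sign produces the detached signature a publisher ships beside the bundle.
func Sign(priv ed25519.PrivateKey, bundle []byte) []byte {
	return ed25519.Sign(priv, bundle)
}

// Verify checks a bundle against its detached signature and the presented key. A key seen for
// the first time is pinned; later installs must use it, so a fresh attacker key is rejected.
func (ts TrustStore) Verify(publisher string, key ed25519.PublicKey, bundle, sig []byte) error {
	pinned, seen := ts[publisher]
	if seen && !bytes.Equal(pinned, key) {
		return ErrKeyMismatch
	}
	if !ed25519.Verify(key, bundle, sig) {
		return ErrBadSig
	}
	if !seen {
		ts[publisher] = key // pin only after a valid signature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ts := TrustStore{}
	bundle := []byte("constructed bundle bytes, version 1")
	fmt.Println("genuine:", ts.Verify("org.example.App", pub, bundle, Sign(priv, bundle)))
	swapped := []byte("constructed bundle bytes, trojaned") // file replaced, key not compromised
	fmt.Println("swapped file:", ts.Verify("org.example.App", pub, swapped, Sign(priv, bundle)))
	ePub, ePriv, _ := ed25519.GenerateKey(rand.Reader) // attacker signs with their own new key
	fmt.Println("new key:", ts.Verify("org.example.App", ePub, swapped, Sign(ePriv, swapped)))
}
```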

[–] Colloidal@programming.dev 4 points 1 week ago

F-Droid seems to manage it just fine. It's even got reproducible builds.

[–] dangling_cat@lemmy.blahaj.zone 28 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

I wish it would open a prompt asking for a list of permissions when opened for the first time. Like, VSCodium always needs local file system access, VPN clients always need network interface permission, etc.

Yeah, we have Flatseal, but it should be automated by the publisher to have a list of prerequisite permissions.

[–] possiblylinux127@lemmy.zip 1 points 1 week ago

Android is very underrated

[–] sxan@midwest.social 27 points 2 weeks ago* (last edited 2 weeks ago)

Hmm. This comes hard on the heels of Sebastian Wick's comments that core Flatpak development had largely stalled (2025-05-14).

I wonder what happened here. There seems to be a disconnect. TA does acknowledge Wick's talk; it's hard to reconcile the two messages, though.

[–] cupcakezealot@lemmy.blahaj.zone 20 points 1 week ago (1 children)

hey still better than snaps

[–] Samskara@sh.itjust.works -4 points 1 week ago

Still worse than tar.gz

[–] dgdft@lemmy.world 14 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

Flatpak is quite fucking far from perfect, and will always remain so due to its flawed design and UX approach.

Pretty sure the culprit here is Fedora’s packaging which adds an opaque systemd timer to run auto-updates, but the thread immediately next to this one on my homepage just happened to be a nice case-study in Flatpak fuckery: https://lemmy.world/post/30654407

Of course, the proposed changes in the article do nothing to fix this sorta problem, which happens to be the variety that end users actually care about. Flatpak is an epic noob trap since it pretends to be a plug-n-play beginner friendly tool, but causes all sorts of subtle headaches that newcomers inevitably don’t have diagnostic experience to address.

[–] bitcrafter@programming.dev 14 points 1 week ago (3 children)

The problem of there being a separate runtime for each video driver version was explicitly discussed in the article:

If you are part of the huge part of the population who happens to own a Nvidia GPU, it's a whole other can of worms. There are Flatpak runtimes that target specific Nvidia driver versions, but they must be matched with a compatible version installed on the host system, and it is not always a process as smooth and painless as one would hope.

An improvement idea that is floating around is to, basically, just take a step back and load the host drivers directly into the runtime, rather than shipping a specific version of the userspace drivers along with the application. Technically, it is possible: Valve's Linux runtime is pretty similar to Flatpak architecturally, and they solved this problem from its inception by using a library called libcapsule to load the natively installed host drivers into the Steam Runtime. This is the reason why it's significantly rarer that an old Steam game fails to launch on a new GPU, compared to the same scenario on Flatpak!

[–] dgdft@lemmy.world 6 points 1 week ago

Ah - I totally missed the Nvidia-related bit! Thanks for flagging that.

That being said, based on the maintainers’ past stances, I’m pretty pessimistic on them actually implementing a fix like that. They’re very much against the general practice of poking holes in their sandbox security perimeter.

[–] onlinepersona@programming.dev 1 points 1 week ago (1 children)

I really think if flatpaks were built upon nix, it would resolve these problems. It would however bring a new problem: people would have to learn forsaken nix 💀

[–] bitcrafter@programming.dev 2 points 1 week ago

It's not clear that it would, because the root problem is locking a package to a particular version of the nvidia drivers, which nix would not solve. Unless I am missing something?

[–] Sylvartas@lemmy.dbzer0.com 1 points 1 week ago

That solution sounds like a no-brainer. I assume it's easier said than done (and maintained)?

[–] possiblylinux127@lemmy.zip 1 points 1 week ago (1 children)

Flatpak doesn't have a UI? It is a packaging format.

[–] dgdft@lemmy.world 3 points 1 week ago* (last edited 1 week ago) (1 children)

Flatpak: a system for building, distributing, and running sandboxed desktop applications on Linux.

Flatpak application: an application installed via the flatpak command or through a graphical interface, such as GNOME Software or KDE Discover.

Runtime: also called platform, an integrated environment providing basic utilities needed for a Flatpak application to work.

Flatpak bundle: a single-file export format containing a Flatpak application or runtime.

From https://docs.flatpak.org/en/latest/introduction.html#terminology

You might be thinking of AppImages, which are more of a pure file format.

[–] possiblylinux127@lemmy.zip 1 points 1 week ago* (last edited 1 week ago) (1 children)

Are you talking about theming?

[–] dgdft@lemmy.world 4 points 1 week ago

I’m talking about the executable binary flatpak, which is the interface used to execute and manage applications distributed in the Flatpak bundle format.

https://docs.flatpak.org/en/latest/flatpak-command-reference.html#flatpak

[–] BigTrout75@lemmy.world 12 points 1 week ago (1 children)

Guess my next GPU will be AMD

[–] jagged_circle@feddit.nl 0 points 1 week ago (1 children)

Pretty fundamentally broken IMHO. It's a security nightmare

[–] HayadSont@discuss.online 2 points 1 week ago* (last edited 1 week ago) (1 children)

It's a security nightmare

How so? Doesn't its sandbox offer superior security (under most circumstances) over most other solutions? Even in its relative infancy*.

[–] jagged_circle@feddit.nl -1 points 1 week ago (1 children)

The sandboxing is a distraction and doesn't matter if you downloaded malicious code

[–] HayadSont@discuss.online 3 points 1 week ago (1 children)

But how is it a security nightmare? Or did you mean "distraction", but chose to use "nightmare" for (I suppose) exaggeration (or similar/related reasons)?

doesn’t matter if you downloaded malicious code

Hmm, please help me understand: say, I installed a flatpak that included malicious code. But, it required some permission to enact upon its maliciousness. Which, it never received. And thus, if my understanding is correct, it couldn't enact upon its maliciousness. How did Flatpak's security model not matter in this case? Apologies if I sound obnoxious (or whatsoever)*, but I'm genuinely trying to understand your case.

[–] jagged_circle@feddit.nl 0 points 1 week ago (1 children)

Flatpak doesn't verify signatures like normal package managers do

So the issue isn't that you downloaded a flatpak that included malicious code. The issue is that you downloaded a legit flatpak and ended up downloading malicious code because flatpak doesn't verify what it downloads

[–] HayadSont@discuss.online 0 points 1 week ago (1 children)

Ah okay, thanks for the clarification! I haven't delved deep into that aspect yet. But I've recently become aware of this unaddressed attack vector. And it is definitely something to worry about.

Unsure if it's solved anytime soon. But, if it is properly addressed and solved at some point in the future, would that (completely) redeem Flatpak's security model? Or, at least make it superior to what's found elsewhere?

[–] jagged_circle@feddit.nl 1 points 1 week ago (1 children)

They don't seem to give a shit about security. I think the well is poisoned. Best to just use apt

[–] HayadSont@discuss.online 1 points 1 week ago (1 children)

They don’t seem to give a shit about security. I think the well is poisoned.

Nah, I wouldn't go that far. That's like way too dramatic.

Best to just use apt

I will whenever apt doesn't (majorly) rely on backports for its security updates AND actually sandboxes its own packages. Zero Trust, FTW!

[–] jagged_circle@feddit.nl 1 points 1 week ago* (last edited 1 week ago)

When a critical security bug is open for years on a project with plenty of funding to fix it..