Article doesn't mention my biggest problem with flatpaks, that the packages are not digitally signed. All major Linux distros sign their packages, and flathub should too. I would prefer to see digital signatures from both flathub and the package's maintainer. I don't believe flathub has either one currently.
this post was submitted on 02 Jun 2025
159 points (97.0% liked)
Linux
7908 readers
618 users here now
A community for everything relating to the GNU/Linux operating system
Also check out:
Original icon base courtesy of lewing@isc.tamu.edu and The GIMP
founded 2 years ago
MODERATORS
It is possible to sign a flatpak, but yeah distributors need to actually do that and flathub should require published flatpaks to be signed.
What would they sign it with? How do you verify the signature?
I have no idea why you're being down voted. The whole thing with flatpacks is that they come from a large number of individuals, maybe the author of the software, but often not from a central organization you can trust. That's the fundamental difference to distro repos, who can just have a single anchor for trust.
Mindlessly signing something doesn't increase security in any way. Then requiring it just means hassle to having to add keys to be trusted every time you want to install anything. Malicious actors can just create a key and sign the package as well. That's the whole reason it isn't required in the first place.
Mozilla, for example, would sign Firefox's flatpak with a PGP key that they would disclose on their website. You verify the signature using the RSA algorithm (or any other algorithm for digital signatures. There are a bunch.) Or, you could just trust that your connection wasn't tampered the first time, then you would have the public key, and it would verify each time that the package came from that same person. Currently, you have to trust every time that your connection isn't tampered.
Major flatpak providers (Flathub at the very least) would include their PGP public key in the flatpak software repo, and operating system vendors would distribute that key in the flatpak infrastructure for their operating system, which itself is signed by the operating system's key.
that they would disclose on their website
Wouldn't it make more sense then for them to simply host the Flatpak themselves? I kind of thought that was the whole idea of Flatpak.
Best to do both, really, so a record of using a consistent public key is created.
Then supply chain attacks might be noticed. If someone manages to replace the file on the webserver but can't get to the signing key you've prevented the attack.
F-Droid seems to manage it just fine. It's even got reproducible builds.
I wish it opens a prompt asking a list of permissions when open for the first time. Like, VSCodium always needs local file system access, VPN clients always need network interface permission, etc.
Yeah, we have Flatseal, but it should be automated by the publisher to have a list of prerequisite permissions.
Android is very underrated
Hmm. This hard on the heels of Sebastian Wick's comments that core Flatpak development had largely stalled (2025-05-14).
I wonder what happened here. There seems to be a disconnect. TA does acknowledge Wick's talk; it's hard to reconcile the two messages, though.
hey still better than snaps
Still worse than tar.gz
Flatpak is quite fucking far from perfect, and will always remain so due to its flawed design and UX approach.
Pretty sure the culprit here is Fedora’s packaging which adds an opaque systemd timer to run auto-updates, but the thread immediately next to this one on my homepage just happened to be a nice case-study in Flatpak fuckery: https://lemmy.world/post/30654407
Of course, the proposed changes in the article do nothing to fix this sorta problem, which happens to be the variety that end users actually care about. Flatpak is an epic noob trap since it pretends to be a plug-n-play beginner friendly tool, but causes all sorts of subtle headaches that newcomers inevitably don’t have diagnostic experience to address.
The problem of there being a separate runtime for each video driver version was explicitly discussed in the article:
If you are part of the huge part of the population who happens to own a Nvidia GPU, it's a whole other can of worms. There are Flatpak runtimes that target specific Nvidia driver versions, but they must be matched with a compatible version installed on the host system, and it is not always a process as smooth and painless as one would hope.
An improvement idea that is floating around is to, basically, just take a step back and load the host drivers directly into the runtime, rather than shipping a specific version of the userspace drivers along with the application. Technically, it is possible: Valve's Linux runtime is pretty similar to Flatpak architecturally, and they solved this problem from its inception by using a library called libcapsule to load the natively installed host drivers into the Steam Runtime. This is the reason why it's significantly rarer that an old Steam game fails to launch on a new GPU, compared to the same scenario on Flatpak!
Ah - I totally missed the Nvidia-related bit! Thanks for flagging that.
That being said, based on the maintainers’ past stances, I’m pretty pessimistic on them actually implementing a fix like that. They’re very much against the general practice of poking holes in their sandbox security perimeter.
I really think if flatpaks were built upon nix, it would resolve these problems. It would however bring a new problem: people would have to learn forsaken nix 💀
It's not clear that it would, because the root problem is locking a package to a particular version of the nvidia drivers, which nix would not solve. Unless I am missing something?
That solution sounds like a no brainer. I assume it's easier said than done (and maintained) ?
Flatpak doesn't have a UI? It is a packaging format.
Flatpak: a system for building, distributing, and running sandboxed desktop applications on Linux.
Flatpak application: an application installed via the flatpak command or through a graphical interface, such as GNOME Software or KDE Discover.
Runtime: also called platform, an integrated environment providing basic utilities needed for a Flatpak application to work.
Flatpak bundle: a single-file export format containing a Flatpak application or runtime.
From https://docs.flatpak.org/en/latest/introduction.html#terminology
You might be thinking of AppImages, which are more of a pure file format.
Are you talking about theming?
I’m talking about the executable binary flatpak, which is the interface used to execute and manage applications distributed in the Flatpak bundle format.
https://docs.flatpak.org/en/latest/flatpak-command-reference.html#flatpak
Guess my next GPU will be AMD
Pretty fundementale broken IMHO. Its a security nightmare
Its a security nightmare
How so? Doesn't its sandbox offer superior security (under most circumstances) over most other solutions? Even in its relative infancy*.
The sand boxing is a distraction and doesn't matter if you downloaded malicious code
But how is it a security nightmare? Or did you mean "distraction", but chose to use "nightmare" for -I suppose- exaggeration (or similar/related reasons)?
doesn’t matter if you downloaded malicious code
Hmm..., please help me understand: say, I installed a flatpak that included malicious code. But, it required some permission to enact upon its maliciousness. Which, it never received. And thus, if my understanding is correct, it couldn't enact upon its maliciousness. How didn't Flatpak's security model not matter in this case? Apologies if I sound obnoxious (or whatsoever)*, but I'm genuinely trying to understand your case.
Flatpak doesn't verify signatures like normal package managers do
So the issue isn't that you downloaded a flatpak that included malicious code. The issue is that you downloaded a legit flatpak and ended up downloading malicious code because flatpak doesn't verify what it downloads
Ah okay, thanks for the clarification! I haven't delved deep into that aspect yet. But I've recently become aware of this unaddressed attack vector. And it is definitely something to worry about.
Unsure if it's solved anytime soon. But, if it is properly addressed and solved at some point in the future, would that (completely) redeem Flatpak's security model? Or, at least make it superior to what's found elsewhere?
They don't seem to give a shit about security. I think the well is poisoned. Best to just use apt
They don’t seem to give a shit about security. I think the well is poisoned.
Nah, I wouldn't go that far. That's like way too dramatic.
Best to just use apt
I will whenever apt doesn't (majorly) rely on backports for its security updates AND actually sandboxes its own packages. Zero Trust, FTW!
When a critical security bug is open for years on a project with plenty of funding to fix it..