Flatpak doesn’t verify signatures like normal package managers do
So the issue isn’t that you downloaded a flatpak that included malicious code. The issue is that you downloaded a legit flatpak and ended up downloading malicious code because flatpak doesn’t verify what it downloads.
Ah okay, thanks for the clarification! I haven’t delved deep into that aspect yet. But I’ve recently become aware of this unaddressed attack vector. And it is definitely something to worry about.
Unsure if it’s solved anytime soon. But, if it is properly addressed and solved at some point in the future, would that (completely) redeem Flatpak’s security model? Or, at least make it superior to what’s found elsewhere?
They don’t seem to give a shit about security. I think the well is poisoned. Best to just use apt.