A statement concerning the Fedora and Flathub relationship from the FPL – Fedora Community Blog
Posted by ashleythorne64@reddit | linux | 32 comments
darkjackd@reddit
Wake me up when fedora gives up on running their own flatpak repository. Save NIH for Ubuntu.
ExaHamza@reddit
You people are difficult to understand: you criticize Snap in contrast to Flatpak because, among other reasons, it is possible to have other instances for apps, and now you are nervous about a Flatpak repository that you don't use? What kind of falsehood is this?
NightH4nter@reddit
It's not NIH, it's different approaches. Basically, the Fedora Flatpak repo is security first and Flathub is functionality first.
mrlinkwii@reddit
Isn't this the point of Flatpak, to have multiple sources?
I remember that on this subreddit, during the "snap bad, flatpak good" saga, it was a selling point of Flatpak.
AlternativePaint6@reddit
Ultramarine Linux should really be talked about more. It's just Fedora but with RPM Fusion pre-installed and full Flathub support out-of-the-box.
ashleythorne64@reddit (OP)
NIH exists literally everywhere. Ubuntu has their own tech stacks, Red Hat has their own tech stacks (that tend to get better adoption by others, but still is NIH at its creation). BSDs, Windows, macOS, all have NIH tendencies.
I also fail to see the reason why only Flathub should be allowed to distribute Flatpak apps. Flatpak is a decentralized format. It's good to have another option in case of enshittification, outages, for those who prefer fully FOSS software, and who really care about security.
Business_Reindeer910@reddit
I think a lot of people have more problem with fedora using their own runtimes more than their own repo.
JockstrapCummies@reddit
OMG THIS IS NIH! DISGUSTING BEHAVIOR! ONLY FLATHUB CAN RUN A FLATPAK REPO!
OMG THIS IS WALLED GARDEN LOCK-IN! DISGUSTING ANTI-FREEDOM! POO POO PEE PEE!
I'll never understand the Flathub supremacists.
AnsibleAnswers@reddit
How is Fedora hosting a Flatpak repo any different than them hosting RPM repos? You’re not locked into that repo like you are with Snap.
I tend to prefer Fedora Flatpaks for the simple fact that they all share the same platforms. In aggregate, they take up less of my local storage. If they don’t work, I know to submit a bug report to Fedora. I also know how to uninstall and reinstall the Flathub version if need be.
mrtruthiness@reddit
I think Flathub is going to bite quite a few people. I think there are a lot of users that don't understand that "verified" does not mean "safe". I've seen too many packages on Flathub that are "verified" even though the authors are essentially anonymous (no actual name, no actual name in the copyrights section of the code, only a linked github account and an e-mail address) that are essentially not contained.
MyNameIs-Anthony@reddit
Flathub builds from the source. The maintainers are largely just people pointing to new links rather than doing anything themselves.
mrtruthiness@reddit
I'm not worried about that aspect. For that, I'm fine with the "verified" tag.
For example, I'm pretty sure that the Exodus app on Flathub is fake and it is there to steal people's cryptowallets. But it's "unverified" so people deserve that. There's even an issue on the GitHub account that says that Flathub says it's unverified. IMO it's clear to me that it's a scam. By the way, a scam with this app, reportedly, already succeeded in the Snap store.
I'm more worried about apps like sshPilot:
The author is anonymous (mFat aka Mehdi) and they even use the mfat alias for the copyright owner.
It's linked to an anonymous github account (mFat and/or Mehdi). The source is there.
It's "verified". The fact that it's "verified" means only that the source is from that github account and that this anonymous person is the owner.
It is not sandboxed at all and deals in sensitive information (server names/IP's, usernames and passwords [if typed]).
MyNameIs-Anthony@reddit
And you can just check and see that the Flathub entry for Exodus only pulls from the official repository.
https://github.com/flathub/io.exodus.Exodus/blob/master/io.exodus.Exodus.json
Nothing is being inserted or injected.
mrtruthiness@reddit
Interesting. I guess you're right that the Exodus app on flathub is not "fake".
Nonetheless:
It is unverified: https://flathub.org/en/apps/io.exodus.Exodus
Nobody has properly answered this issue from Sept 6th: https://github.com/flathub/io.exodus.Exodus/issues/245 . Pointing to the verified tag for https://github.com/flathub only shows flathub owns it.
So: Am I to understand that exodus did not create the manifest or the flathub/io.exodus.Exodus repository? Am I to understand that flathub authorized that flatpak and not Exodus.com ???
If so, I would like to inform you and Flathub that they are in violation of Exodus' copyright and terms of service. https://www.exodus.com/legal/exodus-tos-20250704-v36.pdf . I don't care if Flathub isn't technically redistributing, they are still bypassing Exodus' "license" and "terms of use" page (which is a violation) and they are using and redistributing the proprietary logo and the Exodus trademark.
The actual github for exodus is: https://github.com/exodusmovement . Did you ever wonder why they don't release it as a flatpak themselves?
MyNameIs-Anthony@reddit
Because it's a non-zero effort.
mrtruthiness@reddit
Did you read what I wrote??? The copyright violations are:
Bypassing Exodus' license and terms of service.
There are copyrighted logos and trademarks in the flathub account on github.
Both are violations of US copyright law.
eggbart_forgetfulsea@reddit
I invite you to verify how many pieces of software in all of the extant distributions are forensically checked by the relevant downstream package maintainers. Do you know the identity of the primary authors of the thousand or more packages that are installed on your system?
If you don't trust the authors of the software contained in your chosen distribution (not the maintainers), you're almost entirely out of luck.
mrtruthiness@reddit
Most distros separate the developer role from the maintainer role. Do maintainers perform a detailed audit? Of course not. But they certainly examine the diff before changes enter the distro repository.
mrlinkwii@reddit
You would hope so, yes, but that isn't always the case.
ebassi@reddit
No, they most certainly do not. That’s not a thing that happens even for the most trivial of packages, let alone for the big ones—Firefox, LibreOffice, Blender, etc.
Most distributions moved to automation to package complex software, which removes even more chances of going over diffs.
On average, in basically all distributions that are not a toy, the only code review happens when a new package lands in the repository; any update is entirely deferred to the packager, and doesn’t see any review except in cases where things break horribly. Not even packaging changes are subject to review anywhere.
People have this weird perception of Linux distributions, like they are small labours of love by people with a deep knowledge of all software being included; that is not a thing, and it hasn’t been a thing for nearly three decades. It cannot possibly be a thing if you think about it for more than five minutes:
eggbart_forgetfulsea@reddit
Why do you think that's true? Here are the stats for one of the most popular apps on Flathub:
https://github.com/mozilla-firefox/firefox/compare/ca2ec1f19a8ef81e2c5ec6b637e241b40468adfa...main
That's one week.
Find me a downstream maintainer that could read and understand the implication of all of the changes between one build of a Firefox package and the next. Even among the major distributions with healthy maintainer bases, it's normal for one person to be packaging dozens of different packages.
Jegahan@reddit
The same is true for Flatpak. You can even find devs that maintain both distro packages and flatpaks on Flathub saying that Flathub is more stringent.
mrtruthiness@reddit
No it's not. By "diffs" I'm talking about the "Updates" section. Diffs of the manifest/permissions as well as the metadata (name, license, ...) are looked at ... but nobody looks at the diffs in the actual code.
DrinkyBird_@reddit
Most people don't even know verification exists. They use KDE Discover or GNOME Software where verification is literally a 16x16 icon, and there is no indication of when a package isn't verified. Users are actively deceived into thinking even unverified packages are official, since it credits the author of the software and links to their site, but not who maintains the Flatpak or where to report bugs with it. Software developers waste time dealing with users using broken packages they don't support, and the Flatpak maintainers find out their packages are broken. (Ask me how I know.)
Happy_Phantom@reddit
I think I will always prefer a distribution's package manager due to source code (source repositories) availability and transparency. Containers do have their advantages and some software is only now available this way. As long as the flatpaks originate from the developers themselves, and their source forge of choice has the source code available for inspection, then I believe the flatpak is safe for use.
mrtruthiness@reddit
Who says "the developer" is not introducing malware?
Do you have your Flatpak system set to auto-update ... or would you update manually without looking at the changes in the source? If so: Would you dare install sshPilot? It's verified, although the author is anonymous. The source is there. Flathub correctly says there is no real containment ("Can acquire arbitrary permissions"). There is nothing in place to stop this anonymous person/developer (known only as mfat or Mehdi) from introducing malware into the code at any time they wish. I'm not saying mfat/Mehdi is a bad actor, but I'm saying that it's a distinct possibility. And there are many more examples.
natermer@reddit
If the developer is introducing the malware then there isn't anything done on the distribution packaging level that is going to stop it.
If you use somebody's software you are going to need to trust them, full stop.
Hot-Employ-3399@reddit
If this were true, fractureiser (malware in infected Minecraft mods) would affect Flatpak users the same way it affects naive people who believe security is irrelevant.
mrtruthiness@reddit
Most distros separate the developer role from the maintainer role. Do maintainers perform a detailed audit? Of course not. But they certainly examine the diff before changes enter the distro repository.
natermer@reddit
Arguably the situation is worse if you are an Ubuntu user that is using Multiverse, Universe, and PPA repositories. I always wonder about the number of people satisfied with using LTS releases of Ubuntu on their desktop who don't realize that Multiverse/Universe packages are not actually supported by anybody other than "the community".
Or if you are a Arch user that is using AURs or Fedora user if you are using COPRs.
Those are probably worse options from a security/sustainability situation.
People are going to have to learn to accept that distributions never will be able to package all the software under the sun. Like if I had to depend 100% on distro packaged software I literally couldn't do my job.
And it is a simple reality that the vast majority of RPM or Deb packages that do exist don't have anywhere near the same level of scrutiny or security assurance that a lot of people think they have.
High profile packages get a lot of attention and distribution maintainers follow the security lists and subscribe to things like that. Systemd, Linux kernel, Nginx, OpenSSL, Firefox, and things of that nature get a lot of attention.
But the tens of thousands of smaller and more niche software packages? They use automation to pull from upstream release tarballs or git repos and build them and ship them. It is up to end users to report issues on them. It is really the users that are the source of actual QA beyond just getting the packages to build.
Ideally we get to the point where packaging is done upstream. A lot of "community packages" in Flatpak are a stop gap. Just like most of the reason that Fedora's Flatpak repo existed was as a stop gap.
However, if you get upstream to do the packaging and just rely on distributions and users to help advise and document how to do that properly and to report issues, then that is going to be superior, security-wise, to most distribution package repositories.
mrtruthiness@reddit
That's not true for "Universe". But what you say is true in regard to Multiverse and PPA. Which is exactly why I don't use them.
That doesn't make it good. It's why I wouldn't use AURs on Arch and COPRS on Fedora.
Certainly. And they're going to have to understand the security risks associated with the packages they do use. For example: Would you use or recommend to someone that they use sshPilot???
I believe that Flathub needs to be more clear about what "verified" doesn't mean: It doesn't mean that Flathub verifies that the application is secure. The author of sshPilot indicated in a reddit post (that looked suspiciously like it was set up by a shill; the author of the original question removed their account) [ https://www.reddit.com/r/devops/comments/1notict/heres_my_little_gift_to_the_devops_community/nfumb9k/ ]:
AFAICT:
In the case of "verified", flathub checks that the application was made by the developer and that the source comes from their github (or gitlab ...) account.
Flathub does check the manifest, license, and makes sure the application needs the listed exceptions for the container. In the case of sshPilot ... it really isn't contained at all.
There are no checks at all for any code changes that the developer pushes. The only checks are with regard to changes to the container/manifest.
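The two checks the comments above keep coming back to (does the Flathub manifest only pull from the official upstream repository, and do the finish-args leave any real containment) can be made mechanical. The following is an added example, not code from this thread, from Flathub or from any app named here. The manifest it inspects is constructed: the app id, URLs and hashes are placeholders. It only uses the standard library and runs offline; on a real system you would take the manifest from the flathub/<app-id> repository on GitHub and compare the installed permissions with `flatpak info --show-permissions <app-id>`.

```python
"""Offline checks on a Flathub-style flatpak manifest.

Added example; not code from the Reddit thread, Flathub or any app named
there. SAMPLE_MANIFEST is CONSTRUCTED: app id, URLs and hashes are
placeholders. It answers two questions: do all sources come from the
expected upstream, and do the finish-args leave a real sandbox?
"""
import json

# Constructed manifest shaped like a flatpak-builder JSON manifest.
SAMPLE_MANIFEST = r'''{
  "app-id": "com.example.DemoApp",
  "runtime": "org.freedesktop.Platform",
  "runtime-version": "24.08",
  "sdk": "org.freedesktop.Sdk",
  "command": "demoapp",
  "finish-args": [
    "--share=ipc",
    "--socket=wayland",
    "--socket=fallback-x11",
    "--filesystem=home",
    "--talk-name=org.freedesktop.Flatpak"
  ],
  "modules": [
    {
      "name": "demoapp",
      "buildsystem": "simple",
      "build-commands": ["install -Dm755 demoapp /app/bin/demoapp"],
      "sources": [
        {"type": "archive",
         "url": "https://github.com/example-upstream/demoapp/releases/download/v1.2.0/demoapp-1.2.0.tar.gz",
         "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
        {"type": "file",
         "url": "https://cdn.example.net/helper.bin",
         "sha256": "1111111111111111111111111111111111111111111111111111111111111111"},
        {"type": "git",
         "url": "https://github.com/example-upstream/demoapp.git",
         "tag": "v1.2.0"}
      ]
    }
  ]
}'''

# finish-args that make the sandbox cosmetic: the org.freedesktop.Flatpak
# bus name lets the app run commands on the host (flatpak-spawn --host),
# unrestricted bus access includes that, and host filesystem / all-device
# access speak for themselves.
ESCAPE_ARGS = {
    "--filesystem=host", "--filesystem=host-os", "--filesystem=host-etc",
    "--device=all", "--talk-name=org.freedesktop.Flatpak",
    "--socket=session-bus", "--socket=system-bus",
}


def iter_sources(manifest):
    """Yield (module name, source dict) for every source, nested modules included."""
    for mod in manifest.get("modules", []):
        if not isinstance(mod, dict):
            continue  # a string refers to another manifest file; cannot resolve offline
        for src in mod.get("sources", []):
            yield mod.get("name", "?"), src
        yield from iter_sources(mod)


def foreign_sources(manifest, trusted_prefixes):
    """Sources whose URL is not under any expected upstream URL prefix."""
    return [(name, src["url"]) for name, src in iter_sources(manifest)
            if "url" in src and not src["url"].startswith(tuple(trusted_prefixes))]


def unpinned_sources(manifest):
    """Downloads without a hash, or git sources without a commit (tags can move)."""
    out = []
    for name, src in iter_sources(manifest):
        kind = src.get("type")
        if kind in ("archive", "file") and not (src.get("sha256") or src.get("sha512")):
            out.append((name, src.get("url")))
        elif kind == "git" and not src.get("commit"):
            out.append((name, src.get("url")))
    return out


def sandbox_escapes(manifest):
    """finish-args that amount to 'can acquire arbitrary permissions'."""
    return sorted(a for a in manifest.get("finish-args", []) if a in ESCAPE_ARGS)


def broad_filesystem(manifest):
    """Wide filesystem grants that are not outright escapes (e.g. the whole home dir)."""
    return sorted(a for a in manifest.get("finish-args", [])
                  if a.startswith("--filesystem=") and a not in ESCAPE_ARGS)


def assess(manifest_text, trusted_prefixes):
    """Parse a manifest and return all findings as a dict."""
    m = json.loads(manifest_text)
    return {
        "app_id": m.get("app-id") or m.get("id"),
        "foreign_sources": foreign_sources(m, trusted_prefixes),
        "unpinned_sources": unpinned_sources(m),
        "sandbox_escapes": sandbox_escapes(m),
        "broad_filesystem": broad_filesystem(m),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_MANIFEST, ["https://github.com/example-upstream/"]).items():
        print(f"{key}: {value}")
```

On the constructed manifest this reports one source fetched from outside the upstream prefix, one git source pinned only by a movable tag, the org.freedesktop.Flatpak bus grant (which is what "Can acquire arbitrary permissions" boils down to), and a whole-home filesystem grant. Note what it does not do: it says nothing about the code inside the pinned tarball, which is exactly the gap the thread is arguing about.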
OsgoodSlaughters@reddit
All my homies hate flatpak