While this incident isn't good, I still think the setup is a ton better than Flathub, where you have flatpaks being maintained by third parties with no relationship to the software vendors. For example, all of the Jetbrains snaps are managed by a volunteer, as is Zoom (!)
Compromise one of those devs' personal computers, and you've now got a path to getting a backdoor out to everybody using those. I trust Canonical's security team over random volunteers.
I agree, FlatHub isn't ideal either. They also fail to make it clear that the flatpak isn't made by the developers of the software: the "developers" on the Zoom snap lists zoom.us, and the only potential indication that it might not be official is the "See details" link under "Publisher", which takes you to a GitHub contributors list.
How is a user supposed to decide whether they want to trust a flatpak published mainly by "flathubbot" (according to the page linked by FlatHub) and a bit by various other contributors with names like "TheEvilSkeleton" and "barthalion"? I have no idea.
Yes, but distributions provide a security layer, as well as source repositories. With flathub, binaries with no source code are being packaged up (albeit with scripts), and the process of pushing updates is quite easy.
Not really, distributions do not check every piece of code that is packaged and distributed.
I just meant that centralising distribution does not make things specifically safe either. Some form of audit over flathub would be nice though, but I personally much prefer projects open to community contributions.
It looks a lot like they are auditing what gets included very tightly. On the other hand, Flathub is all about convenience, and while I get where they're coming from, they've already shot themselves in the foot when it comes to credibility by allowing third parties to package binaries. If the sandboxes that flatpaks run in were really impenetrable, that'd matter much less, but they're not.
Flatpak is more like Docker than Snap. Flathub, an unaffiliated 3rd party that uses the Flatpak format and provides a Flatpak repo, allows people who aren't the official developers to publish packages to their repo.
It's because Zoom / Jetbrains haven't stepped up to package their software as flatpak, so volunteers got in there. There's a flathub policy that a flatpak project will be handed over to the vendor to maintain if they make that request - which is definitely good, but the fact of those volunteers being able to do this (however well intentioned) is not.
Yep. On top of that, some people just straight-up don't intend to port their software to Flatpak. There are a lot of unofficially supported packages (or incomplete ports) that will remain that way forever, which really makes Flatpak no better than the AUR in many respects.
The biggest problem IMO is that Flatpak coupled itself too closely with Bubblewrap. Flatpak is missing many key features because of this (support for running services???), and it makes zero sense in the context of a modern desktop. Apps like Flatseal should focus on sandboxing regular applications with Bubblewrap rather than trying to manage all of the software on its own. As-is, Flatpak is the last resort of packaging methods for all of my systems, even behind Snap.
> There is nothing stopping Canonical from offering a Flatpak based App Store that only contains approved and vetted apps.
I agree consolidation on a single format would be great. They have no incentive to make this switch though - most of the flak they're taking is about them being in control of their app store, rather than snap as a technology.