New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensuring integrity of flatpaks on flathub #1498
Comments
Here you're talking about reproducible builds, which are mostly outside the scope or control of Flatpak but are being worked on in the broader community. One thing that is in scope for Flatpak is checking if a built flatpak is reproducible; see flatpak/flatpak-builder#251 Note also that Flathub builds happen on Flathub servers, unlike Debian which allows developers to upload binaries (last I checked). However a Flathub maintainer is still responsible for pointing to the correct sources.
Flatpak does verify the integrity of files as it is downloading/installing them. For ostree remotes this is done using GPG signatures (which are better than mere checksums). If you want to see the commit ID (which is like a checksum) for something on flathub use e.g.
We don't check the integrity of installed files when using them because that would be resource intensive, but one could check manually with the
Right, more strongly verifying source files when building flatpaks would be a step forward, but as you point out we already have an issue for that so no need for a duplicate. |
I don't have permission to but I think we can close this; it's essentially a duplicate of a few issues as I said above. |
It looks like flatpak and flathub currently don't have a comprehensive system for verifying downloaded files built in. Checksums of the files are only compared to sha256 hashsums specified in json files like this.
However:
It's important to verify the downloaded files because maintainers of a flatpak package might not be the authors or official maintainers of a software or the the build- and flathub rollout-process might have resulted in flawed files (due to a mistake or software or hardware issues). Furthermore, for security software-providers should be untrusted inherently and the integrity of files be checked by technical means. Data integrity is a really important part of software distribution; I'll cite from the Wikipedia article:
Here is some information on how data integrity of packages is currently being ensured on Debian. And here the same for apt-get. Using flatpak/flathub instead of a package-manager using apt-get and official repositories would mean a substantial decline of security (and definitely not increased security despite of the sandboxing features).
A thorough system of data integrity verification would include GPG verification as already outlined previously here where Alexander Larsson wrote:
The complete file verification system would ensure that:
Flatpak with flathub could revolutionize Linux app distribution, making things easier/more convenient, more up-to-date, more widely available, more consistent and possibly even more secure. However, this issue with both flatpak and flathub imo stand in the way of this. Hence I'd consider this the top priority issue, even more important than any major bugs.
There already (or rather: still) is an open issue for this at flatpak here: https://github.com/flatpak/flatpak/issues/16
The text was updated successfully, but these errors were encountered: