
Security of verified apps #4855

Closed
Adam- opened this issue Jan 12, 2024 · 12 comments
Labels
access-request Request to add new maintainers to app repositories

Comments

@Adam-

Adam- commented Jan 12, 2024

I want to verify my app https://github.com/flathub/net.runelite.RuneLite; however, verification in Flathub appears to be app-wide instead of per-build, and there are multiple people who I don't know that have write access to this repository. So verifying the app essentially permits these people to publish "verified" versions of my app, which I'd like to avoid.

Is it possible to do any of:

  1. move the github repository to my github org
  2. publish the flatpak from a repository in my github org. It looks like both OBS and Firefox do this already, but this comment on "Provide GitHub actions to publish to Flathub and Flathub Beta" #3281 looks like it is a private-only feature?
  3. allow me to verify specific builds of the app, instead of the entire app
  4. remove the other users from the repository

For number 4, I do not understand what would prevent other random people from being added back to the repository at a later point. As far as I can tell you can just request access to a repository and are granted access, which is not secure and is unacceptable for my app.

I have read through the docs fairly closely. https://docs.flathub.org/docs/for-app-authors/verification/#id-like-to-verify-my-app-that-someone-else-already-published has a promising-looking mention that I need to "gain ownership" of my app; however, the link on the page 404s. From reading the other pages, I think it should be linking to https://docs.flathub.org/docs/for-app-authors/submission/#someone-else-has-put-my-app-on-flathubwhat-do-i-do - which instructs me to email the "flathub admins" at flathub@lists.freedesktop.org. I have done this, twice, most recently on Dec 26 2023, but I have received no reply.

My proof is the https://github.com/runelite github org has verified https://runelite.net and also I am in the org https://github.com/orgs/runelite/people.

@bbhtt
Contributor

bbhtt commented Jan 12, 2024

There's no way to verify individual builds.

You're looking for direct uploads, which should be made available sometime this year https://discourse.flathub.org/t/flathub-in-2023/3808#direct-uploads-12. With this you can generate a token from Flathub and build and push the app from your repo/CI to flathub.

Only Flathub admins can add or remove people from this GitHub org. We won't add someone who isn't a previous contributor, doesn't have some relationship with upstream, or isn't trusted in the Flathub/Flatpak community. Also, new people are added upon the previous maintainer's wish or if the package is lacking maintenance. So it isn't exactly "random".

Right now, if you wish, you can be added to https://github.com/flathub/net.runelite.RuneLite as a collaborator, which gives you all write access except repo settings.

> which instructs me to email the "flathub admins" at flathub@lists.freedesktop.org.

The list is inactive, it really should be removed.

> the link on the page 404s.

I’ll fix it.

@Adam-
Author

Adam- commented Jan 12, 2024

> Only Flathub admins can add or remove people from this Github-Org. We won't add someone who isn't a previous contributor or has some relationship with upstream. So it isn't exactly "random".

> Right now, if you wish, you can be added to https://github.com/flathub/net.runelite.RuneLite as a collaborator, which gives you all write access except repo settings.

I am a collaborator on the repository already, which someone set up some years ago for me (I did not request it directly; I am not sure of the process for it). However, there are at least 2 other people I know of who have collaborator access to the repo that I do not know at all and who definitely have no relationship to upstream.

> You're looking for direct uploads, which should be made available sometime this year https://discourse.flathub.org/t/flathub-in-2023/3808#direct-uploads-12. With this you can generate a token from Flathub and build and push the app from your repo/CI to flathub.

This looks promising. I may then just wait until this is completed and then migrate my project to that, and hold off verifying for now.

@bbhtt
Contributor

bbhtt commented Jan 12, 2024

They were involved with the original submission of the flatpak, #489; submitters get access.

@Adam-
Author

Adam- commented Jan 12, 2024

I see. Can you remove everyone who isn't on https://github.com/orgs/runelite/people and then also add abextm and Nightfirecat?

@hfiguiere
Contributor

Here is who has write access to that repository:

[image: screenshot of the repository's write-access list]

trusted-maintainers are Flathub. Includes me and bbhtt. And this is not an option.

As for the verification process, you remain mistaken in what it does. It is just a verification that indicates the origin, i.e. the upstream maintainers verified the relation with the package.

There is no "per build verification". But builds are reproducible (mostly), so you can check that the manifest produces the same thing on both.

I have invited the two users you requested, since they are on the list of the org. (due diligence, sounds reasonable).

@Adam-
Author

Adam- commented Jan 12, 2024

> As for the verification process you remain mistaken in what it does. It is just a verification the indicate the origin, ie the maintainers upstream verified the relation with the package.

We do not want to verify the package with third parties (non RuneLite or Flathub) having write access since we cannot ensure they will not include code not of our origin.

@hfiguiere
Contributor

The manifest is a source of truth. It uses checksums for the tarballs and other sources, or git. All the patches (there are none here) are clearly visible. As for the extra appstream file, .desktop and icon (that are necessary), you could manage them upstream (like they should be).
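An added example (not Flathub's tooling and not the RuneLite manifest) of what "the manifest is a source of truth" means in practice, and of the check the earlier comment alludes to when it says the manifest can be verified to produce the same thing on both sides: the script below walks a constructed flatpak-builder manifest and flags sources whose bytes flatpak-builder cannot pin, i.e. remote archives or files without a sha256/sha512, git sources pinned to a tag or branch rather than a full commit, and script/inline sources whose content lives in the manifest itself and so must be reviewed in the repo diff. It also shows the checksum comparison flatpak-builder performs on a fetched artifact. The manifest, the example.invalid URLs, the empty app.sh file and all function names are this example's own assumptions.

```python
"""Audit a flatpak-builder manifest for sources that are not pinned to immutable content.

Added example for this thread; not Flathub's or RuneLite's own tooling. The manifest
below is constructed for illustration and is not the real net.runelite.RuneLite manifest.
"""
import hashlib
import json
import os
import tempfile

# Constructed sample manifest. flatpak-builder accepts JSON or YAML; JSON is used
# here so the example needs only the standard library.
SAMPLE_MANIFEST = json.loads(r"""
{
  "app-id": "com.example.App",
  "runtime": "org.freedesktop.Platform",
  "runtime-version": "23.08",
  "sdk": "org.freedesktop.Sdk",
  "command": "app",
  "modules": [
    {
      "name": "app",
      "buildsystem": "simple",
      "build-commands": ["install -Dm755 app.sh /app/bin/app"],
      "sources": [
        {"type": "file", "url": "https://example.invalid/app.sh",
         "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
        {"type": "git", "url": "https://example.invalid/app.git", "tag": "v1.0"},
        {"type": "archive", "url": "https://example.invalid/dep.tar.gz"},
        {"type": "file", "path": "com.example.App.desktop"},
        {"type": "script", "commands": ["exec /app/bin/app-real \"$@\""], "dest-filename": "app"}
      ],
      "modules": [
        {"name": "nested-dep",
         "sources": [{"type": "git", "url": "https://example.invalid/dep.git",
                      "commit": "0123456789abcdef0123456789abcdef01234567"}]}
      ]
    }
  ]
}
""")

REMOTE_CONTENT = ("archive", "file", "extra-data")  # source types fetched by URL
HASH_FIELDS = ("sha256", "sha512")                  # checksum keys flatpak-builder verifies


def iter_sources(modules, parent=""):
    """Yield (module name, source dict) for every source, recursing into nested modules."""
    for module in modules:
        if isinstance(module, str):
            # A string entry references another manifest file; audit that file separately.
            continue
        name = module.get("name", "?") if not parent else f"{parent}/{module.get('name', '?')}"
        for src in module.get("sources", []):
            yield name, src
        yield from iter_sources(module.get("modules", []), name)


def audit_manifest(manifest):
    """Return (module, reason) findings for sources a reviewer should not trust blindly.

    A source counts as pinned when flatpak-builder can verify its bytes: remote
    archives/files need a sha256/sha512, git sources need a full commit (a tag or
    branch can be moved), and local "path" files are tracked in the repo itself.
    """
    findings = []
    for module, src in iter_sources(manifest.get("modules", [])):
        stype = src.get("type")
        if stype in REMOTE_CONTENT and "url" in src:
            if not any(field in src for field in HASH_FIELDS):
                findings.append((module, f"{stype} {src['url']} has no checksum"))
        elif stype == "git":
            if "commit" not in src:
                ref = src.get("tag") or src.get("branch") or "HEAD"
                findings.append((module, f"git {src['url']} pinned to mutable ref {ref!r}"))
        elif stype in ("script", "shell", "inline"):
            # Content lives in the manifest itself: every change shows in the repo diff.
            findings.append((module, f"{stype} source embeds build-time content; review inline"))
    return findings


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, src):
    """Compare a fetched artifact against the manifest's sha256, as flatpak-builder does."""
    return sha256_of_file(path) == src.get("sha256")


def demo_verify_empty_file():
    """Constructed check: an empty app.sh matches the sha256 recorded in SAMPLE_MANIFEST."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.sh")
        open(path, "wb").close()
        return verify_download(path, SAMPLE_MANIFEST["modules"][0]["sources"][0])


if __name__ == "__main__":
    for module, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{module}] {reason}")
    print("app.sh matches manifest:", demo_verify_empty_file())
```

Run against the real manifest with `json.load(open("net.runelite.RuneLite.json"))` in place of the constructed sample (or a YAML loader for `.yml` manifests); an empty findings list means every byte that ends up in the build is either hashed, pinned to a commit, or tracked in the Flathub repo's own history, which is exactly the property the comment above relies on.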

@Adam-
Author

Adam- commented Jan 12, 2024

> The manifest is a source of truth. It uses checksum for the tarballs and other sources, or git. All the patches (there are none here) are clearly visible. As for the extra appstream file, .desktop and icon (that are necessary) you could manage them upstream (like they should).

The concern is what if someone changes the manifest, not whether or not the manifest itself is secure. Right now the manifest is correct, but we can't show that it will be in the future.

@Adam-
Author

Adam- commented Jan 12, 2024

A good intermediate step would be to remove the two people in this screenshot, Steve and AsciiWolf, since they are not in my org.

@hfiguiere
Contributor

The only way to change the manifest is by committing to the repository. It is visible, public, and probably easier to spot than on a big code base that also has dependencies.

@barthalion
Member

Hey @AsciiWolf @rushsteve1, I have removed your write permissions as per Adam's request. Thank you for contributing and maintaining the app thus far, it's much appreciated!

Adam, we're still working on point 2 to make point 1 possible. You're right that it's somewhat private for now; there will be an announcement on Discourse and our blog when it's generally available.

@Adam-
Author

Adam- commented Jan 12, 2024

Thank you!

@bbhtt bbhtt added the access-request Request to add new maintainers to app repositories label Feb 16, 2024