• BananaTrifleViolin@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    1
    ·
    edit-2
    5 months ago

    It kind of makes sense except the vast majority of software in all distros is not being packaged by the developers, its being packaged by volunteers in the relevant project. Most software is being used on trust that it is built off the original code and not interfered with.

    Its very difficult for any distros to actually audit all the code of the software they are distributing. I imagine most time is spent making sure the packages work and don’t conflict with each other.

    The verified tick is good in flatpaks but the “hide anything not verified” seems a little over the top to me. A warning is good but most software is used under trust in Linux - if you’re not building it yourself you don’t know you’re getting unadulterated software. And does this apply to all the shared libraries on flathub? Will thebwarn you if your software is using shared libraries that ate not verified?

    And while Flatpak is a potential vector to a lot of machines if abused, it is also a sandboxed environment unlike the vast majority of software that comes from distros own repos.

    Also given the nature of Flatpaks, any distros could host its own flatpaks but everyone seems to use flathub. If they’re not going to take on the responsibility of maintaining flathub and its software then their probably needs to be some way of “verifying” packages not coming directly from the developers. Otherwise users may lose put on the benefits of a shared distros agnostic library of software.

    I get why mint are doing this but i think its a bit of a false reassurance. Although from mints point of view they would be able to take direct responsibility for the software they distribute in their own repos (as much as you can in a warrentyless “use as your own risk” system)