• FizzyOrange@programming.dev (8 upvotes, 5 days ago)

    that they would disclose on their website

    Wouldn’t it make more sense then for them to simply host the Flatpak themselves? I kind of thought that was the whole idea of Flatpak.

    • Kazumara@discuss.tchncs.de (7 upvotes, 5 days ago)

      Best to do both, really, so a record of using a consistent public key is created.

      Then supply chain attacks might be noticed. If someone manages to replace the file on the webserver but can’t get to the signing key, you’ve prevented the attack.
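The check Kazumara describes, as an added example that is not code from either commenter or from Flatpak itself: the project signs the artifact with a key that never touches the web server, publishes only the public key, and the client verifies downloads against the key it pinned earlier rather than anything served next to the file. The Ed25519 keys, the `Release` and `Publisher` types, the constructed artifact bytes and the scenario names are all assumptions made for this illustration; a real Flatpak remote signs OSTree commits rather than a bare file, but the trust decision is the same.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download server hosts: the artifact and a detached
// signature over it. Anyone who can write to that server can change both.
type Release struct {
	Artifact  []byte
	Signature []byte
}

// Publisher keeps the private signing key off the web server; only the
// public half is ever published (for example on the project website).
type Publisher struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{priv: priv, Pub: pub}, nil
}

// Sign produces the release the server will host. Ed25519 signs the raw
// message, so no separate hashing step is needed for a short artifact.
func (p *Publisher) Sign(artifact []byte) Release {
	return Release{Artifact: artifact, Signature: ed25519.Sign(p.priv, artifact)}
}

// Fingerprint is the short key hash a project would print on its website so
// users can compare it with the key they pinned.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// VerifyRelease is the client-side check. It trusts only the key the client
// pinned earlier, never a key served alongside the download, so swapping the
// artifact, the signature, or both on the web server is not enough.
func VerifyRelease(pinned ed25519.PublicKey, r Release) bool {
	if len(pinned) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pinned, r.Artifact, r.Signature)
}

// Result records whether each constructed scenario passes verification.
type Result struct {
	Genuine    bool // untouched release, original signature
	Tampered   bool // artifact replaced on the server, original signature kept
	Resigned   bool // artifact replaced and re-signed with the attacker's own key
	PinnedFP   string
	AttackerFP string
}

// RunScenarios plays out the three cases with constructed sample bytes.
func RunScenarios() (Result, error) {
	project, err := NewPublisher()
	if err != nil {
		return Result{}, err
	}
	attacker, err := NewPublisher() // hypothetical attacker who never got the project key
	if err != nil {
		return Result{}, err
	}
	pinned := project.Pub // what the client recorded at first install

	artifact := []byte("app-1.2.3.flatpak: constructed sample bytes")
	release := project.Sign(artifact)

	// The attacker can write to the web server but not to the signing key.
	backdoored := bytes.Replace(artifact, []byte("1.2.3"), []byte("1.2.3-evil"), 1)

	return Result{
		Genuine:    VerifyRelease(pinned, release),
		Tampered:   VerifyRelease(pinned, Release{Artifact: backdoored, Signature: release.Signature}),
		Resigned:   VerifyRelease(pinned, attacker.Sign(backdoored)),
		PinnedFP:   Fingerprint(project.Pub),
		AttackerFP: Fingerprint(attacker.Pub),
	}, nil
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("pinned key %s, attacker key %s\n", r.PinnedFP, r.AttackerFP)
	fmt.Printf("genuine release verifies:             %v\n", r.Genuine)
	fmt.Printf("replaced file, original signature:    %v\n", r.Tampered)
	fmt.Printf("replaced file, re-signed by attacker: %v\n", r.Resigned)
}
```

The third case is why publishing the key in a second place matters: a re-signed file is internally consistent (its signature really does match some key), and a client that accepted whatever key sat beside the download would be fooled. Only the record of which key the project has consistently used lets the mismatch show up.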