Hi,

This is a direct response to flatkill.org 2020.

I’ve heard a lot of misinformation about Flatpak spread by the community and by a website called flatkill.org. I took the time to write my own response with the help of Flatpak contributors and developers to debunk the claims of flatkill.org and to stop the spread of false information.

    • federico3@lemmy.ml · 4 years ago (edited)

      Still, nothing makes it trustworthy to end users. If I have to trust a random person on the internet to create a flatpak, it’s not more secure than running a binary found on 4chan.

      To provide acceptable security to all users a real software supply chain process is needed:

      • software and sandbox configuration from upstream developers need to be reviewed by a second pair of eyes: package managers
      • package managers’ work needs to be vetted as well, through peer review at least, or by more “senior” package managers
      • the people involved need to be vetted in the first place

      …which is a less meticulous version of what Debian does. Various large companies have similar processes for internal use.

      Another clarification: nothing prevents sandboxing applications deployed with deb or RPM packages. It’s routinely done for system daemons, for example, and by firejail and similar tools for applications.

      Also nothing prevents bundling dependencies inside a package when there’s a good reason to do so.
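
The comment above says that distro-packaged daemons are routinely sandboxed; the following is an added illustration of what that looks like in practice, not code from the thread or from any Flatpak or Debian project. It is a systemd drop-in for a hypothetical service named `example-daemon` (the unit name and the `/var/lib/example-daemon` state directory are assumptions) that confines a deb- or RPM-installed daemon without touching the package itself. Every directive is a documented systemd `[Service]` option:

```ini
# /etc/systemd/system/example-daemon.service.d/hardening.conf
# Drop-in for a hypothetical distro-packaged daemon (name is an assumption).
# It overlays the vendor unit shipped by the package and survives upgrades.
[Service]
# Block privilege escalation via setuid/setgid/fscaps binaries.
NoNewPrivileges=yes
# Root filesystem read-only except the paths listed in ReadWritePaths.
ProtectSystem=strict
ReadWritePaths=/var/lib/example-daemon
ProtectHome=yes
# Private /tmp and a minimal /dev with no physical devices.
PrivateTmp=yes
PrivateDevices=yes
# Kernel tunables, modules and cgroup tree are read-only.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# Only the socket families the daemon actually needs.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Seccomp allow-list: the system-service set, minus privileged/resource calls.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
# Empty bounding set: the daemon keeps no capabilities at all.
CapabilityBoundingSet=
AmbientCapabilities=
```

After `systemctl daemon-reload` and a restart, `systemd-analyze security example-daemon.service` scores the resulting unit and lists every directive still left open, which is the same kind of review a packager would do on a Flatpak manifest's permissions. For a graphical application from the same package source, the equivalent would be a firejail profile or an invocation such as `firejail --private --net=none <app>`; the choice of profile still needs a reviewer, exactly as the comment argues.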