this post was submitted on 28 May 2024
59 points (90.4% liked)
Linux
48404 readers
794 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
No cryptographic signature verification, like most package managers have
That doesn't seem to be true? https://flatpak-testing.readthedocs.io/en/latest/distributing-applications.html#gpg-signatures
The link you sent says that its an option that can be turned on or off. Also, that's for uploading. Doesn't say anytbify about verification of downloads.
From the page:
That is talking about downloading as well. Yes, you can turn it off, but so can you usually do it with native package managers, e.g. pacman: https://wiki.archlinux.org/title/Pacman/Package_signing
where does it say this applies to downloads too?
I'm confused why you think it would be anything else, and why you are so dead set on this. Repos include a signing key. There is an option to skip signature checking. And you think that signature checking is not used during downloads, despite this?
Ok, here are a few issues related to signatures being checked by default, when downloading: https://github.com/flatpak/flatpak/issues/4836 https://github.com/flatpak/flatpak/issues/5657 https://github.com/flatpak/flatpak/issues/3769 https://github.com/flatpak/flatpak/issues/5246 https://askubuntu.com/questions/1433512/flatpak-cant-check-signature-public-key-not-found https://stackoverflow.com/questions/70839691/flatpak-not-working-apparently-gpg-issue
Flatpak repos are signed and the signature is checked when downloading.
It's OK to be wrong. Dying on this hill seems pretty weird to me.
If its not documented, we shouldn't assume it has a security feature.
You know what else we shouldn't assume? That that it doesn't have a security feature. And we additionally then shouldn't go around posting that incorrect assumption as if it were a fact. You know, like you did.
Oh, we should absolutely assume that software does not have security features unless those features are clearly documented (and audited)...
Feel free to assume that, but don't claim an assumption as a fact.
You recommended using native package managers. How many of them have been audited?