• Rentlar@lemmy.ca
    link
    fedilink
    arrow-up
    86
    ·
    7 months ago

    It’s the GUI software manager, I think the LM developers should get a pass at curating selections for users who wouldn’t know any better.

    I personally think they can make it a total non-issue if they put in “some unverified results hidden, see settings to change”.

  • Eugenia@lemmy.ml
    link
    fedilink
    English
    arrow-up
    67
    arrow-down
    2
    ·
    7 months ago

    I actually agree with Linux Mint’s decision. You can not trust any random upload. Either it’s an official/verified upload, or it shouldn’t be there at all (or it should be a separate app for those who want it). That’s why in my system, I only install from the official debian repos and not the community ones. I just don’t trust random anonymous uploaders.

  • thingsiplay@beehaw.org
    link
    fedilink
    arrow-up
    62
    arrow-down
    2
    ·
    edit-2
    7 months ago

    Examples of unverified apps:

    … these would be hidden by default. Is any of these applications dangerous or a security risk to the system / user?

    Linux Mint:

    Unverified Flatpaks represent a huge security risk.

    I personally don’t like this. This is not really true and in worse case even misleading and giving a false sense of security. If an app represents a huge security risk, why in the first place is it allowed in the repository? Unverified does not mean its a security risk, this is their interpretation of it. Unverified simply means, it is not verified by the original author.

    Create a fork of an app and verify your website with the fork in Flatpak. The system is already broken. Another point is, that lot of unverified apps are just normal apps, as this is the way applications are handled in Linux. We have the right to create alternative versions of the programs and the verification badge will show that. There is no point in hiding alternatives. By doing so, it undermines a reason why we use GPL and Open Source. And what about apps where the original author does not care, but was brought to Flatpak by a community member?

    Flathub:

    It’s similar failure to what Flathub does on their site too, but for another thing.

    Potentially unsafe: Full file system read/write access; Can access some specific files

    Even though LibreOffice is verified, it is marked as potentially unsafe application on Flathub.

    • GregorGizeh@lemmy.zip
      link
      fedilink
      arrow-up
      32
      arrow-down
      4
      ·
      edit-2
      7 months ago

      I think it is a stupid change myself, but as far as I (recent Linux convert) can tell, mint is considered the go to distro for people coming freshly over from windows, and decidedly caters to beginners. A default setting for maximum user protection makes sense for that.

      • GolfNovemberUniform@lemmy.ml
        link
        fedilink
        arrow-up
        15
        arrow-down
        2
        ·
        7 months ago

        Being unable to install 90% of the popular apps without diving into settings does not make sense for a beginner-focused distro whatsoever

        • GregorGizeh@lemmy.zip
          link
          fedilink
          arrow-up
          5
          arrow-down
          1
          ·
          7 months ago

          Well I agreed that it is an ultimately bad change, but I can see how the beginner mode mentality would lead to this conclusion. Provide the new user with the most stable and bug free experience possible, and after some time they will probably turn that setting off on their own to get all that popular software.

      • Fizz@lemmy.nz
        link
        fedilink
        arrow-up
        10
        ·
        7 months ago

        Yes but also these people are coming over from windows and this is their first experience with linux. They should have these apps available to them so they dont think oh linux has no apps.

        • boredsquirrel@slrpnk.net
          link
          fedilink
          arrow-up
          3
          ·
          7 months ago

          Especially as many Flatpaks are already working better than Ubuntu apps. I had this with SciDAVis, where the Ubuntu version was just broken and gave me tons of troubles.

          Flatpak is a blessing

        • plumbercraic@lemmy.sdf.org
          link
          fedilink
          arrow-up
          13
          ·
          7 months ago

          I’ve seen many articles, comments and videos praising mint for being friendly to users coming from windows. It looks nice and I’ve been impressed by the friendliness and helpfulness of their forums - if I switched on my laptop I would try mint first.

        • GregorGizeh@lemmy.zip
          link
          fedilink
          arrow-up
          4
          ·
          edit-2
          7 months ago

          I dont know, it is just the general consensus on every “I want to drop windows but i am scared of Linux” post ever made, and from my personal experience I found it actually too much like windows (made a live boot before I chose another distro).

      • boredsquirrel@slrpnk.net
        link
        fedilink
        arrow-up
        4
        ·
        7 months ago

        Meanwhile, they have a Spotify Ubuntu repo… and will offer the installation of all these apps as .deb’s which are able to do whatever they want

          • boredsquirrel@slrpnk.net
            link
            fedilink
            arrow-up
            3
            ·
            7 months ago

            These are Ubuntu Packages. The external Spotify repo are binaries shipped by Spotify. I dont think there is any testing before users get that package, it is an external repo.

            • Blisterexe@lemmy.zip
              link
              fedilink
              arrow-up
              3
              arrow-down
              2
              ·
              7 months ago

              Oh, alright i was wrong, but it’s still direct from Spotify isn’t it? So no problem

              • boredsquirrel@slrpnk.net
                link
                fedilink
                arrow-up
                2
                arrow-down
                1
                ·
                7 months ago

                It is proprierary Software, running as a pretty unrestricted app on your system.

                The app could steal your Keys, read your photos, scan for pirated music or whatever.

                Yeah, no problem XD

                for sure you could do the Microsoft Way and trust random big tech, because otherwise you would just sue them… but no.

                The spotify Flatpak has no Filesystem permissions afaik, and it thus pretty okay secure, even if you dont trust the upstream.

                • Blisterexe@lemmy.zip
                  link
                  fedilink
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  7 months ago

                  Ok yes it is proprietary, but at least it’s from the main source and is confirmed to work well, which reduces risk, at the cost of sandboxing.

                  it’s a tradeoff, and I think mint did the right thing.

    • boredsquirrel@slrpnk.net
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      7 months ago

      The Flathub security rating is useful but too cautious (so many “false alarms” that people ignore it). It is completely independent from the verification though.

      Mixing these up makes no sense.

      But for sure, officially supported Libreoffice may be more secure than distro-packaged Libreoffice.

      Is any of these applications dangerous or a security risk to the system / user?

      Likely not more than Distro packages. They pull in dependencies, and code, just like any other app.

      Flatpaks are too pain tolerant regarding EOL runtimes. These may have security risks, and many badly maintained apps are using them, and at least KDE Discover doesnt show a warning here.

      Create a fork of an app and verify your website with the fork in Flatpak. The system is already broken

      True

      By doing so, it undermines a reason why we use GPL and Open Source.

      Very good points. It is a good security practice to stay close to a trusted upstream though. Browsers for example may have delayed security patches.

      And what about apps where the original author does not care, but was brought to Flatpak by a community member?

      Same here, if the upstream tests the Flatpak BEFORE shipping the release, it will work and be fast. If they dont, they ship the update, the flatpak is updated some time after that, it may have an issue, the packagers may need to patch something, solve the issue upstream etc.

      The thing is that packagers should join upstream, as only integrated packaging gives this inherent stability and speed.

      This is not relevant in many scenarios though. Flatpaks allow to securely sandbox random apps, so they are very often more secure.

      • thingsiplay@beehaw.org
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        The Flathub security rating is useful but too cautious (so many “false alarms” that people ignore it). It is completely independent from the verification though.

        Mixing these up makes no sense.

        That’s right, but I had a point there. My point is, that even verified applications can be marked as insecure on Flathub. That means, unverified applications can be secure based on the standards the Flathub sets. This was my point that its independent and why the verification of source has nothing to do with security. If Linux Mint does hide unverified apps, because it thinks these are unsecure, then it should hide all the applications that are marked as a potential unsecure app; just like the unverified apps are potentially unsecure (just like any other verified app).

        Hopefully this was not too confusing to read.

        • boredsquirrel@slrpnk.net
          link
          fedilink
          arrow-up
          1
          ·
          7 months ago

          Yes, verification is very different from the security rating.

          Poorly you can sort by subsets but not by the security rating.

          There are legacy apps that are always insecure with huge static filesystem permissions AND they are sometimes not well maintained i.e. they dont support the Flatpak.

    • SayCyberOnceMore@feddit.uk
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      2
      ·
      7 months ago

      It’s similar failure to what Flathub does on their site too

      My understanding is that Mint is just following Flathub’s classification, so it would be identical…?

      And (would need to verify when this version is released) some of those apps are available without Flatpacks anyway… (ie VLC for example), so I’d expect those to still be available

      I don’t see this as a big issue…

      • boredsquirrel@slrpnk.net
        link
        fedilink
        arrow-up
        2
        ·
        7 months ago

        This assumes that distro packages would be more secure. Which are not “verified” most of the time, by design. And which are installed to the system, can do whatever they want.

        A system package can edit /etc, autostart itself, write to all your devices and /home.

        Flatpaks MAY do that, but these will have an “insecure” rating on Flathub. And they can still not write a lot of areas, for example other Flatpaks internal storage, even if they have home permission.

        • thingsiplay@beehaw.org
          link
          fedilink
          arrow-up
          1
          ·
          7 months ago

          A system package can edit /etc, autostart itself, write to all your devices and /home.

          Distro packages are not inherently more secure, but they are all controlled and packaged by the team who manages your operating system. So you trust them fully. Which you cant for arbitrary packages from Flatpak, similar to arbitrary packages from Google playstore on Android. That’s why those “unmanaged” Flatpaks need such a rights system. I’m not saying one is better than the other, just that you can’t limit the security value by just what the app is allowed to do (in my opinion).

          • boredsquirrel@slrpnk.net
            link
            fedilink
            arrow-up
            2
            ·
            7 months ago

            Linux mint and Ubuntu both add the “universe” repo by default. That repo is basically community grade, and even used for official flavors which tells a lot about their reliability.

            Same with Fedora. Everything outside of Workstation or the KDE Spin needs to be checked for maintenance carefully. There is lots of abandonware.

            With Flatpak on the other hand too, and you can still use it as it can just use EOL runtimes even on a rolling distro…

      • thingsiplay@beehaw.org
        link
        fedilink
        arrow-up
        3
        ·
        7 months ago

        But that’s a personal decision. It’s not like Steam Flatpak would be a huge security risk, as the Mint devs say. Just because its not officially verified. Even Valve themselves recommended to use the Flatpak version of Steam, as an alternative to Snap package. You think such a package would be good enough if Valve itself sanction it. I would like to provide a link for this, but cannot find it right now.

  • fpslem@lemmy.world
    link
    fedilink
    arrow-up
    52
    ·
    7 months ago

    I’m fine with this, particularly since you can just tick the box and still access them. Linux Mint is such a good gateway for new Linux users, it makes sense to hide unverified flatpaks until they understand the risks. Plenty of people (perhaps myself included) won’t ever need to worry about unverified flatpacks if their needs are simple and they don’t add much beyond the standard software.

  • subtext@lemmy.world
    link
    fedilink
    arrow-up
    27
    ·
    7 months ago

    A new preferences dialog has been added to Software Manager that has, among other options, a toggle to show unverified Flatpaks — but the distro makes clear this is “not recommended”

  • theshatterstone54@feddit.uk
    link
    fedilink
    arrow-up
    27
    arrow-down
    2
    ·
    7 months ago

    This is the first time I ever find myself kind of disagreeing with the Mint team. As others have said, some of the most popular packages on Flathub are unverified so popular programs like Inkscape are not going to show up as Flatpaks?

    I think just a warning, like what Flathub does, and maybe a dialog before installing, warning the app is packaged by an unverified packager, would have been enough.

    • GolfNovemberUniform@lemmy.ml
      link
      fedilink
      arrow-up
      22
      ·
      7 months ago

      Idk if a warning is a good idea too. As you said, most of the apps are unverified. If a beginner sees warnings when installing every package, it will raise some questions

    • Diplomjodler@lemmy.world
      link
      fedilink
      arrow-up
      9
      ·
      7 months ago

      I think their approach is pretty solid. For beginners, it’s probably better to only see the verified FPs. More advanced users can change the preference. There is simply no ideal solution in this case, until we get more verified FPs

      • theshatterstone54@feddit.uk
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        7 months ago

        Completely unrelated but your use of FP really confused me at first, as I’ve been studying for a Programming exam, half of which is on FP (Functional Programming).

    • biribiri11@lemmy.ml
      link
      fedilink
      arrow-up
      9
      ·
      7 months ago

      If a new user installs malware from flathub while trying out mint for the first time, they’ll probably blame mint instead of flathub. Nobody will say “damn, I should have listened to that warning” while their “discrod” app rm -rf’s their entire PC away, they’ll instead claim Linux is crap and go somewhere else. Doing this helps keep mint safe, and definitely encourages unverified FOSS apps to hurry up and get verified.

  • NaN@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    22
    ·
    7 months ago

    I appreciate the clear marking that something is unverified, but don’t think disabling by default is the right move. As others have mentioned, most of the software in the distribution is also unverified.

    • SapphironZA@sh.itjust.works
      link
      fedilink
      arrow-up
      3
      ·
      7 months ago

      I think this strategy makes sense, if you do an overall push to have all software sources verified. Knowing users, a simple warning that an app is unverified rarely affects their behaviour. You need to hide the app, to encourage app developers to get verified for it to work. Users ideally should be able to trust by default, because we can’t trust them to know any better.

      • NaN@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        2
        ·
        7 months ago

        I think most likely app developers who aren’t verified don’t care to be. Spotify isn’t rushing to build a flatpak.

  • biribiri11@lemmy.ml
    link
    fedilink
    arrow-up
    21
    ·
    7 months ago

    This is a great start, but tbh, I’m not fully sold on “verified” flathub apps. Verification requires a token to be placed into a source repo or a website, but there appears to be nothing on actually verifying that the source/site are the original creators. So, for example, if someone packaged a malicious version of librefox and established it under io.github.librewolf-community instead of the canonical io.gitlab.librewolf-community, I’m concerned it’ll still show as verified (though quickly removed). The process can be read about here.

    • JustAnotherRando@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      7 months ago

      Is the token not keyed to a specific source? I would have expected it to operate similarly to an SSL cert, where part of the verification process is that the source is the correct origin that the token belongs to - so if someone just lifted a valid cert to put into a malicious one, it would catch anything from changing a single character in the project name to changing the repository host (i.e. GitHub to GitLab)

      • biribiri11@lemmy.ml
        link
        fedilink
        arrow-up
        8
        ·
        7 months ago

        Afaik yes, the token is keyed to a specific source in the case of verifying through a website, but from what I can tell, that doesn’t stop someone else from creating a separate malicious website (or git repo) that looks similar but contains malware, and publishing that as a verified app with a similar name as the real app to flathub (so there would be multiple versions of an app, with only 1 being the “real” one on flathub).

  • BananaTrifleViolin@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    arrow-down
    1
    ·
    edit-2
    7 months ago

    It kind of makes sense except the vast majority of software in all distros is not being packaged by the developers, its being packaged by volunteers in the relevant project. Most software is being used on trust that it is built off the original code and not interfered with.

    Its very difficult for any distros to actually audit all the code of the software they are distributing. I imagine most time is spent making sure the packages work and don’t conflict with each other.

    The verified tick is good in flatpaks but the “hide anything not verified” seems a little over the top to me. A warning is good but most software is used under trust in Linux - if you’re not building it yourself you don’t know you’re getting unadulterated software. And does this apply to all the shared libraries on flathub? Will thebwarn you if your software is using shared libraries that ate not verified?

    And while Flatpak is a potential vector to a lot of machines if abused, it is also a sandboxed environment unlike the vast majority of software that comes from distros own repos.

    Also given the nature of Flatpaks, any distros could host its own flatpaks but everyone seems to use flathub. If they’re not going to take on the responsibility of maintaining flathub and its software then their probably needs to be some way of “verifying” packages not coming directly from the developers. Otherwise users may lose put on the benefits of a shared distros agnostic library of software.

    I get why mint are doing this but i think its a bit of a false reassurance. Although from mints point of view they would be able to take direct responsibility for the software they distribute in their own repos (as much as you can in a warrentyless “use as your own risk” system)

  • boredsquirrel@slrpnk.net
    link
    fedilink
    arrow-up
    8
    ·
    edit-2
    7 months ago

    Have a look at my flatpak repo list with instructions on that

    The question is, do they change the remote or just hide the apps?

    I currently use 2 flathub remotes, the verified (named flathub-v) and the unfiltered one. When installing from CLI I can see if it is verified (2 possible remotes show up). I hope COSMIC store and KDE Discover will show the verification check soon.

    I use nearly only verified Flatpaks (a list of recommended ones is here, will soon update)

    But a few popular ones are not, like VLC (developers dont know Flatpak, should get an introduction by the current maintainer), Inkscape, Spotify, Steam, Bitwarden, Signal, Torbrowser launcher, Blender, Calibre, and more (excluding Chromium Browsers, use the native versions for security reasons) are all missing.

    Important things to consider:

    • distro packages are nearly always unverified i.e. maintained by distro packagers instead of upstream
    • spotify flatpak is not verified, but the flatpak is securely packaged. Mint has a deb repo, and that proprietary piece of malware could do whatever they like with your entire system
    • flatpaks are very often more secure, at least they have some security mechanism that can be easily manually hardened. Unlike firejail or bubblejail, which are very complex.
    • bitfucker@programming.dev
      link
      fedilink
      arrow-up
      1
      ·
      7 months ago

      The difference with the distro package is that you are already using the distro anyway. If you cannot trust the distro package then the whole distro itself is untrusted. Or depending on the repo provided, maybe the whole repo not the whole distro.

      • boredsquirrel@slrpnk.net
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        7 months ago

        There is a difference between the packages shipped by default, and any random package in the repo.

        In this case, Ubuntus universe repo will have less supported packages.

  • Plopp@lemmy.world
    link
    fedilink
    arrow-up
    6
    ·
    7 months ago

    Since the user can select to show unverified software I’m very much in favor of this. As long as it’s still very visible that a package is unverified after you changed the setting. With security being one of the main selling points of Flatpaks, there should be a clear distinction between verified and unverified packages, and the goal should be that all packages should be verified.