Verification doesnt help at all if the source is not trusted. All this says is “upstream developers maintain this package”. Unofficial packages can be safe too, like VLC.
It does help prevent actual malware from being downloaded, though, since upstream developers probably won’t publish malware on Flathub.
But this is still a half-measure. I don’t understand why Red Hat and Canonical don’t treat this issue seriously; people on Linux are used to assuming software installed from the repos are safe, and yet Snap and Flatpak are being pushed more and more despite their main repositories being potentially unsafe.
Because both Red Hat and Canonical are of the “pay us to care” mindset. If you aren’t paying for support, you’re a freeloader and need to do your own research.
Verification doesnt help at all if the source is not trusted. All this says is “upstream developers maintain this package”. Unofficial packages can be safe too, like VLC.
It does help prevent actual malware from being downloaded, though, since upstream developers probably won’t publish malware on Flathub.
But this is still a half-measure. I don’t understand why Red Hat and Canonical don’t treat this issue seriously; people on Linux are used to assuming software installed from the repos are safe, and yet Snap and Flatpak are being pushed more and more despite their main repositories being potentially unsafe.
Because both Red Hat and Canonical are of the “pay us to care” mindset. If you aren’t paying for support, you’re a freeloader and need to do your own research.
Fedora has their own flatpak repo built from their own rpms and their own runtime. Flathub has more flatpaks though.