
Security of verified apps (flathub issue, closed, 12 comments)

Adam- commented on June 21, 2024
Security of verified apps

from flathub.

Comments (12)

bbhtt commented on June 21, 2024

There's no way to verify individual builds.

You're looking for direct uploads, which should be made available sometime this year https://discourse.flathub.org/t/flathub-in-2023/3808#direct-uploads-12. With this you can generate a token from Flathub and build and push the app from your repo/CI to flathub.

Only Flathub admins can add or remove people from this Github-Org. We won't add someone who isn't a previous contributor or has some relationship with upstream or is trusted in Flathub/Flatpak community. Also new people are added upon the previous maintainer's wish or if the package is lacking maintenance. So it isn't exactly "random".

Right now, if you wish, you can be added to https://github.com/flathub/net.runelite.RuneLite as a collaborator, which gives you all write access except repo settings.

which instructs me to email the "flathub admins" at [email protected].

The list is inactive; it really should be removed.

the link on the page 404s.

I’ll fix it.


Adam- commented on June 21, 2024

Only Flathub admins can add or remove people from this Github-Org. We won't add someone who isn't a previous contributor or has some relationship with upstream. So it isn't exactly "random".

Right now, if you wish, you can be added to https://github.com/flathub/net.runelite.RuneLite as a collaborator, which gives you all write access except repo settings.

I am a collaborator on the repository already, which someone set up some years ago for me (I did not request it directly; I am not sure of the process for it). However, there are at least 2 other people I know of who have collaborator access to the repo whom I do not know at all and who definitely have no relationship to upstream.

You're looking for direct uploads, which should be made available sometime this year https://discourse.flathub.org/t/flathub-in-2023/3808#direct-uploads-12. With this you can generate a token from Flathub and build and push the app from your repo/CI to flathub.

This looks promising. I may then just wait until this is completed and then migrate my project to that, and hold off verifying for now.


bbhtt commented on June 21, 2024

They were involved with the original submission of the flatpak #489, submitters get access.


Adam- commented on June 21, 2024

I see. Can you remove everyone who isn't on https://github.com/orgs/runelite/people and then also add abextm and Nightfirecat?


hfiguiere commented on June 21, 2024

Here is who has write access to that repository:

[screenshot: list of users with write access to the repository]

trusted-maintainers are Flathub. Includes me and bbhtt. And this is not an option.

As for the verification process, you remain mistaken in what it does. It is just a verification that indicates the origin, i.e. the maintainers upstream verified the relation with the package.

There is no "per build verification". But builds are reproducible (mostly), so you can check that the manifest produces the same thing on both.

I have invited the two users you requested, since they are on the list of the org. (due diligence, sounds reasonable).


Adam- commented on June 21, 2024

As for the verification process, you remain mistaken in what it does. It is just a verification that indicates the origin, i.e. the maintainers upstream verified the relation with the package.

We do not want to verify the package with third parties (non RuneLite or Flathub) having write access since we cannot ensure they will not include code not of our origin.


hfiguiere commented on June 21, 2024

The manifest is a source of truth. It uses checksums for the tarballs and other sources, or git. All the patches (there are none here) are clearly visible. As for the extra appstream file, .desktop and icon (that are necessary), you could manage them upstream (like they should).


Adam- commented on June 21, 2024

The manifest is a source of truth. It uses checksums for the tarballs and other sources, or git. All the patches (there are none here) are clearly visible. As for the extra appstream file, .desktop and icon (that are necessary), you could manage them upstream (like they should).

The concern is what if someone changes the manifest, not whether or not the manifest itself is secure. Right now the manifest is correct, but we can't show that it will be in the future.

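As an added example (not code from this thread, from Flathub or from RuneLite), here is a check that follows hfiguiere's "manifest is a source of truth" argument and Adam's follow-up concern about the manifest changing later: it flags sources that are not pinned by a strong checksum or a git commit, and reports which pinned source identities changed between two manifest revisions. The manifest below is constructed; it only uses the real flatpak-builder keys (modules, sources, type, url, sha256, commit, tag) and handles the JSON form of the manifest.

```python
import json

# Constructed sample manifest (not the real net.runelite.RuneLite one):
# one archive pinned by sha256, one git source pinned only by a movable
# tag, and one archive with no checksum at all.
SAMPLE_MANIFEST = json.dumps({
    "app-id": "org.example.App",
    "modules": [
        {"name": "app", "sources": [
            {"type": "archive",
             "url": "https://example.invalid/app-1.0.tar.gz",
             "sha256": "a" * 64}]},
        {"name": "lib", "sources": [
            {"type": "git", "url": "https://example.invalid/lib.git",
             "tag": "v2"},
            {"type": "archive",
             "url": "https://example.invalid/lib.tar.gz"}]},
    ],
})

def iter_sources(modules):
    """Yield (module_name, source) for every inline module, recursively."""
    for mod in modules:
        if isinstance(mod, str):   # module kept in a separate file; not resolved here
            continue
        for src in mod.get("sources", []):
            yield mod["name"], src
        yield from iter_sources(mod.get("modules", []))

def unpinned_sources(manifest_text):
    """Return (module, url, reason) for sources not pinned to immutable content."""
    problems = []
    for name, src in iter_sources(json.loads(manifest_text).get("modules", [])):
        kind = src.get("type")
        # sha256/sha512 are accepted as strong pins; md5/sha1 are not counted.
        if kind in ("archive", "file") and "url" in src \
                and not any(k in src for k in ("sha256", "sha512")):
            problems.append((name, src["url"], "no checksum"))
        elif kind == "git" and "commit" not in src:
            problems.append((name, src.get("url"), "no commit pin (tag/branch can move)"))
    return problems

def source_changes(old_text, new_text):
    """Report ((module, url), old_pin, new_pin) for sources whose pin differs."""
    def pins(text):
        return {(n, s.get("url", s.get("path"))):
                s.get("sha256") or s.get("sha512") or s.get("commit")
                or s.get("tag") or s.get("branch")
                for n, s in iter_sources(json.loads(text).get("modules", []))}
    old, new = pins(old_text), pins(new_text)
    return [(k, old.get(k), new.get(k)) for k in sorted(set(old) | set(new))
            if old.get(k) != new.get(k)]
```

Running source_changes over two git revisions of a Flathub repo's manifest is the kind of review the thread describes: a changed checksum or commit shows up as a single line rather than having to be found in a diff of the whole code base.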

Adam- commented on June 21, 2024

A good intermediate step would be to remove the two people in this screenshot, Steve and AsciiWolf, since they are not in my org.


hfiguiere commented on June 21, 2024

The only way to change the manifest is by committing to the repository. It is visible, public, and probably easier to spot than on a big code base that also has dependencies.


barthalion commented on June 21, 2024

Hey @AsciiWolf @rushsteve1, I have removed your write permissions as per Adam's request. Thank you for contributing and maintaining the app thus far, it's much appreciated!

Adam, we're still working on the point 2 to make the point 1 possible. You're right it's somewhat private for now; there will be an announcement on Discourse and our blog when it's generally available.


Adam- commented on June 21, 2024

Thank you!

