Remix clone Hacker News

new | show | ask | jobs Github

▲

LtWorf 14 hours ago

The best thing about unvetted app stores is that anyone can publish software!

The worst thing about unvetted app stores it that anyone can publish software!

▲

ndiddy 12 hours ago | parent | next [-]

Flathub is not unvetted. Every submission goes through human review. If a piece of software requires an unnecessary permission (i.e. if someone submits an alarm clock program that requires home folder access and internet access), it will get rejected. If a developer updates their software and changes the required permissions, the update won't get pushed to users until it goes through human review.

Besides this, for open source packages, the code gets built on Flathub's build servers without internet access. The source code associated with a given Flathub package version must be either a specific Git commit (verified with a commit hash) or a release tarball (verified with a sha256 hash). This means that it's always possible to verify that the code a developer publishes corresponds to the binaries being shipped to users. Closed source packages get a big warning on their Flathub pages saying that the program's code is proprietary and not auditable.

With the traditional distro packaging model, the requirements to become a maintainer are stringent and there's human review when a package is added, but there's typically no review after that point. If you'd like a recent example of the drawbacks of this system, see here: https://security.opensuse.org/2025/05/07/deepin-desktop-remo... . After the OpenSUSE security team rejected certain components of the Deepin DE for containing major security problems (including multiple root privilege escalation vulnerabilities), the Deepin maintainer smuggled them in anyway through an innocuous looking package called "deepin-feature-enable" and nobody in the security team noticed for several years. I'm not trying to call out the OpenSUSE security team here, I'm sure they don't have the resources to vet random packages. I'm saying that expecting maintainers to never ship malicious code because they went through the process to become a maintainer is a weakness of the traditional distro packaging model.

	▲	LtWorf 4 hours ago \| parent [-]
		Reading about all the crashes and stuff that generally doesn't work… doesn't seem too vetted to me.

▲

tempaccount420 14 hours ago | parent | prev [-]

Distro package maintainers are not security researchers, they don't audit the code they maintain.

▲

alkonaut 13 hours ago | parent | next [-]

They do to some extent in the larger distros, but for proprietary/binary packages they don't have much chance anyway unless they are willing to do some pretty time-consuming forensics.

	▲	tempaccount420 43 minutes ago \| parent [-]
		It'd be a gargantuan effort to do it for every package, most times it's just a version + hash update and maybe a test.

▲

LtWorf 8 hours ago | parent | prev | next [-]

I do, and I work at a security company. But thanks for knowing more about my life than myself, random internet person.

▲

goodpoint 13 hours ago | parent | prev | next [-]

This is false.

▲

flomo 13 hours ago | parent | prev [-]

Plus the app developers at least have some level of accountability. Like when JWZ got into it with Debian (can't link here). You might think you are running XScreensaver from the great Zawinski, but no you are actually running some weird fork from godknowswho, hopefully not Jia Tan.

	▲	ChocolateGod 12 hours ago \| parent \| next [-]
		XScreensaver is supposed to hide your desktop and Jia Tan is an expert at hiding things, so I think they'd be a perfect match.
	▲	tempaccount420 an hour ago \| parent \| prev [-]
		You got downvoted but yes, it's quite sad when distros release a package under the same name as the original but with their own set of patches. I think they should rename the package when they do that, even just a prefix/suffix with the distro name would be nice.