| ▲ | michaelmrose 2 hours ago | |
Many flatpaks aren't actually maintained by the actual developer nor the normal way the package is normally used. You may have bugs that aren't present in the package that the dev isn't aware of or interested in fixing especially if they support a different channel and the bug relates to sandboxing. There is also a risk that the person may be malicious from the start, sell out, or simply get malware. Given the nature of the ecosystem a malicious release to a previously safe package could propagate incredibly quickly. Where there are multiple steps for a package to get from developers machine to yours and each is slow enough for malicious behavior to be noticed each step adds friction and decreases the chance of ultimate success. Where all steps are nearly simultaneous your risk multiplies with each step in which a different person has their hands in it and if any of them are malicious or compromised you are screwed. | ||