Anyone can do all that if they have time, knowledge, and patient.
Correct. Similar to Arch and the AUR, this is only an option for people that are knowledgeable enough and willing to do so. But the knowledge barrier isn’t tha high (for doing basic due diligence/harm reduction).
Where I disagree is that I don’t believe it is correct that “If security is concerned, there’s no alternative to official packages”. There are alternatives, they are not right for everyone, but they do exist.
This is exactly why it is important to check the source (which in the the case of a flatpak can be checked in less than a minute. Take a peak at the example of the Signal Manifest I gave in my previous comment you’ll see that the flatpak is built from the .deb package directly from Signals website, and I believe this is cryptographically verifiable). Even if you have never ever viewed a manifest file before I think you’ll still be able to easily identify the source the package is built from.
I think we probably agree that it is crucial to to either:
- (Ideally) get the software from a trusted source (usually the developer themselves, or your distro who you are already putting trust in)
- (and/OR) vet the software yourself if you source it from an unofficial source and you feel capable of doing so).
Flatpak (nor any other Linux package format can protect you if the source of the software itself is malicious, if you install malware, from an untrustworthy malicious source, you’ve installed malware regardless of whether that is a .deb, .rpm, snap or flatpak (from what I’ve heard snap’s sandboxing is a bit better but still not on par with some other OS’s sandboxing). I do hope that eventually we get more robust, granular, and mandatory sandboxing in Linux, I do know that this is something Flatpak’s developers are conscious of and working towards.
also as an aside, you can sidestep the issue of unofficial software with flatpaks completely by choosing a repo that doesnt’ include unofficial software. You can use flathub-verified instead of flathub to exclude all software that is not packaged by its developer, or if you use Fedora you can use Fedora’s flatpak repo to get software packaged only by the Fedora team (Gnome and KDE Plasma have their own flatpak repos as well). So one can absolutely use flatpak without ever exposing themselves to unofficial packages if they choose to do so.
The issue of unofficial software isn’t related to flatpak, it is related to the flathub repo, it is also not limited to flatpak (if you use RPMfusion or COPR with Fedora/RHEL, PPAs or Snap with Ubuntu, OBS with OpenSUSE, or the AUR with Arch, (or appimage, snap, or flatpak with any distro), you’ve got to be conscious that some or all software in those repos is not vetted or vouched for by your distro and may or may not be packaged by the developer of the software.