Should I trust Flathub with important applications?

There are multiple applications that I’d like to use on Fedora, but some of the most important applications (such as Bitwarden and Standard Notes) I want to use are not officially available as Flatpaks or RPMs. However, they are still on Flathub, presumably built by Flathub developers or maybe random people in the community. So I’m left wondering if/what measures Flathub takes to ensure the validity and security of unofficially built packages like Bitwarden and Standard Notes so I can better determine whether or not I could use them safely as Flatpaks.

That being said, there are still some important applications which I might not be able to reasonably avoid on Flathub, such as Signal. Unfortunately, they only officially support Debian-based distributions, so it seems like I have no other choice but to use unofficial builds of Signal.

I did try asking this question on Flathub Discourse but I haven’t gotten a clear answer yet.


I am in the same boat, thinking about switching back to Ubuntu or other Debian-based system to be able to utilize officially supported applications.


Yeah, I’m considering giving Ubuntu a try or maybe just returning to Windows. My experience with trying Fedora 38 this past week has been pretty bad, to say the least. While I love the workflow and UI, I can’t get any answers to any of my questions. I wasn’t able to get a response from either the PrivacyGuides or Flathub communities on a fairly simple yet critical question. I couldn’t get a single response on whether it’s possible to get XWayland to play nicely with fractional scaling, even after asking on multiple forums. I also couldn’t get a response on how I should go about privately using web apps & PWAs which also seems like something that should’ve been figured out by now. Plus I’m still trying to solve audio issues I’m having. There are even more questions and issues I have, but I’m putting them on the back burner since I’m trying to focus on the 4 questions/issues I mentioned. However each day that passes where I’m not able to use my laptop, my hope that I can make this work dwindles.

I honestly kind of believed the hype that the “Linux desktop” was pretty much ready for the masses to adopt, but it doesn’t really hold true. Of course, if people buy devices made for Linux compatibility, are fine with being limited in what applications they can run easily, are fine with little to no tech support to fall back on, and completely disregard security for the sake of functionality (such as disabling Secure Boot, using legacy/unsafe software, trusting (potentially?) unsafe software sources, etc.) then I guess desktop Linux is usable… But I think that’s far from the majority of users.

We can debate the trustworthiness of unofficial Flatpaks, but I’m not here to do that.

A lot of Flatpaks are official, and most of those are now verified.

If you want to see which Flatpaks you use that are unverified, and thus, most likely unofficial, I have a script for you: show-unverified-flatpaks.sh · main · Julian / scripts · GitLab

I can empathize with your frustration (especially with respect to finding help; this is one reason I think the Debian/Ubuntu family is the best place for most users). Apart from that, it seems to me that some of your frustrations are fair and relatable, but you are also (not intentionally) building up a bit of a straw-man case against Linux:

  1. Why do you feel it necessary to disable secure boot?
  2. I don’t see software sources as more unsafe on Linux than on Windows; the majority comes from your distro’s official repositories or direct from the developer (I discourage people from relying on unofficial sources like the AUR unless they can do their own due diligence), whereas with Windows (when I left it) most things were downloaded from the internet, via torrents, etc.
  3. With respect to PWA those concerns would apply to every platform, right? I mean isn’t that the nature of PWAs, they’ll behave the same regardless of operating system?
  4. “if people buy devices for Linux compatibility” is not a Linux-specific thing; with Windows, macOS, iOS, or Android you also must buy devices compatible with those OSes. It’s just that this process is more straightforward with the larger corporate OSes because in the case of Apple they sell the software+hardware, and in the case of Android and Windows they have huge market share and incentivize hardware makers to ensure compatibility. But technically speaking, whichever OS you choose, you must select hardware known to be compatible with it.

Would stay away from unofficial Flatpaks. Have seen too many of them with heavily delayed updates (or no updates at all), outdated dependencies, overly permissive permissions, and bad compilation settings. While these can also happen with official flatpaks, they are more common with unofficial ones. Especially if what you want to protect resides inside this Flatpak, like with Bitwarden, I would stay away from them. Also the Flatpak sandbox is not strong enough to hinder a dedicated attacker, so a malicious package can still hurt the rest of your system, especially if you don’t adjust permissions properly. Never use unofficial builds of something as important as your password manager.

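The post above singles out overly permissive permissions as one of the recurring problems with unofficial builds. The following is an added example (my own code, not the script linked earlier in the thread and not anything shipped by Flathub) that reads the metadata Flatpak keeps for each installed app, via `flatpak info --show-metadata <app-id>`, and flags the `[Context]` entries and session-bus names that effectively negate the sandbox: host or home filesystem access, raw `x11` or unfiltered D-Bus sockets, all devices, and `talk` access to `org.freedesktop.Flatpak` (which lets the app run commands outside the sandbox). The list of what counts as high risk is my own judgement, and the two embedded metadata samples are constructed for a hypothetical `org.example.Vault` app.

```python
"""Flag Flatpak sandbox permissions that effectively disable the sandbox.

Run as a script to audit every installed app, or import and call
audit_metadata() on the text of `flatpak info --show-metadata <app-id>`.
"""
from __future__ import annotations

import configparser
import shutil
import subprocess

# Reviewer's judgement list (an assumption of this example, not Flathub policy):
# [Context] values that give an app host-level reach.
HIGH_RISK = {
    "filesystems": {
        "host": "access to the entire host filesystem",
        "host-os": "access to the host's /usr",
        "host-etc": "access to the host's /etc",
        "home": "full $HOME access, including dotfiles and shell rc files",
        "xdg-config": "all of ~/.config (other apps' settings and tokens)",
        "xdg-data": "all of ~/.local/share (other apps' data stores)",
    },
    "sockets": {
        "session-bus": "unfiltered D-Bus session bus, bypassing the portal model",
        "system-bus": "unfiltered D-Bus system bus",
        "x11": "X11 offers no isolation between clients (input sniffing, screen capture)",
        "ssh-auth": "use of the host's SSH agent keys",
    },
    "devices": {"all": "every device node, including /dev/input"},
}
# Well-known session bus names whose 'talk'/'own' policy means host reach.
RISKY_BUS_NAMES = {
    "org.freedesktop.Flatpak": "can run commands on the host via flatpak-spawn (sandbox escape)",
    "org.freedesktop.secrets": "can query the Secret Service keyring",
}


def audit_metadata(metadata: str) -> list[str]:
    """Return human-readable findings for one app's Flatpak metadata (keyfile text)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep bus names case-sensitive
    cp.read_string(metadata)
    findings: list[str] = []
    if cp.has_section("Context"):
        for key, raw in cp.items("Context"):
            for item in filter(None, raw.split(";")):
                if item.startswith("!"):  # '!home' etc. *removes* a permission
                    continue
                base = item.split(":", 1)[0]  # strip ':ro' / ':create' suffixes
                reason = HIGH_RISK.get(key, {}).get(base)
                if reason:
                    findings.append(f"[Context] {key}={item}: {reason}")
    if cp.has_section("Session Bus Policy"):
        for name, policy in cp.items("Session Bus Policy"):
            if policy in ("talk", "own") and name in RISKY_BUS_NAMES:
                findings.append(f"[Session Bus Policy] {name}={policy}: {RISKY_BUS_NAMES[name]}")
    return findings


def audit_installed() -> dict[str, list[str]]:
    """Audit every installed app; returns {} when flatpak is not on PATH."""
    if shutil.which("flatpak") is None:
        return {}
    out = subprocess.run(["flatpak", "list", "--app", "--columns=application"],
                         capture_output=True, text=True, check=True).stdout
    report: dict[str, list[str]] = {}
    for app_id in out.split():
        meta = subprocess.run(["flatpak", "info", "--show-metadata", app_id],
                              capture_output=True, text=True, check=True).stdout
        report[app_id] = audit_metadata(meta)
    return report


# Constructed sample metadata for a hypothetical app (not a real Flathub package).
SAMPLE_METADATA = """\
[Application]
name=org.example.Vault
runtime=org.freedesktop.Platform/x86_64/23.08
command=vault

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=xdg-download;host;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.kde.StatusNotifierWatcher=talk
"""

SAFE_METADATA = """\
[Application]
name=org.example.Vault
command=vault

[Context]
shared=network;
sockets=wayland;fallback-x11;pulseaudio;
filesystems=xdg-download:ro;
"""

if __name__ == "__main__":
    for app_id, findings in audit_installed().items():
        print(app_id)
        for line in findings or ["(no high-risk permissions)"]:
            print("  " + line)
```

Running it as a script prints one section per installed app. A finding is not automatically a bug (a file manager needs `filesystems=host`), but for something like a password manager it is exactly the list you would want empty, and anything on it can be removed per app with `flatpak override --user --nofilesystem=host <app-id>` and the like; the `!` handling above exists so that such overrides are read correctly.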

True, but unfortunately a lot of the most sensitive applications I use are unofficial builds on Flathub, some of which (like Signal) aren’t officially available in any other format that I could use on Fedora. That’s why my main question was about whether I could trust unofficial builds to begin with, since I already find myself in a situation where I’m only left with choosing between different unofficial builds, switching operating systems, or maybe trying to set up some containerized solution.

You can get official builds of Signal for all Debian based and Arch based distros. So Ubuntu or EndeavourOS might be an option with better support. On Arch you might still need some unofficial AUR packages in general, but the PKGBUILD files are relatively easy to read and check.

I don’t, I just know that the “just works” distributions (Pop!_OS, Linux Mint, Zorin OS, etc) all have it disabled. Some people include Ubuntu and Fedora as “just works” distributions and they have secure boot enabled by default, however Fedora isn’t really as noob-friendly as the others in my experience. As for Ubuntu, Canonical is known to make controversial or anti-consumer decisions when it comes to their operating system. Not to say Ubuntu can’t be a “just works” distro, just that it’s not well-liked among a good portion of the Linux community.

I agree that the way people commonly install software on Windows is pretty bad, but it’s sort of irrelevant to how secure it is on Linux. A can be worse than B, but that doesn’t mean B is good or ideal.

That’s true. I didn’t mean to insinuate it was a Linux-specific problem and I should’ve been clearer with my wording.

I totally agree. But in practice, the issue of hardware compatibility being especially poor on Linux still holds true since many PCs will have some issue or other with running Linux. Of course, the blame doesn’t really lie with the developers of Linux distributions, at least not entirely. But it doesn’t change the unfortunate reality that it’s comparatively more difficult to get or use hardware compatible with Linux, especially considering that many users bought their PC before they considered switching to Linux and might be left with something that doesn’t work well on Linux.

I didn’t realize Signal also supported Arch since they don’t list it on their website, but that’s good to know. In any case, I might try out Ubuntu or EndeavourOS, I’m just not a big fan of either and it’d suck to have to change my whole operating system just to use an official build of Signal.

It’s not like my Signal conversations are super duper important to keep private, so I’m still sort of open to using an unofficial build. However, I’d like to see some sort of security guarantee in place that the application is legitimate. Whether it be some automated system or a trusted person at Flathub, I’d like to see something. Unfortunately, Flathub has yet to demonstrate that they can provide any sort of assurance that unofficial builds are safe and unmodified.

I’d be willing to give EndeavourOS a go, but I’ve heard lots of conflicting information about whether Arch-based distributions should be considered “just works” distros given their instability. From what I’ve heard, staying away from the AUR and updating your system every few days should be enough to keep it stable, but I’ve also heard conflicting information about that as well. As for Ubuntu… well, I’m sure you know all about the downsides that come with Ubuntu. (Older software, forced Snaps, privacy invasions in the past, etc.)

Arch based distros are absolutely not “just works” distros, and Arch was never intended to be (in fact it is intended to be the opposite of a ‘just works’ distro). Arch is quite clear in its documentation that it is intended for DIY minded, experienced users, who want control, flexibility, and like maintaining their own system. Arch has the smallest official software repositories of any major distro (roughly 1/10th the size of Ubuntu or Debian’s repos) meaning you will be forced to use unofficial sources more frequently, and if you found Fedora not beginner friendly enough you really shouldn’t be considering any Arch based distro.


In my experience any Linux desktop distro can break at some point. So always do backups. And consider doing snapshots to quickly roll back updates. My EndeavourOS setup has been rock-solid so far and no instabilities. But you definitely need to change a few defaults (e.g. to use Wayland). Installation is easy and you will get a working system with EndeavourOS, but a few changes should be done.

Depending on your software stack, this might not be possible. So checking PKGBUILD files of the AUR packages on installs/updates is recommended.

Most controversies about Ubuntu have been overblown and easily fixable. But yes, it’s not as close to upstream as Fedora or Arch.


The claim of ‘privacy invasions’ stems from a single controversy in 2012. I used Ubuntu at that time and was not happy with that decision, but the people still complaining about it (most of whom weren’t even Ubuntu (or Linux) users back then and have no first-hand knowledge) have largely blown it out of proportion, and continue repeating it as if it’s current.

“Forced Snaps” This is an overblown claim. Ubuntu is embracing snaps, for reasons that make sense for them and for many of their customers. Many Linux hobbyists/enthusiasts are resistant to this, and I think it’s caused people to not be totally rational when it comes to snaps. Snaps are not really forced any more than any other default. Personally I feel that while there are legitimate criticisms of Canonical, people hold Canonical to double standards that they don’t apply in other contexts because of their own biases.

“outdated software” – compared with a rolling distro, but we are talking about a distro with a 6-month release cycle. It is not ancient software by any stretch of the imagination. It is solidly middle of the road in this respect (less current than rolling distros and Fedora, as current as or more current than basically every other major mainstream distro, including popular distros like Debian, RHEL, Mint, Pop!_OS, openSUSE Leap, etc.).

I don’t think that’s the only problem people have had regarding privacy concerns. For example, their privacy policy doesn’t seem to be great. (Admittedly, I haven’t read the full current privacy policy, so it’s possible that it has improved since 2021 or that erotavlas made an unfair assessment of their privacy policy.) Furthermore, it just leaves a bad taste in my mouth considering Canonical could even make such a decision to begin with. After all, I’m trusting them with my entire operating system, it’s not something I wanna take lightly. The only mitigating factor is that it happened long ago. I’m not saying this makes Ubuntu entirely untrustworthy, I just think it’s worth mentioning when trying to decide which operating systems people should use.

Ubuntu secretly replaces APT for Snap. Canonical also recently stepped in to stop Flatpak from being shipped on flavors of Ubuntu. Ubuntu intentionally and covertly disobeys the user and Canonical has influenced flavors of Ubuntu to stop shipping Flatpak, all in the pursuit of promoting their centralized and proprietary software store. You might not care too much about it, but at that point, it just becomes a disagreement on what we value or where we draw the line on things, and honestly, I’d rather just agree to disagree so we don’t get too sidetracked.

I don’t recall seeing Fedora covertly replacing DNF with Flatpak under the hood, for example. But if I’m wrong, let me know.

It’d be worth specifying if we’re talking exclusively about using the latest versions of Ubuntu, or if we’re including LTS releases. From what I’ve seen (both anecdotally as well as from some data), most people use LTS releases which go on for much longer than 6 months. But yes, if we’re talking about exclusively using the latest Ubuntu releases, it’s not as bad as it could be, though it’s still not ideal. But considering that more up-to-date alternatives like Fedora and OpenSUSE Tumbleweed are probably not an option, (given the context of this discussion) I suppose using the latest versions of Ubuntu would be the best option if I had to switch operating systems.

All of that being said, I’m open to using Ubuntu. I was just pointing out some problems it has. In any case, we’ve gotten way off-topic. I’m just curious to see if Flathub does anything to ensure the safety/integrity of unofficial builds. I did get a response on the Flathub Discourse, so hopefully we could reach a conclusion soon.

You might want to overthink your priorities for choosing an OS. Many distros are pretty bad OOTB, so you don’t have many options to begin with. If you exclude distros for minor things like in the case of Ubuntu, you won’t have anything left.

Is Ubuntu perfect? No. Unfortunately every Linux distro has major shortcomings (especially in terms of security) and you need to choose the least worst which is suited for your main criteria. If you want better official software support than Fedora, Debian-based distros are your best (and maybe only) choice and Ubuntu is still one of the most sane Debian-based distros.

I don’t see why snaps are a problem. For most users switching more and more to snaps isn’t a problem. The snap store verifies if the source is official, and at least you get some easy to use (although suboptimal) sandboxing. Many apps which aren’t officially available for Flatpak are available through Snaps.

That’s a lot of files to check on each update for a user. Checking AUR pkgbuild files would be easier.

Didn’t we already regarding unofficial Flatpaks?

Yes. The vast majority of users do. If you do, enroll in Ubuntu Pro. It’s free for home use. You will get better security update support and live kernel patching. You could apply CIS hardening. I am not sure if the Ubuntu Pro benefits outweigh the longer release cycle though, since many security bugs don’t receive CVEs and thus won’t get backported.

Not everyone has to review it. I think the idea is just that it’s reasonable enough that at least a few people will check it out, especially with popular applications. I still don’t find that solution to be acceptable, so I won’t be trusting Flathub with extremely important applications. But I might use it for Signal… I haven’t really decided yet. I’m wondering if maybe there’s a more trustworthy unofficial build of Signal or if I should bother with learning how to use containers.

Using a stable operating system would be easier. :person_shrugging:

I might look into Arch in the future when I have time to learn and tinker with things, but for now, I just need something that’ll work. God knows I’ve already done enough digging and made enough forum posts just trying to get a “just works” distribution to work.

I suppose so. I was just interested in whether Flathub had implemented some solution that allows them to verify the integrity/safety of unofficial builds. From the answer I got, it looks like they have none and are just relying on strangers to check on apps once in a while. I’m thinking something bad could come of this in the future and I don’t want to put myself at risk just to find out.

In that case, wouldn’t it just be best to keep up-to-date with the latest Ubuntu releases?

Yes, to check it you just need to take a minute and look at the manifest
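"Look at the manifest" is the practical answer to the thread's original question about unofficial builds: a Flathub app is built from a flatpak-builder manifest in the app's repository, and for a repackaged proprietary app that manifest typically just downloads upstream's own binary (a .deb, .AppImage or tarball) at a pinned hash. What you are really checking is where each source is fetched from and whether it is pinned. The following is an added example (my own code, not Flathub tooling) that walks the `modules` and `sources` of a JSON manifest and reports sources not fetched over https, hosts that are not on the reviewer's list of expected upstream hosts, unpinned content (no `sha256`/`sha512`, or a `git` source without a `commit`), and modules that simply repackage an upstream binary. The embedded manifest, the `org.example.Chat` app id, its hosts and its hashes are all constructed; the trusted-host set is something you fill in from the upstream project's own download page. YAML manifests would need PyYAML, which is not shown here.

```python
"""Review the sources a Flatpak manifest fetches before trusting an unofficial build.

Reads a flatpak-builder JSON manifest and reports: sources not fetched over
https, hosts outside the reviewer's expected-upstream list, unpinned content
(no sha256/sha512, or a git source without a commit), and modules that simply
repackage an upstream binary.
"""
from __future__ import annotations

import json
from urllib.parse import urlparse

REMOTE_TYPES = {"file", "archive", "extra-data", "git"}
PREBUILT_SUFFIXES = (".deb", ".rpm", ".appimage", ".snap")


def iter_modules(modules):
    """Yield every inline module, including nested ones. String entries refer to
    separate module files in the repo and must be opened and reviewed by hand."""
    for m in modules:
        if isinstance(m, dict):
            yield m
            yield from iter_modules(m.get("modules", []))


def check_source(module_name: str, src: dict, trusted_hosts: set[str]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one source entry."""
    if src.get("type") not in REMOTE_TYPES:
        return []  # patch/shell/dir/inline sources live in the manifest repo itself
    url = src.get("url", "")
    if not url:
        return []  # 'path' sources are local files in the repo; read them directly
    parts = urlparse(url)
    where = f"module {module_name!r} {src['type']} {url}"
    out: list[tuple[str, str]] = []
    if parts.scheme != "https":
        out.append(("warn", f"{where}: not fetched over https"))
    if (parts.hostname or "") not in trusted_hosts:
        out.append(("warn", f"{where}: host {parts.hostname!r} is not an expected upstream host"))
    if src["type"] == "git":
        if not src.get("commit"):
            out.append(("warn", f"{where}: git source not pinned to a commit (tags and branches can move)"))
    elif not (src.get("sha256") or src.get("sha512")):
        out.append(("warn", f"{where}: no sha256/sha512, fetched content is not pinned"))
    if parts.path.lower().endswith(PREBUILT_SUFFIXES):
        out.append(("info", f"{where}: repackages an upstream binary; you inherit upstream's build plus this pinned hash"))
    return out


def review_manifest(manifest: dict, trusted_hosts: set[str]) -> list[tuple[str, str]]:
    """Run check_source over every source of every (nested) module."""
    findings: list[tuple[str, str]] = []
    for module in iter_modules(manifest.get("modules", [])):
        for src in module.get("sources", []):
            findings.extend(check_source(module.get("name", "?"), src, trusted_hosts))
    return findings


# Constructed manifest for a hypothetical app; the hosts and hashes are made up.
SAMPLE_MANIFEST = json.loads("""
{
  "app-id": "org.example.Chat",
  "runtime": "org.freedesktop.Platform", "runtime-version": "23.08",
  "sdk": "org.freedesktop.Sdk", "command": "chat",
  "modules": [{
    "name": "chat",
    "buildsystem": "simple",
    "build-commands": ["ar x chat.deb", "tar xf data.tar.xz -C /app --strip-components=1"],
    "sources": [
      {"type": "file", "url": "https://updates.example.com/chat_1.2.3_amd64.deb",
       "dest-filename": "chat.deb",
       "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
      {"type": "file", "path": "org.example.Chat.desktop"},
      {"type": "archive", "url": "http://mirror.example.net/helper-0.1.tar.gz",
       "sha256": "1111111111111111111111111111111111111111111111111111111111111111"},
      {"type": "git", "url": "https://github.com/someone/chat-patches.git", "branch": "main"}
    ]
  }]
}
""")
TRUSTED_HOSTS = {"updates.example.com"}  # what the reviewer knows upstream actually uses

if __name__ == "__main__":
    import sys
    manifest = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for severity, msg in review_manifest(manifest, TRUSTED_HOSTS):
        print(f"{severity.upper():5} {msg}")
```

Run it with the path to a cloned manifest (or with no argument to see it on the built-in sample). The "info" line is the important one for a repackaged app: if the only remote source is upstream's own release artifact from upstream's own host with a pinned hash, the Flathub packager has not changed the binary, and what you are trusting beyond upstream is the manifest's build commands, the `finish-args` permissions, and the hash being updated honestly on each release. Git history of the manifest repo (`git log -p`) is where you check that last part.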