Which Flatpaks and other resources should be included in the "Downloads" section?

Continuing the discussion from Fedora is not a user friendly Linux Distro:

We are probably being inconsistent here, I think some contributors are adding as many downloads as they can find, while others are only adding downloads officially published by the developer.

I think whether or not a download is linked to on the developer’s own website is a good base criteria in this situation.


I think flatpaks should be generally recommended, except when they’re browsers as they weaken the sandbox (both on Firefox and Chromium).

Stuff like Electron is a bit tricky - it would probably be an improvement for stuff like Signal that disables the electron sandbox, but for apps like Element I genuinely have no clue.

6 posts were split to a new topic: Does Flatpak weaken Chromium/Firefox’s sandbox?

I think it should be only official sources and no experimental builds or beta/alpha builds or anything. If we only link to the developer’s downloads page, then we might as well just have that link and nothing else.

I’m still talking about making direct links, but sourcing those links from the developer’s downloads page.

Actually, I would even say we should link to unofficial downloads if they are endorsed by the developer. For example, I think we could link to these downloads listed on Brave’s download page. Lots of projects have community builds.

Having a verified check on Flathub seems to be a more straightforward and easy to understand mark of trust?

If I see that the developer of “App X” is on GitHub list of developers (on the right side of the page) and the same is seen also in the maintainers of “App X” on flatpak, does that lend a certain degree of credibility that more or less the maintainers are the same enough, even without the verified mark on Flathub?

Hello,

I am interested in Silverblue/Kinoite for home use of ordinary people.

There are several applications recommended in this guide that contain a flatpak version.

Is there a reliable way for the average, non-tech person to know if the community maintained packages maintain the security and privacy levels of the official distributions of these apps?

Example: ProtonVPN, Brave, Mullvad Browser, Bitwarden, etc.

Immutable systems appear to be more secure than normal distributions. I intend to install on computers to distribute in communities, for older people, who would certainly not install anything outside the Flathub store or official repository available on the system.

Another question, regarding the use for games, what do they say on the privacy and security aspect of the Ublue-OS images?

It is listed on the Fedora website as recommended for users with a NVIDIA card.

Best regards,

Preferred Flatpaks are the ones maintained by Fedora itself, as well as the ones in Flathub that have the verified check.

Followed by the ones endorsed, but not officially maintained by the original software devs.

I draw a hard line here. The rest are community maintained and should be treated like your AURs, PPAs and COPRs. They could be safe to use too, but if you don’t have the capability to check/audit, you should probably use toolbox/distrobox or keep a small amount of installed .rpm apps on top of Silverblue.


I don’t think packages being community maintained is that big of a deal, as it has been the case for years without issues. For example, Fedora RPMs are arguably mostly community maintained, and so are most other distros.

Fedora Packages are maintained collectively by a community of both Red Hat members and volunteers.

Take Bitwarden for example, we all know people complained that the Bitwarden flatpak ain’t maintained officially by Bitwarden itself. But so what? You can easily see the package manifest yourself. It beats going to the official website and getting an AppImage. Isn’t the good thing of Linux (aside from privacy) when compared to Windows the package management system? Going to the website of every publisher and manually downloading things is just trying to recreate the Windows distribution system on Linux, which will likely lead to a mess of AppImages and apps needing to update themselves (look how that went on Windows).

Or take our beloved Firefox for example: nowhere on the website is the flatpak repo listed. Do you want the user to download a tar.bz2 file and figure out how to install it themselves?

Software being packaged by a third party is not a problem as long as the process is transparent and verifiable.

Is there a reliable way for the average, non-tech person to know if the community maintained packages maintain the security and privacy levels of the official distributions of these apps?

It shouldn’t be an issue; Flathub most likely vets their software and does not allow random stuff willy-nilly. Failing all that, you can also just check the manifests.

Even a lot of Fedora RPMs are community maintained; the issue is honestly overblown.

Another question, regarding the use for games, what do they say on the privacy and security aspect of the Ublue-OS images?

Privacy should be the same; security is just the typical immutable benefits. I’ve personally tried ublue and can vouch for it (still using it rn).
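Several posts above say that a community-maintained Flatpak is fine as long as you "check the manifest". Here is what that check looks like in practice, as an added Python example that is not part of the thread or of any Flathub tooling. It parses a Flatpak manifest and reports two things a reviewer cares about: sources that are not pinned to an immutable checksum or git commit (so the build could change underneath the maintainer), and `finish-args` that open well-known holes in the sandbox. The sample manifest, the app id `org.example.SampleApp`, and the list of "risky" finish-args are my own constructions, not an official Flathub policy.

```python
"""Review a Flatpak manifest the way a cautious user would before installing a
community-maintained package: are the sources pinned, and what does the
sandbox let the app reach?"""
import json

# Constructed sample manifest (hypothetical app id, example.invalid URLs).
SAMPLE_MANIFEST = json.dumps({
    "app-id": "org.example.SampleApp",
    "runtime": "org.freedesktop.Platform",
    "runtime-version": "23.08",
    "sdk": "org.freedesktop.Sdk",
    "finish-args": [
        "--share=network",
        "--socket=wayland",
        "--filesystem=home",
        "--talk-name=org.freedesktop.Flatpak",
    ],
    "modules": [
        {
            "name": "sampleapp",
            "sources": [
                # pinned: tarball with a checksum
                {"type": "archive",
                 "url": "https://example.invalid/sampleapp-1.0.tar.gz",
                 "sha256": "0" * 64},
                # NOT pinned: a moving branch, contents can change at any time
                {"type": "git",
                 "url": "https://example.invalid/helper.git",
                 "branch": "main"},
                # local file shipped in the manifest repo; reviewable there
                {"type": "file", "path": "sampleapp.desktop"},
            ],
        }
    ],
})

# My own list of finish-args that weaken the sandbox; not an official policy.
RISKY_FINISH_ARGS = {
    "--filesystem=host": "read/write access to the whole host filesystem",
    "--filesystem=home": "read/write access to the user's home directory",
    "--device=all": "access to all device nodes",
    "--socket=session-bus": "unrestricted session D-Bus",
    "--socket=system-bus": "unrestricted system D-Bus",
    "--talk-name=org.freedesktop.Flatpak": "can run commands on the host (sandbox escape)",
}


def load_manifest(text):
    """Parse a JSON manifest (YAML manifests would need PyYAML; out of scope)."""
    return json.loads(text)


def unpinned_sources(manifest):
    """Return (module, url, reason) for every remote source that is not pinned."""
    findings = []
    for module in manifest.get("modules", []):
        if isinstance(module, str):
            continue  # reference to another manifest file; not resolved here
        for src in module.get("sources", []):
            if "path" in src and "url" not in src:
                continue  # local file in the manifest repo, no pin needed
            kind = src.get("type")
            url = src.get("url", "?")
            if kind == "git" and "commit" not in src:
                findings.append((module["name"], url,
                                 "git source not pinned to a commit"))
            elif kind in ("archive", "file", "extra-data") and not any(
                    k in src for k in ("sha256", "sha512")):
                findings.append((module["name"], url,
                                 "download has no sha256/sha512 checksum"))
    return findings


def risky_finish_args(manifest):
    """Return (arg, explanation) for each finish-arg in the risky list."""
    return [(arg, RISKY_FINISH_ARGS[arg])
            for arg in manifest.get("finish-args", [])
            if arg in RISKY_FINISH_ARGS]


if __name__ == "__main__":
    m = load_manifest(SAMPLE_MANIFEST)
    print("Reviewing", m["app-id"])
    for name, url, reason in unpinned_sources(m):
        print(f"  [unpinned] {name}: {url}: {reason}")
    for arg, why in risky_finish_args(m):
        print(f"  [sandbox ] {arg}: {why}")
```

To review a real package, replace `SAMPLE_MANIFEST` with the contents of the manifest from that app's Flathub repository and run the script; a result with no unpinned sources and only the permissions the app plausibly needs is what "transparent and verifiable" looks like, while a moving git branch or `--talk-name=org.freedesktop.Flatpak` is the kind of thing the "hard line" post above is worried about.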