How is it possible, that Signal still only provides a .deb package and no .rpm, or even better AppImage or Flatpak? There is an unofficial Flatpak but is it secure?

  • HoornseBakfiets@feddit.nl
    link
    fedilink
    arrow-up
    22
    ·
    edit-2
    5 months ago

    As a maintainer of another unofficial flatpak:

    You can always check the source code of the flatpak (code that downloads the dev then runs it inside the flatpak sandbox) here: https://github.com/flathub/org.signal.Signal

    Any of the current maintainers could add malicious code, but that would ruin their GitHub & by proxy:Twitter,LinkedIn credibility.

    Flathub have final say on what is built and hosted on their flatpak repository (Flathub != Flatpak) and are able to remove versions at will.

    • HoornseBakfiets@feddit.nl
      link
      fedilink
      arrow-up
      9
      ·
      5 months ago

      Personally I don’t understand the large warnings on flatpaks built by others, by that logic you should get a warning sign each time you download from the Ubuntu community apt repository.

      OSS is built out of love, and to me this warns guilty before proven innocent.

      • theorangeninja@lemmy.todayOP
        link
        fedilink
        arrow-up
        9
        ·
        5 months ago

        Well I think you have to distinguish between a messenger and other programms, because a messenger has a lot of sensitive data.

      • t3rmit3@beehaw.org
        link
        fedilink
        arrow-up
        7
        ·
        edit-2
        5 months ago

        Just because something is built out of love does not make it safe, and attestation is about safety. You wouldn’t trust an un-attested surgical device, just because there’s a really positive community around its design.

        Signal is a life-or-death app for some people.

        • Successful_Try543@feddit.de
          link
          fedilink
          arrow-up
          1
          ·
          5 months ago

          The ‘appstore’ of some distributions, e.g. Linux Mint, displays a warning or hint for unofficial flatpaks. In Mint the display of unofficial flatpaks are toggled off by default and there is a warning or recommendation displayed against toggling on.

      • Lemongrab@lemmy.one
        link
        fedilink
        arrow-up
        12
        ·
        5 months ago

        I just read through the unofficial Flathub Flatpak for Signal and it is very simple. It fetches the .deb from Signal’s website, installs it in the sandbox, and uses a launcher script to tell the OS some basic toggles like should it start minimized or should it display a tray icon. In the script it makes use of zypak, which to my understanding is to tell electron (chromium) to allow sandboxing to be handled by Flatpak. Here is the repo and the build instructions is the .yaml file.

      • Lemongrab@lemmy.one
        link
        fedilink
        arrow-up
        7
        ·
        5 months ago

        Flatpaks are pretty easy to read through. Just go to the links section of Flathub and click the manifest, then read it to see what is done during building.

  • thesmokingman@programming.dev
    link
    fedilink
    arrow-up
    11
    ·
    5 months ago

    I mean it’s FOSS. Have you considered opening a PR to contribute what’s missing? You can be the change you want to see. I wouldn’t normally comment something like this. Your emphasis on “still” raised my hackles a little bit and led me to ask why you still haven’t made your own.

      • thesmokingman@programming.dev
        link
        fedilink
        arrow-up
        4
        ·
        5 months ago

        All of these packaging systems have plenty of tutorials. Speaking from experience, many maintainers were not developers when they started maintaining packages for distros other than the official distros. I have worked with several maintainers who do work in tech and know socially several who had no background. This could be a great place for you to start!

        You bother because FOSS is as much paying it forward as it is getting shit for free.

  • Hirom@beehaw.org
    link
    fedilink
    arrow-up
    8
    ·
    edit-2
    5 months ago

    Some projects of Signal-compatible clients and forks received a message from a Signal representrive requesting they stop distributing unofficial clients that connect to their servers.

    That probably has on shilling effect on Linux distribution that may be considering building and distributing Signal in their repository.

      • Hirom@beehaw.org
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        5 months ago

        They can’t possibly provide a package for every distro.

        Signal’s model, ie keep tight control over development and distribution of the client, and the absence of federation, it well suited for Apple/Google’s stores, but not at all for open-source and Linux’ ecosystem.

          • Hirom@beehaw.org
            link
            fedilink
            arrow-up
            4
            ·
            5 months ago

            Yes, AppImage can run on more distro.

            Still AppImage has disadvantages over DEB: No auto-update, No/less system integration, Bigger install packages.

        • ulkesh@beehaw.org
          link
          fedilink
          English
          arrow-up
          8
          ·
          5 months ago

          You are right. They can’t for every distro.

          But fedora/rhel, Ubuntu/debian, and arch-based distros are the most commonly used. So they can provide official packages for those, and/or as the OP said, provide an official flatpak.

          And to be fair, it’s a nice-to-have to have a better sense of trust, but given the unofficial ones are open source, it’s quite likely any maliciousness would be rooted out very quickly.

          • TimLovesTech (AuDHD)(he/him)@badatbeing.social
            link
            fedilink
            English
            arrow-up
            2
            ·
            5 months ago

            Or, if you are running one of those distros you could just take the .deb and repackage it for whatever distro you’re running. Expecting a project to package for every distro, and then be required to support them for every release is a lot of work. And unfortunately some people have no issues expecting from others, but baulk at the idea of doing it themselves.

  • TimLovesTech (AuDHD)(he/him)@badatbeing.social
    link
    fedilink
    English
    arrow-up
    7
    ·
    5 months ago

    Could always do what looks like the Arch AUR package is doing and build it yourself from source. Or if you are running a Fedora/OpenSuse distro you could find a package on COPR or something that converts a package from a .deb to .rpm and just change source and stuff to match signal.

      • ericjmorey@programming.dev
        link
        fedilink
        arrow-up
        13
        ·
        edit-2
        5 months ago

        Building from source is the opposite of hacky. It’s the recommended way to deal with things like this where you are concerned about trust and security. I understand that it’s not something you’ve done before, but it not as complicated as it sounds. There are many tutorials on how to build programs from source.

        I understand that providing official packages for fedora/rhel, Ubuntu/debian, and arch-based distro packages along with a flatpack and Appimage would make a lot of sense, but for whatever reason, signal has decided not to. Perhaps you can message the signal team to ask why they choose not to do this.

    • Petter1@lemm.ee
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      5 months ago

      That is why I recommend arch based distros that are build on AUR (using yay) Like EndeavourOS

  • Hellfire103@lemmy.ca
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    5 months ago

    You could try running the .deb through alien(1p), although it can be hit-and-miss if the package has a lot of scripts or dependencies.

      • Hellfire103@lemmy.ca
        link
        fedilink
        English
        arrow-up
        7
        ·
        5 months ago

        It’s an old program that converts between .deb (Debian), .rpm (RedHat), .tgz (Slackware), .slp (Stampede), .pkg (Solaris), and LSB packages.

        I don’t use it much, but it can be handy in a pinch for installing software that isn’t packaged for your distribution. Just don’t use it for anything low-level or that’s already packaged natively, or you’ll break stuff.

  • lorgo_numputz@beehaw.org
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    5 months ago

    AppImages, ~~which have no automated update facility, are terrible idea for software that is based on the security of the messaging syatem.

    AppImage for The Powder Toy (a great game) - no problem.

    For Signal? Bad idea.~~

    I’m looking at you, SimpleX.

    rpm? Yeah, you’ve got a very valid point.

    Update: I’m wrong - see replies to this message.

  • Rimu@piefed.social
    link
    fedilink
    English
    arrow-up
    4
    ·
    5 months ago

    I have the official Signal Desktop flatpak installed through Discover. It exists.

  • TimLovesTech (AuDHD)(he/him)@badatbeing.social
    link
    fedilink
    English
    arrow-up
    2
    ·
    5 months ago

    OP, what distro are you running? You mention a whole bunch of package formats they don’t provide, but never mention what format you require. Depending on the distro, making a build script (or converting the .deb) really isn’t Rocket Surgery ™.

    • theorangeninja@lemmy.todayOP
      link
      fedilink
      arrow-up
      1
      ·
      5 months ago

      Signal aims to be the messenger you can tell your grandma to use. To live up to that promise they have to provide more packages.