How is it possible, that Signal still only provides a .deb package and no .rpm, or even better AppImage or Flatpak? There is an unofficial Flatpak but is it secure?

  • HoornseBakfiets@feddit.nl
    link
    fedilink
    arrow-up
    22
    ·
    edit-2
    5 months ago

    As a maintainer of another unofficial flatpak:

    You can always check the source code of the flatpak (code that downloads the dev then runs it inside the flatpak sandbox) here: https://github.com/flathub/org.signal.Signal

    Any of the current maintainers could add malicious code, but that would ruin their GitHub & by proxy:Twitter,LinkedIn credibility.

    Flathub have final say on what is built and hosted on their flatpak repository (Flathub != Flatpak) and are able to remove versions at will.

    • HoornseBakfiets@feddit.nl
      link
      fedilink
      arrow-up
      9
      ·
      5 months ago

      Personally I don’t understand the large warnings on flatpaks built by others, by that logic you should get a warning sign each time you download from the Ubuntu community apt repository.

      OSS is built out of love, and to me this warns guilty before proven innocent.

      • theorangeninja@lemmy.todayOP
        link
        fedilink
        arrow-up
        9
        ·
        5 months ago

        Well I think you have to distinguish between a messenger and other programms, because a messenger has a lot of sensitive data.

      • t3rmit3@beehaw.org
        link
        fedilink
        arrow-up
        7
        ·
        edit-2
        5 months ago

        Just because something is built out of love does not make it safe, and attestation is about safety. You wouldn’t trust an un-attested surgical device, just because there’s a really positive community around its design.

        Signal is a life-or-death app for some people.

        • Successful_Try543@feddit.de
          link
          fedilink
          arrow-up
          1
          ·
          5 months ago

          The ‘appstore’ of some distributions, e.g. Linux Mint, displays a warning or hint for unofficial flatpaks. In Mint the display of unofficial flatpaks are toggled off by default and there is a warning or recommendation displayed against toggling on.

      • Lemongrab@lemmy.one
        link
        fedilink
        arrow-up
        12
        ·
        5 months ago

        I just read through the unofficial Flathub Flatpak for Signal and it is very simple. It fetches the .deb from Signal’s website, installs it in the sandbox, and uses a launcher script to tell the OS some basic toggles like should it start minimized or should it display a tray icon. In the script it makes use of zypak, which to my understanding is to tell electron (chromium) to allow sandboxing to be handled by Flatpak. Here is the repo and the build instructions is the .yaml file.

      • Lemongrab@lemmy.one
        link
        fedilink
        arrow-up
        7
        ·
        5 months ago

        Flatpaks are pretty easy to read through. Just go to the links section of Flathub and click the manifest, then read it to see what is done during building.