[QUESTION] Flatpak or AUR?

Linux@lemmy.ml – 59 points – 4 months ago

I've been using arch for a while now and I always used Flatpaks for proprietary software that might do some creepy shit because Flatpaks are supposed to be sandboxed (e.g. Steam). And Flatpaks always worked flawlessly OOTB for me. AUR for things I trust. I've read on the internet how people prefer AUR over Flatpaks. Why? And how do y'all cope with waiting for all the AUR installed packages to rebuild after every update? Alacritty takes ages to build for me. Which is why I only update the AUR installed and built applications every 2 weeks.

You are viewing a single comment

View all comments Show the parent comment

No cryptographic signature verification, like most package managers have

That doesn't seem to be true? https://flatpak-testing.readthedocs.io/en/latest/distributing-applications.html#gpg-signatures

The link you sent says that its an option that can be turned on or off. Also, that's for uploading. Doesn't say anytbify about verification of downloads.

From the page:

It is recommended that OSTree repositories are verified using GPG whenever they are used. However, if you want to disable GPG verification, the --no-gpg-verify option can be used when a remote is added.

That is talking about downloading as well. Yes, you can turn it off, but so can you usually do it with native package managers, e.g. pacman: https://wiki.archlinux.org/title/Pacman/Package_signing

where does it say this applies to downloads too?

I'm confused why you think it would be anything else, and why you are so dead set on this. Repos include a signing key. There is an option to skip signature checking. And you think that signature checking is not used during downloads, despite this?

Ok, here are a few issues related to signatures being checked by default, when downloading: https://github.com/flatpak/flatpak/issues/4836 https://github.com/flatpak/flatpak/issues/5657 https://github.com/flatpak/flatpak/issues/3769 https://github.com/flatpak/flatpak/issues/5246 https://askubuntu.com/questions/1433512/flatpak-cant-check-signature-public-key-not-found https://stackoverflow.com/questions/70839691/flatpak-not-working-apparently-gpg-issue

Flatpak repos are signed and the signature is checked when downloading.

It's OK to be wrong. Dying on this hill seems pretty weird to me.

If its not documented, we shouldn't assume it has a security feature.

You know what else we shouldn't assume? That that it doesn't have a security feature. And we additionally then shouldn't go around posting that incorrect assumption as if it were a fact. You know, like you did.

Oh, we should absolutely assume that software does not have security features unless those features are clearly documented (and audited)...

Feel free to assume that, but don't claim an assumption as a fact.

You recommended using native package managers. How many of them have been audited?