There are big wishes for Signal to adopt the perfectly working Flatpak.

This will make Signal show up in the verified subsection of Flathub, it will improve trust, allow a central place for bug reports and support and ease maintenance.

Flatpak works on pretty much all Distros, including the ones covered by their current “Linux = Ubuntu” .deb repo.

To make a good decision, we need to have some statistics about who uses which package.

  • clever_banana
    link
    fedilink
    arrow-up
    5
    arrow-down
    14
    ·
    edit-2
    10 months ago

    I don’t use signal because I care about anonymity. I dont use flat pak because I care about security

    • sudneo@lemmy.world
      link
      fedilink
      arrow-up
      16
      arrow-down
      2
      ·
      10 months ago

      Flatpak is generally very good for security. Especially considerino you can override some defaults, you can have fairly tight isolation.

      • clever_banana
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        10 months ago

        No, it doesn’t even cryptographicly check signatures on packages when it downloads them lol

        • sudneo@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          10 months ago

          That is one security aspect only, and signature checking is done by OStree, but the only key used is the one from flathub, from what I understand. So you don’t verify the key of the application author, but solely the one from flathub, which means if the flathub distribution pipeline is compromised, you will not notice it and install a malicious package.

          That said, the isolation that provides is great, and things should be evaluated in context. I will consider much much more likely that a package I install has bugs/cves/is outright malicious, compared to the risk that the publisher pipeline gets compromised (this is essentially what the signature verification would protect from). This means that it is a huge net gain in terms of security, from my PoV, to have an “unverified” package running in flatpak, under the isolation that it provides, if we compare it to having it running in the native system, but verified.

          In other words, there is not a specific scale that if you “don’t even do…”, then it means you are not secure at all.