Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

flatpaks: rework handling of untrusted app vendors #427

Open
thetredev opened this issue Jul 13, 2024 · 3 comments
Open

flatpaks: rework handling of untrusted app vendors #427

thetredev opened this issue Jul 13, 2024 · 3 comments

Comments

@thetredev
Copy link

thetredev commented Jul 13, 2024

Having the global flatpak setting Show unverified Flatpaks (not recommended) in Mint 22 is generally a step in the right direction. However, I would much prefer handling untrusted app vendors (like the Google Chrome flatpak vendor) differently.

How about changing the behavior to the following?

  1. Replace the setting Show unverified Flatpaks (not recommended) with something like Show a warning before installing unverified Flatpaks (default: true)
  2. Display all apps in search results by default, no matter the vendor
  3. For flatpak apps, show Flatpak at the button of the app card in black, as it is the case at the moment
  4. For untrusted vendors of flatpak apps, show Untrusted Flatpak at the bottom of the app card in red, as it is the case currently when viewing the app and the setting is enabled
  5. When installing a flatpak from an untrusted vendor, show a pop up dialog and ask if that's really what the user wants to do
  6. Additionally to 5, add a Don't show this message again checkbox in step 5's dialog
  7. Additionally to 6, maybe even go as far as to show another dialog asking the user if they're really, really sure after they clicked Yes on step 5's dialog
  8. The checkbox of step 6 will set the setting Show a warning before installing unverified Flatpaks to false if checked

If steps 3 and 4 are negations of each other because there is no such thing as "trusted flatpak app vendors", then I'd also be very happy with Untrusted Flatpak in red for any flatpak app.

This way of doing it is what I believe to be the more traditional and much more intuitive way. Coming from Windows, new users might struggle to find applications and aren't really aware that such a setting could even exist in the first place (as the Microsoft Store only shows trusted apps no matter what). And those coming from an older version of mintinstall may be surprised about the current/new behavior as well.

Edit: This is coincidentally exaclty how Elementary OS does it. I didn't know that when I wrote this issue. But still, I think it's a much better solution.

@Zargess
Copy link

Zargess commented Jul 30, 2024

Also, it would be nice if we could have the ratings and comments back. As it is now, it is very hard to judge if an unverified flatpak is a useful, bad or actively harmful. Being able to review a flatpak and see the reviews of others would help with peace of mind and serve as a tool to warn others.

@mtwebster
Copy link
Member

I don't think the onus should be on us to make unverified flatpaks more convenient or less scary. It's on them to get their apps verified.

Yes I'm sure most if not all of these unverified Flatpaks are perfectly benign, but:

  • What if someone has an issue and tries to report a bug to an app developer who isn't managing the flatpak build and packaging? That developer says 'that's not us, you need to use our release'. This is what I do if someone reports on some custom or other unsupported build of one of our packages. A less experienced user might be frustrated and confused.
  • Why is it a bad thing that Windows hides unverified apps? Malware is prevalent in Windows.
  • Allowing reviews for unverified Flatpaks builds trust, which would make other users less wary as well. So now you trust the app because other people said so. Next version, malware is introduced to trusting users via this app. This isn't fantasy, it just happened a few months ago.
  • This sort of thing has happened at least twice with Snaps (Ubuntu's alternative to flatpaks).

@thetredev
Copy link
Author

thetredev commented Aug 1, 2024

I don't think the onus should be on us to make unverified flatpaks more convenient or less scary. It's on them to get their apps verified.

Good point.

  • What if someone has an issue and tries to report a bug to an app developer who isn't managing the flatpak build and packaging? That developer says 'that's not us, you need to use our release'. This is what I do if someone reports on some custom or other unsupported build of one of our packages. A less experienced user might be frustrated and confused.

How does my proposal affect the way how and where users report bugs? Not at all in my opinion. If they can see the app within mintinstall and have an issue, they would report the bug where they think is correct regardless of whether mintinstall opts for the setting Show unverified Flatpaks (not recommended) or something else.

So, invalid point.

  • Why is it a bad thing that Windows hides unverified apps? Malware is prevalent in Windows.

I never said that. I was coming from the place that the Microsoft Store (and Apple's App Store for that matter) do not show unverified applications at all, because they do not have the notion of such a thing. All applications there go through a verification process, regardless of the quality of said process.

With that in mind: Mac and Windows users alike, who are used to these app stores and never used Linux (Mint), will miss a bunch of applications because they are hidden away from them with the current behavior of mintinstall. If the changes of the OP would take effect, they would see all applications and only when they click Install they'd be warned about the application being unverified.

Users will be scared away not by "unverified", "untrusted", "insecure", or "unapproved" applications. Most people don't care. They will however be scared away by an app store which hides 60% of the applications they want from them and then go ahead and deem the whole app store "a bad user experience" because they did not (want to) figure out the respective setting. My proposal is just a much more intuitive way of achieving the same goal as the setting Show unverified Flatpaks (not recommended).

  • Allowing reviews for unverified Flatpaks builds trust, which would make other users less wary as well. So now you trust the app because other people said so. Next version, malware is introduced to trusting users via this app. This isn't fantasy, it just happened a few months ago.

Trust on the internet is generally only achieved by reviews and trusting others. By your argument, all TLS certification is invalid, because it all comes down to the TLS root certificate chain being trusted by your system. What's at the end of that root certificate chain? Some root certificate you don't know, but trust, because the whole chain trusts it, so your system trusts it.

If you want to buy a TLS certificate, who do you go to? Some company that has been reviewed by other companies stating that they do great service, or some random company that doesn't have any reviews at all, or worse, has less favorable reviews?

Only reviews will tell (new) users of mintinstall what is "good" and what is "bad" in my opinion. So let me ask you this: What do you propose instead of reviews?

  • This sort of thing has happened at least twice with Snaps (Ubuntu's alternative to flatpaks).

What thing exactly? I'm curious.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants