FlatPak as a Software Source / flathub as a source of software

Patrick · January 18, 2024, 1:48pm

Recent releases,

come with Flathub system-wide enabled by default.
do not come with Flathub per-user enabled by default.

References for Flathub system-wide:

Kicksecure/anon-apt-sources-list/blob/master/etc/flatpak/remotes.d/flathub.flatpakrepo

[Flatpak Repo]
Title=Flathub - Verified and Floss (Freedom Software) - --subset=verified_floss
Subset=verified_floss
Url=https://dl.flathub.org/repo/
Homepage=https://flathub.org/
Comment=Central repository of Flatpak applications
Description=Central repository of Flatpak applications
Icon=https://dl.flathub.org/repo/logo.svg
GPGKey=mQINBFlD2sABEADsiUZUOYBg1UdDaWkEdJYkTSZD68214m8Q1fbrP5AptaUfCl8KYKFMNoAJRBXn9FbE6q6VBzghHXj/rSnA8WPnkbaEWR7xltOqzB1yHpCQ1l8xSfH5N02DMUBSRtD/rOYsBKbaJcOgW0K21sX+BecMY/AI2yADvCJEjhVKrjR9yfRX+NQEhDcbXUFRGt9ZT+TI5yT4xcwbvvTu7aFUR/dH7+wjrQ7lzoGlZGFFrQXSs2WI0WaYHWDeCwymtohXryF8lcWQkhH8UhfNJVBJFgCY8Q6UHkZG0FxMu8xnIDBMjBmSZKwKQn0nwzwM2afskZEnmNPYDI8nuNsSZBZSAw+ThhkdCZHZZRwzmjzyRuLLVFpOj3XryXwZcSefNMPDkZAuWWzPYjxS80cm2hG1WfqrG0Gl8+iX69cbQchb7gbEb0RtqNskTo9DDmO0bNKNnMbzmIJ3/rTbSahKSwtewklqSP/01o0WKZiy+n/RAkUKOFBprjJtWOZkc8SPXV/rnoS2dWsJWQZhuPPtv3tefdDiEyp7ePrfgfKxuHpZES0IZRiFI4J/nAUP5bix+srcIxOVqAam68CbAlPvWTivRUMRVbKjJiGXIOJ78wAMjqPg3QIC0GQ0EPAWwAOzzpdgbnG7TCQetaVV8rSYCuirlPYN+bJIwBtkOC9SWLoPMVZTwQARAQABtC5GbGF0aHViIFJlcG8gU2lnbmluZyBLZXkgPGZsYXRodWJAZmxhdGh1Yi5vcmc+iQJUBBMBCAA+FiEEblwF2XnHba+TwIE1QYTdTZB6fK4FAllD2sACGwMFCRLMAwAFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQQYTdTZB6fK5RJQ/+Ptd4sWxaiAW91FFk7+wmYOkEe1NY2UDNJjEEz34PNP/1RoxveHDt43kYJQ23OWaPJuZAbu+fWtjRYcMBzOsMCaFcRSHFiDIC9aTp4ux/mo+IEeyarYt/oyKb5t5lta6xaAqg7rwt65jW5/aQjnS4h7eFZ+dAKta7Y/fljNrOznUp81/SMcx4QA5G2Pw0hs4Xrxg59oONOTFGBgA6FF8WQghrpR7SnEe0FSEOVsAjwQ13Cfkfa7b70omXSWp7GWfUzgBKyoWxKTqzMN3RQHjjhPJcsQnrqH5enUu4Pcb2LcMFpzimHnUgb9ft72DP5wxfzHGAWOUiUXHbAekfq5iFks8cha/RST6wkxG3Rf44Zn09aOxh1btMcGL+5xb1G0BuCQnA0fP/kDYIPwh9z22EqwRQOspIcvGeLVkFeIfubxpcMdOfQqQnZtHMCabV5Q/Rk9K1ZGc8M2hlg8gHbXMFch2xJ0Wu72eXbA/UY5MskEeBgawTQnQOK/vNm7t0AJMpWK26Qg6178UmRghmeZDj9uNRc3EI1nSbgvmGlpDmCxaAGqaGL1zW4KPW5yN25/qeqXcgCvUjZLI9PNq3Kvizp1lUrbx7heRiSoazCucvHQ1VHUzcPVLUKKTkoTP8okThnRRRsBcZ1+jI4yMWIDLOCT7IW3FePr+3xyuy5eEo9a25Ag0EWUPa7AEQALT/CmSyZ8LWlRYQZKYw417p7Z2hxqd6TjwkwM3IQ1irumkWcTZBZIbBgrSOg6CcXD2oWydCQHWi9qaxhuhEl2bJL5LskmBcMxVdQeD0LLHd8QUnbnnIby8ocvWN1alPfvJFjCUTrmD22U1ycOzRw2lIe4kiQONbOZtdWrVImQQSndjFlisitbmlWHvHm2lOOYy8+GJB7YffVV193hmnBSJffCy4bvkuLxsI+n1DhOzc7MPV3z6HGk4HiEcF0yyt9tCYhpsxHFdBoq2h771HfAcS0s98EVAqYMFnf9em+4cnYpdI6mhIfS1FQiKl6DBAYA8tT3ggla00DurPo0JwX/zN+PaO5h/6O9aCZwV7G6rbkgMuqMergXaf8oP38gr0z+MqWnkfM63Bodq68GP4l4hd02BoFBbDf38TMuGQB14+twJMdfbAxo2MbgluvQgfwHfZ2ca6gyEY+9s/YD1gugLjV+S6CB51WkFNe1z4tAPgJZNxUcKCbeaHNbthl8Hks/pY9RCEseX/EdfzF18epbSjJMPh4DPQXbUoFwmyuYcoBOPmvZHNl9hK7B/1RP8w1ZrXk8qdupC0SNbafX7270B7lMMVImzZetGsM9ypXJ6llhp3FwW09iseNyGJGPsr/dvTMGDXqOPfU/9SAS1LSTY4K9PbRtdrBE318YX8mIk5ABEBAAGJBHIEGAEIACYWIQRuXAXZecdtr5PAgTVBhN1NkHp8rgUCWUPa7AIbAgUJEswDAAJACRBBhN1NkHp8rsF0IAQZAQgAHRYhBFSmzd2JGfsgQgDYrFYnAunj7X7oBQJZQ9rsAAoJEFYnAunj7X7oR6AP/0KYmiAFeqx14Z43/6s2gt3VhxlSd8bmcVV7oJFbMhdHBIeWBp2BvsUf00I0Zl14ZkwCKfLwbbORC2eIxvzJ+QWjGfPhDmS4XUSmhlXxWnYEveSek5Tde+fmu6lqKM8CHg5BNx4GWIX/vdLi1wWJZyhrUwwICAxkuhKxuP2Z1An48930eslTD2GGcjByc27+9cIZjHKa07I/aLffo04V+oMT9/tgzoquzgpVV4jwekADo2MJjhkkPveSNI420bgT+Q7Fi1l0X1aFUniBvQMsaBa27PngWm6xE2ZYvh7nWCdd5g0c0eLIHxWwzV1lZ4Ryx4ITO/VL25ItECcjhTRdYa64sA62MYSaB0x3eR+SihpgP3wSNPFu3MJo6FKTFdi4CBAEmpWHFW7FcRmd+cQXeFrHLN3iNVWryy0HK/CUEJmiZEmpNiXecl4vPIIuyF0zgSCztQtKoMr+injpmQGC/rF/ELBVZTUSLNB350S0Ztvw0FKWDAJSxFmoxt3xycqvvt47rxTrhi78nkk6jATKGyvP55sO+K7Q7Wh0DXA69hvPrYW2eu8jGCdVGxi6HX7L1qcfEd0378S71dZ3g9o6KKl1OsDWWQ6MJ6FGBZedl/ibRfs8p5+sbCX3lQSjEFy3rx6n0rUrXx8U2qb+RCLzJlmC5MNBOTDJwHPcX6gKsUcXZrEQALmRHoo3SrewO41RCr+5nUlqiqV3AohBMhnQbGzyHf2+drutIaoh7Rj80XRh2bkkuPLwlNPf+bTXwNVGse4bej7B3oV6Ae1N7lTNVF4Qh+1OowtGjmfJPWo0z1s6HFJVxoIof9z58Msvgao0zrKGqaMWaNQ6LUeC9g9Aj/9Uqjbo8X54aLiYs8Z1WNc06jKP+gv8AWLtv6CR+l2kLez1YMDucjm7v6iuCMVAmZdmxhg5I/X2+OM3vBsqPDdQpr2TPDLX3rCrSBiS0gOQ6DwN5N5QeTkxmY/7QO8bgLo/Wzu1iilH4vMKW6LBKCaRx5UEJxKpL4wkgITsYKneIt3NTHo5EOuaYk+y2+Dvt6EQFiuMsdbfUjs3seIHsghX/cbPJa4YUqZAL8C4OtVHaijwGo0ymt9MWvS9yNKMyT0JhN2/BdeOVWrHk7wXXJn/ZjpXilicXKPx4udCF76meE+6N2u/T+RYZ7fP1QMEtNZNmYDOfA6sViuPDfQSHLNbauJBo/n1sRYAsL5mcG22UDchJrlKvmK3EOADCQg+myrm8006LltubNB4wWNzHDJ0Ls2JGzQZCd/xGyVmUiidCBUrD537WdknOYE4FD7P0cHaM9brKJ/M8LkEH0zUlo73bY4XagbnCqve6PvQb5G2Z55qhWphd6f4B6DGed86zJEa/RhS

Patrick · September 25, 2024, 4:40am

The flathub repository is enabled by default system-wide. This means, by default:

flatpak install flathub org.mozilla.firefox

can be used.

However, the flathub repository is not enabled by default yet per-user or for user user. Therefore,

flatpak --user install flathub org.mozilla.firefox

would fail. To make it work, the following command would be required.

flatpak --user remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo

Now, the obvious thing to suggest would be “enable flathub by default for per-user too”. But first, there are some Linux permission specific issues.

Also if flathub was enabled, both system-wide and per-user, once trying to install a flatpak, it would show the following confusing message.

Looking for matches…
Remote ‘flathub’ found in multiple installations:

   1) system
   2) user

Which do you want to use (0 to abort)? [0-2]:

Patrick · October 1, 2024, 7:05am

nurmagoz · October 17, 2024, 10:41am

Due to flatpak bad security design in mind, and require even more privileges, i suggest to have it ditched and rely on the old style of only having packages downloaded&installed from the distro main repos.

As a replacement, i suggest something more secure with the same upgraded packages, a stable and secure rolling distro.

e.g Tumbleweed:

extraextra · October 17, 2024, 1:39pm

What specifically?

nurmagoz · October 17, 2024, 5:58pm

One crazier than the other e.g: Downloading the binaries not the source code from the developers (firefox, vscodium…etc), doesnt pass TUF as it suffers from indefinite freeze attacks, blobs,…etc just garbage way to have newer software.

extraextra · October 17, 2024, 6:41pm

What kind of blobs?

nurmagoz · October 17, 2024, 7:08pm

" Flathub’s build process of downloading binaries poses certain risks. Since builds are automated, it is unlikely and not enforced that the packager verifies that the source code is complete, can be compiled, and is free of binary blobs, Embedded Code Copies of libraries, other software, or non-freedom software."

Patrick · October 18, 2024, 11:38am

Flathub feature request (written just now):

github.com/flathub/flathub

Indicate on flathub.org Whether a Flatpak is Built from Source or Binary During Build Process on Flathub

opened 11:30AM - 18 Oct 24 UTC

adrelanos

### Problem Statement: Flathub currently lacks transparency in showing whether …a Flatpak application is built from source code or if prebuilt binaries are used during the build process. Many users who care about software freedom, security, and reproducibility prefer source-built applications over precompiled binaries. While an application may be open-source, it could still be downloaded as a binary from upstream, bypassing the benefits of building from source. This distinction is especially important for those who value transparency and the integrity of software distribution. ### Importance of Source-built Applications: Reproducible builds, which are becoming a critical goal in software distribution, hold more value if the software is compiled from source, rather than being downloaded as a precompiled binary. While Flathub may eventually accomplish the goal of reproducible builds, its value would be diminished if many of the Flatpaks available are simply redistributed binaries from upstream. Transparency in this area would empower users to trust the builds more and make informed decisions. ### Comparison with Other Ecosystems: In the Debian community, the idea of removing embedded copies of code or binaries from upstream source packages is strongly encouraged to improve security and clarity in open-source software development. As the [Debian Wiki on Embedded Copies](https://wiki.debian.org/EmbeddedCopies) explains: > “Embedded copies (of code, data, fonts or other things) should be removed from the upstream VCS and source tarballs. Upstream might want to only embed the copies in the binary packages they distribute.” This concept is highly relevant to Flatpak's goals as well, as users expect the same level of scrutiny and transparency. ### Proposed Solution: 1. **Metadata Update**: Introduce a new field in the app metadata indicating whether a Flatpak is built from source or downloaded as a binary during the build process. 2. **UI Integration**: Display this information prominently on the Flathub website for each application, alongside existing metadata such as developer and license details. 3. **CLI Support**: Extend the Flatpak CLI to display this information when querying app details, such as using `flatpak info`. 4. **Automated Detection**: As part of the build process, have the build system automatically detect and log whether the build was from source or binary and update the metadata accordingly. 5. **Subset**: `verified_floss_source` ### Benefits: - **Increased Transparency**: Users can make more informed choices about the software they install, especially if they prioritize open-source and source-built applications. - **Support for Reproducible Builds**: Providing transparency into whether a build is from source or binary would add credibility to reproducible builds efforts on Flathub. - **Trust and Security**: Source-built applications reduce the risk of hidden vulnerabilities or proprietary code being introduced during the build process, improving trust in the ecosystem.

This shows that a Linux distribution or any software delivery mechanism is also a curator that performs a software quality review. For example,

in Debian embedded code copies are prohibited, source code is scanned for binaries are build servers have no network access.
on Flathub, some flatpaks are a simpler a wrapper around the binaries from the original developers, where no such checks are performed.

Both approaches have advantages and disadvantages. Flathub provides often more recent software than Debian but Debian performs a more stringent quality review and always buils all software in its main repository component from source code.

nurmagoz · October 20, 2024, 5:50pm

I think its game over, they just dont want to take the effort and do it correctly. Happy with the stupid mechanism they have.

nurmagoz · October 5, 2025, 5:04am

Here are examples

Search regex in github that will show packages built from .deb, .rpm,..:

https://github.com/search?q=org%3Aflathub+%22type%3A+extra-data%22+AND+%28path%3A*.yaml+OR+path%3A*.yml%29+-path%3A.github%2F&type=code

https://github.com/search?q=org%3Aflathub+%22%5C%22type%5C%22%3A+%5C%22extra-data%5C%22%22+AND+path%3A*.json+-path%3A.github%2F&type=code

https://github.com/search?q=org%3Aflathub+%22.rpm%22+AND+%28path%3A*.json+OR+path%3A*.yaml+OR+path%3A*.yml%29&type=code

https://github.com/search?q=org%3Aflathub+%22.appimage%22+AND+%28path%3A*.json+OR+path%3A*.yaml+OR+path%3A*.yml%29&type=code

https://github.com/search?q=org%3Aflathub+%22.deb%22+AND+%28path%3A*.json+OR+path%3A*.yaml+OR+path%3A*.yml%29&type=code

https://github.com/search?q=org%3Aflathub+rpm2cpio+AND+%28path%3A*.json+OR+path%3A*.yaml+OR+path%3A*.yml%29+-path%3A.github%2F&type=code

https://github.com/search?q=org%3Aflathub+%28%22buildsystem%3A+simple%22+OR+%22%5C%22buildsystem%5C%22%3A+%5C%22simple%5C%22%22%29+AND+%28%22dpkg+-x%22+OR+rpm2cpio+OR+%22appimage-extract%22+OR+%22ar+x%22%29+AND+%28path%3A*.json+OR+path%3A*.yaml+OR+path%3A*.yml%29+-path%3A.github%2F&type=code

Quick search about Source code VS Binary for some packages:

Note: These are Verified and Free Software on flathub.

Browsers

Binary

https://github.com/flathub/zone.dos.Browser/blob/master/zone.dos.Browser.yaml

https://searchfox.org/firefox-main/source/python/mozbuild/mozbuild/repackaging/flatpak.py

https://github.com/flathub/net.mullvad.MullvadBrowser/blob/master/net.mullvad.MullvadBrowser.yml

https://github.com/flathub/app.zen_browser.zen/blob/master/app.zen_browser.zen.yml

https://github.com/flathub/one.ablaze.floorp/blob/master/one.ablaze.floorp.yml

https://github.com/flathub/org.garudalinux.firedragon/blob/master/org.garudalinux.firedragon.yml

https://github.com/flathub/io.gitlab.librewolf-community/blob/master/io.gitlab.librewolf-community.json

https://github.com/flathub/com.brave.Browser/blob/master/com.brave.Browser.yaml

Source Code

https://github.com/flathub/io.github.ungoogled_software.ungoogled_chromium/blob/master/io.github.ungoogled_software.ungoogled_chromium.yaml

https://github.com/flathub/org.gnome.Epiphany/blob/master/org.gnome.Epiphany.json

https://github.com/flathub/engineer.atlas.Nyxt/blob/master/engineer.atlas.Nyxt.yaml

https://github.com/flathub/org.kde.falkon/blob/master/org.kde.falkon.json

https://github.com/flathub/org.catacombing.kumo/blob/master/org.catacombing.kumo.json

https://github.com/flathub/org.kde.angelfish/blob/master/org.kde.angelfish.json

Email Clients

Binary

https://hg-edge.mozilla.org/releases/comm-esr140/file/34b243658c31506d293b13d67238ccca56c290e0/taskcluster/docker/tb-flatpak/repack.sh

https://github.com/flathub/eu.betterbird.Betterbird/blob/master/eu.betterbird.Betterbird.yml

Source Code

https://github.com/flathub/org.gnome.Evolution/blob/master/org.gnome.Evolution.json

…

Its a mess when flathub doesnt enforce source code only (and verified only which is another issue).

Conclusion:

Unless you use gnome software from flathub, its all over the place.

Patrick · November 2, 2025, 11:44am

security-misc:

Configures flatpak to require authentication for all software installation
and management tasks including updates. Ships
/usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc,
diverts/hides /usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules.