The problem is trust. Sandboxing is all well and good, but what of the data I give the app directly and the resources it has access to?
If a person installs the Steam client from FlatHub and logs in to it with their account credentials, how will they know the app wasn’t actually published by a third party who modified it to act as a man in the middle to steal account credentials. They’d need to be vigilant and follow a flathub link provided by Valve themselves. The app could also be a crypto miner, capped to use 10% CPU to avoid suspicion… now I’m searching the internet why steam is constantly using 10% of my CPU…
I don’t actually know if flathub does checks or anything so this isn’t a jab at them specifically. I personally distrust all package distribution platforms by default and don’t use sandboxed packages on any of my installs.
I guess we all have to define where the lines are and how far we’re prepared to go. Technically, you should read the actual source code fetched from AUR and only build once you’ve confirmed it does what you expect it to… for every thing you install and for every update. Maybe thats good for Richard Stallman, but the general populace will look for trust outside of only trusting themselves.
The problem is trust. Sandboxing is all well and good, but what of the data I give the app directly and the resources it has access to?
If a person installs the Steam client from FlatHub and logs in to it with their account credentials, how will they know the app wasn’t actually published by a third party who modified it to act as a man in the middle to steal account credentials. They’d need to be vigilant and follow a flathub link provided by Valve themselves. The app could also be a crypto miner, capped to use 10% CPU to avoid suspicion… now I’m searching the internet why steam is constantly using 10% of my CPU…
I don’t actually know if flathub does checks or anything so this isn’t a jab at them specifically. I personally distrust all package distribution platforms by default and don’t use sandboxed packages on any of my installs.
I guess we all have to define where the lines are and how far we’re prepared to go. Technically, you should read the actual source code fetched from AUR and only build once you’ve confirmed it does what you expect it to… for every thing you install and for every update. Maybe thats good for Richard Stallman, but the general populace will look for trust outside of only trusting themselves.
by the yellow unverified box on the flathub page: https://flathub.org/en/apps/com.valvesoftware.Steam
but, it does not show that at all in KDE discover.