[AppStream] Appstream ID and Flatpak

Alexander Larsson alexl at redhat.com
Tue Jan 16 07:23:29 UTC 2018


Well, the appstream id is not really tied to the dns name in any way
but the hope that all people play ball to avoid unintentional
conflicts. So, even in the year of the linux desktop, anyone can
intentionally be evil and confusing by using someone else's id.

Things are *somewhat* more obvious for flatpak:ed apps, as the
appstream id matches the name which is at least a visible thing to the
user, but in e.g. an rpm your appstream could have whatever appstream
id and nobody would see it.

On Mon, Jan 15, 2018 at 4:54 PM, Bastien Nocera <hadess at hadess.net> wrote:
> On Mon, 2018-01-15 at 16:41 +0100, Alexander Larsson wrote:
>> I think ch.x29a.playitslowly is fine as long as it's also used
>> upstream. It doesn't quite follow the convention, which is
>> unfortunate,
>> but it is not a huge problem. In practice the dns conflict on x29a.ch
>> is unlikely.
>
> It's unlikely, but fast-forward a couple of years to the "Year of the
> Linux desktop", and it would be a way to hijack an application ID,
> similarly to how some Google Play apps and Google Chrome extensions
> change hands to folks with nefarious purposes.
>
> I think it needs to be fixed properly.



-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                Red Hat, Inc
       alexl at redhat.com         alexander.larsson at gmail.com

