Setting the verified developer tick in GNOME Software

Richard Hughes hughsient at gmail.com
Thu Aug 9 12:04:57 UTC 2018


Hi all,

GNOME Software now has the ability[1] to show a little tick when we
know the developer providing the Snap is verified and I wondered if we
could do something like that for Flatpak.

How you define "verified" is the sticking point I'm sure. Ideally we'd
have some kind of signature in the AppStream metadata (or flag in the
summary file) that could be used by the client software that the
author is actually the upstream vendor. Really this is a way for the
downstream user to know if the "Skype" really is from Microsoft or if
it's been repackaged by someone as "Skype  " who inserted a backdoor.
This is made harder as flathub is the "packager" perhaps choosing
extra patches or fixes that upstream might not contain. So the idea of
it being "verified" breaks down a little. This is really a question of
"this is not a fake" and I'm not completely sure how to quantify that.
Perhaps all apps from flathub (whitelisted by the remote URI) are
verified, based on the review process each application has to adhere
to?

As Allan pointed out, there probably needs to be a dispute resolution
mechanism when upstreams are less than ideal -- perhaps the developer
could check in a file into git (or include in the upstream tarball)
much like you'd do with letsencrypt or google adwords. It would be
weird for a developer-provided vanilla version to be marked as
non-verified and the flathub one with patches to be verified. Comments
and suggestions welcome.

Richard.

[1] https://gitlab.gnome.org/GNOME/gnome-software/merge_requests/71


More information about the Flatpak mailing list