Setting the verified developer tick in GNOME Software

Simon McVittie smcv at collabora.com
Thu Aug 9 12:47:27 UTC 2018


On Thu, 09 Aug 2018 at 13:04:57 +0100, Richard Hughes wrote:
> GNOME Software now has the ability[1] to show a little tick when we
> know the developer providing the Snap is verified and I wondered if we
> could do something like that for Flatpak.

What does this tick mean? Yes it means "verified", but what fact has
been verified? In particular, is it a fact about the software, or a fact
about the vendor?

The Google Play meaning for "verified" seems to be something like "the
uploading Google account has the name of a well-known company/vendor, and
we have verified that the company/vendor of that name really controls it".
It sounds as though that might also be the case in Snap, with developer
accounts used to upload to snapcraft.io replacing Google accounts. Is
that what you're aiming for here?

Thought experiment: Which of these should be considered verified?

* A build of OpenArena made by the owners of openarena.ws

* A build of OpenArena made by some random community member but
  somehow endorsed as "the official OpenArena Flatpak" by the owners
  of openarena.ws

* A build of OpenArena made by some random community member that has
  been endorsed/reviewed by the owners of Flathub, but not by the
  owners of openarena.ws

* A build of OpenArena made by its Debian maintainer, with the vendor
  set to "Debian" in the metadata (assume that Flathub or someone has
  verified that the uploader has been endorsed by Debian)

(OpenArena is perhaps an interesting example because the versions in
distros like Debian have tended to get more active security support
than the upstream version - in general, game developers seem to save
up bug fixes for their next "feature" release, and often don't do
security-fix-only point releases.)

> Really this is a way for the
> downstream user to know if the "Skype" really is from Microsoft or if
> it's been repackaged by someone as "Skype  " who inserted a backdoor.

Similarly, does the verification here attach to the metadata that says
Skype, or to the metadata that says Microsoft Corporation, or to the
app name com.skype.Client being matched to the owner of skype.com,
or what?

Another important question here is: who can we trust to mark something as
"verified"? For centralized ecosystems it's the central point of control
(Google or snapcraft.io or Twitter or whatever) but Flatpak is more like
a federated system. If honest-daves-totally-legit-packages.example.com
says their version of com.skype.Client has been verified, should I trust
them? If not, why should I trust Flathub more, when I've made the same
trust decision by adding their repository URLs either way?
(One possible answer to that last question is "because I got my
flatpak.deb from e.g. Debian, and the Debian maintainer of Flatpak
has included Flathub's known-good key in flatpak.deb".)

A related question: if Flatpak repository curators (like the Flathub team)
are trusted to set the verified flag, is there a need to have a way for
the same repository to publish things that they have not verified? In
centralized ecosystems, the centralized publisher publishes almost
everything they're given in order to get broader coverage and avoid
accusations of censorship/bias, but in a federated system any publisher
is free to publish as much or as little as they want to - for instance
everything published by Debian has been checked by a Debian Developer,
but people whose software is not acceptable to Debian or just hasn't been
checked yet can operate their own parallel apt repositories, so there
is no need for a "not actually verified by Debian" section in Debian's
apt repositories. I'd assumed Flatpak was also using an apt-like model.

(Counterexample: if I understand it correctly, Arch Linux has official
Arch packages, which are checked by the core Arch developers, analogous
to Debian, and should maybe get the verified tick in GNOME Software;
but it also has AUR, which is a free-for-all for unreviewed community
contributions and should presumably not have the verified tick in GNOME
Software.)

    smcv
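The two questions the mail keeps returning to, "which fact was verified?" and "who is trusted to say so?", can be made concrete in a small model. The following is an added example, not code from the email, from GNOME Software or from Flatpak: the `Fact` kinds, the `Claim` record, the reverse-DNS app-id to domain derivation, the verifier hostnames and the idea of a distro-pinned trust set are all assumptions made for illustration, and the sample claims are constructed to mirror the OpenArena and Skype cases above. A tick is only produced when a claim about the app comes from a verifier the user already trusts, and the tick's label names the fact that was checked rather than a bare "verified".

```python
"""Model of a 'verified' tick: an explicit fact, asserted by a named verifier,
accepted only if that verifier is already a trust anchor for this client."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Fact(Enum):
    """Which fact a verifier claims to have checked (assumed categories)."""
    VENDOR_CONTROLS_DOMAIN = "vendor account is controlled by the owner of the vendor's domain"
    APP_ID_MATCHES_DOMAIN = "reverse-DNS app id belongs to the vendor's domain"
    UPSTREAM_ENDORSED = "upstream project endorsed this particular build"
    CURATOR_REVIEWED = "repository curator reviewed this particular build"


@dataclass(frozen=True)
class Claim:
    app_id: str
    fact: Fact
    verifier: str  # hostname of the party asserting the fact (constructed values below)


def app_id_domain(app_id: str) -> str:
    """Turn a reverse-DNS app id into the domain it implies:
    'com.skype.Client' -> 'skype.com'. The last component is the app name."""
    parts = app_id.split(".")
    if len(parts) < 3:
        raise ValueError(f"not a reverse-DNS app id: {app_id!r}")
    return ".".join(reversed(parts[:-1]))


def app_id_bound_to(app_id: str, vendor_domain: str) -> bool:
    """The binding the mail asks about: does the app id match the vendor domain
    named in the metadata? Case-insensitive, trailing dot ignored."""
    return app_id_domain(app_id).lower() == vendor_domain.lower().rstrip(".")


def trusted_claims(app_id: str, claims: list[Claim],
                   trusted_verifiers: set[str]) -> list[Claim]:
    """Keep only claims about app_id made by a verifier the user already trusts.
    A 'verified' flag set by any other remote is silently dropped."""
    return [c for c in claims
            if c.app_id == app_id and c.verifier in trusted_verifiers]


def tick_label(app_id: str, claims: list[Claim],
               trusted_verifiers: set[str]) -> Optional[str]:
    """Tooltip text for the tick, naming what was verified and by whom,
    or None when no trusted verifier vouches for the app (no tick shown)."""
    accepted = trusted_claims(app_id, claims, trusted_verifiers)
    if not accepted:
        return None
    return "; ".join(f"{c.verifier}: {c.fact.value}" for c in accepted)


# Constructed sample claims, loosely following the thought experiment in the mail.
CLAIMS = [
    Claim("ws.openarena.OpenArena", Fact.UPSTREAM_ENDORSED, "flathub.org"),
    Claim("ws.openarena.OpenArena", Fact.CURATOR_REVIEWED, "flathub.org"),
    Claim("com.skype.Client", Fact.VENDOR_CONTROLS_DOMAIN, "flathub.org"),
    Claim("com.skype.Client", Fact.APP_ID_MATCHES_DOMAIN,
          "honest-daves-totally-legit-packages.example.com"),
]

# Assumed trust anchor: a remote whose key was shipped by the distro's flatpak package.
DISTRO_TRUSTED = {"flathub.org"}

if __name__ == "__main__":
    for app in ("com.skype.Client", "ws.openarena.OpenArena"):
        print(app, "->", tick_label(app, CLAIMS, DISTRO_TRUSTED))
    # Adding a remote to the trusted set is where the trust decision happens,
    # not in the tick itself.
    extra = DISTRO_TRUSTED | {"honest-daves-totally-legit-packages.example.com"}
    print("com.skype.Client", "->", tick_label("com.skype.Client", CLAIMS, extra))
```

The design choice worth noting is that `trusted_verifiers` is an input owned by the client, not something a repository can set about itself; a remote that has not been added to that set can publish any claim it likes and the tick never appears, which is the federated answer to the "why trust Flathub more?" question.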
