Setting the verified developer tick in GNOME Software
Michael Hall
mhall119 at gmail.com
Fri Aug 10 13:44:06 UTC 2018
I agree with Allan, with Flatpaks you are placing your trust in the
owner of the remote repo you install, so that's the level where
verification information should come from.

FWIW, this is philosophically the same as how the badge is being used
for Snaps, it's the snap store that you trust, and it's the snap store
that's telling you which packages are verified.

I've always held a position of "verify the developer, not the app" as a
way for Flathub to better support 3rd party developers who just want to
distribute their app through a well-known store, and this would be a
good step in that direction.

Michael Hall
mhall119 at gmail.com

On 08/10/2018 06:00 AM, Allan Day wrote:
> Simon McVittie <smcv at collabora.com> wrote:
> ...
>> On Thu, 09 Aug 2018 at 13:04:57 +0100, Richard Hughes wrote:
>>> GNOME Software now has the ability[1] to show a little tick when we
>>> know the developer providing the Snap is verified and I wondered if we
>>> could do something like that for Flatpak.
>> What does this tick mean?
> ...
>> The Google Play meaning for "verified" seems to be something like "the
>> uploading Google account has the name of a well-known company/vendor, and
>> we have verified that the company/vendor of that name really controls it"
> ...
>
> I'm not sure it makes sense to think about verification in a
> Flatpak-wide sense: it is probably only relevant to Flathub.
>
> With Flathub, we've historically wanted app developers to be the
> publishers, so that they manage the distribution of their own apps. We
> already have an informal rule that an app developer has the right to
> manage their own app in Flathub, should they want to, and we already
> have a basic resolution mechanism for situations where an app
> developer wants to take control of an app that's already being
> distributed. In this respect, we already have the concept of a
> "verified" app. Here "verified" can include someone managing the
> Flatpak on the developer's behalf. What matters is that the developer
> knows about it, has authorized it, and that Flatpak is to some extent
> supported.
>
> This sounds like a different use of the verified badge than what Snap
> is using it for, and this could create UI issues if we both tried to
> use the same badge: if you're showing these badges in an app center,
> they probably ought to mean the same thing, and the UI should probably
> have an explanation of what the badge means somewhere.
>
> The wider question we have to answer, I think, is how much we want to
> promote the model where app developers manage their own apps. If we do
> want to promote it, then showing these badges is probably a good thing
> to do, since it's an encouragement to app developers to "own" their
> apps.
>
> It's not entirely clear to me whether we need a special mechanism in
> order to do this: we already have a developer and a publisher field.
> Perhaps we could just show a badge on app tiles when those two fields
> are identical?
>
> Allan