{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreibl5i37i5dvk7bltlahphptavg2je4pmzqhmlkwvmtk7fhdyxpywa",
    "uri": "at://did:plc:yrn4rbgwenb6lfhhzjegbtnc/app.bsky.feed.post/3mj7fmcjcgqb2"
  },
  "path": "/t/security-of-unverified-flatpaks/11983#post_1",
  "publishedAt": "2026-04-11T02:39:47.000Z",
  "site": "https://discourse.flathub.org",
  "tags": [
    "Flatpaks are flagged for human review when the following changes: app name, developer name, app summary, or license.",
    "Proton Pass"
  ],
  "textContent": "What measures does Flathub take to prevent a malicious, established Flathub contributor from updating the manifest with a malicious source? As far as I know, there is a first-time verification and security audit of the manifest when it is first submitted, but only certain audits after that. Flatpaks are flagged for human review when the following changes: app name, developer name, app summary, or license. But there is no mention of review when the URL or SHA1 changes.\n\nSo what happens if a malicious contributor were to change the source URL to a malicious domain? And if this were to happen, hypothetically, would the users of the compromised flatpak be alerted somehow?\n\nIn the case that the manifest is compromised, sandboxing would not prevent confidential data from being exfiltrated from within the application. For example, if you were to use Proton Pass, which is an unverified package for a password manager: a malicious actor could replace the source with their own malicious version and exfiltrate all user passwords in a smash-and-grab, until the package is corrected.\n\nWhat measures have been taken to prevent this scenario?",
  "title": "Security of unverified flatpaks"
}