{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiavpnzswlxcah2j3il2l2t5ktf35zldflx65olh5xzhmzn3tjw6l4",
    "uri": "at://did:plc:yrn4rbgwenb6lfhhzjegbtnc/app.bsky.feed.post/3mjbkxaqxmc22"
  },
  "path": "/t/security-of-unverified-flatpaks/11983#post_5",
  "publishedAt": "2026-04-11T23:11:10.000Z",
  "site": "https://discourse.flathub.org",
  "textContent": "I have asked three questions:\n\n  1. What measures does Flathub take to prevent a malicious, established Flathub contributor from updating the manifest with a malicious source?\n  2. What happens if a malicious contributor were to change the source URL to a malicious domain?\n  3. If (2) were to happen, would the users of the compromised flatpak be alerted somehow?\n\nI do not understand your answer in relation to any of these questions. Do you mean to say that it’s unreasonable for me to entertain the idea of Flathub employing supply-chain attack prevention measures and harm mitigation responses, in the case that the application package is not published by its developer?",
  "title": "Security of unverified flatpaks"
}