{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreibkf2ddzdfinmfyjtbzitlfyjt5b7d3jzyh3vi6o5hv5ybpmlxg4m",
    "uri": "at://did:plc:yrn4rbgwenb6lfhhzjegbtnc/app.bsky.feed.post/3mjiluxjdsuv2"
  },
  "path": "/t/security-of-unverified-flatpaks/11983#post_9",
  "publishedAt": "2026-04-13T14:27:05.000Z",
  "site": "https://discourse.flathub.org",
  "tags": [
    "github.com/flathub-infra/website",
    "Review source domain changes in Flatpak manifests",
    "sonnyp"
  ],
  "textContent": "github.com/flathub-infra/website\n\n####  Review source domain changes in Flatpak manifests\n\nopened 12:19AM - 21 Feb 24 UTC\n\n\n\n          sonnyp\n        \n\nThis is a follow up from a conversation around https://popey.com/blog/2024/02/ex…odus-bitcoin-wallet-490k-swindle/ and how Flathub is vulnerable. We already do pretty well with * All new submissions are reviewed * All permission updates are reviewed For practical purpose we don't review all manifest changes. However, reviewing domain changes would go a long way in preventing malware from making their way in via manifest updates. Consider the following scenario * Actor submits a legit https://github.com/flathub/io.exodus.Exodus/ which download sources from exodus.com * Submission gets reviewed and approved * Actor updates the manifest to download sources from ex0dus.com * The update is automatically approved and the malware makes its way into Flathub I propose to add manual reviews for new domains in source download urls. Domains is used loosely here and we should consider also reviewing changes in well known source providers such as `github.com/*/*` Something to watch out for is IDN homograph attacks. One possible optimization would be to remove manual reviews if a verified app only downloads from its verified domain.",
  "title": "Security of unverified flatpaks"
}