Security of unverified flatpaks
Flathub Discourse [Unofficial]
April 12, 2026
bobbo:
> But no mention of review when URL or SHA1 changes.
We attempted that but it was unrealistic. I’m working on some heuristic to flag “invasive” changes but as always, I can’t say if or when.
bobbo:
> So what happens if a malicious contributor were to change the source URL to a malicious domain? And if this were to happen, hypothetically, would the users of the compromised flatpak be alerted somehow?
We would roll back a change like that, or yank the package altogether, combined with an announcement on the website.
This is not really different to other Linux distributions by any means. Like every open source project, we put a lot of trust into people maintaining apps. The unverified ProtonPass you mentioned in your initial post is a fairly old app and the submission process has been hugely tightened since. I don’t think it’s likely it would be accepted these days; that being said, it’s maintained by a long-term Flathub maintainer.