Hi, there!
Newbie question here: basically, the title. Perhaps what I’m asking is pretty obvious, but I’d like to double-check with the community on this.
I use Discover on my Debian KDE Plasma set-up, with Flatpaks enabled (but not Snaps). Sometimes, I come across apps (I did just yesterday, searching for translation apps to replace DeepL) that have, according to their page, an unknown author and, sometimes, even an unknown licence, but which do require access permission to the whole system (this latter requirement applying specifically to Deb packages, from what I’ve seen).
Under these circumstances, is it safe to assume that such apps will still be safe because of the fact that they appear listed on Discover (in other words, is Discover a guarantee of safety for the apps it shows, as in, some type of checked or proved content), or should I still be wary of potentially malicious software included on it?
Thank you very much in advance :)
Just to clarify what others are saying: the ‘software store’ (Discover in your case) is just the graphical application that you use to manage the software installed on your computer. The repositories, aka ‘repos’ are the sources of that software. There are people whose job it is to vet the software in those repositories and make sure that it’s safe. Flatpak is a packaging format. The biggest repository (and what you likely have enabled) for flatpaks is Flathub. If you’re installing software from the Debian repo and Flathub you should be fine. You should be able to verify which repositories are enabled via the Discover app. You have the freedom to add other repositories too, but it will be your own responsibility to evaluate whether those sources are trustworthy if you do.
Long story short, if you just use Debian as it is, you are fine.
Thanks for joining the conversation and helping make things clear. This does help; so, basically, not having manually enabled anything other than Flathub/Flatpaks on Discover, and having Debian’s repository already, I am fine as long as I install programmes from either of those two.
Yes, you’ve got it 👍
You can basically just treat everything available in Discover as good, because everything there will either be from Debian or from Flathub.
I’m on Debian 13 too but have the GNOME desktop environment.
I would say you are more than likely fine; malicious code does occasionally sneak into Debian-distributed apps, but you’ll likely never encounter something that is outright fraudulent or a scam.
malicious code does occasionally sneak into Debian distributed apps
Do you have an example of this? The xz utils backdoor did not make it into Debian stable, only unstable.
Debian stable essentially forks every package, maintaining a custom codebase. They then cherry-pick security updates only (ignoring feature updates or minor bugfixes) and apply those. This makes it extraordinarily resilient to any form of supply chain attack.
I probably should have said “may/could” sneak in; I forgot the xz incident didn’t quite make it to Debian (but would have, had it not been caught).
Discover itself doesn’t guarantee anything. Flathub (the Flatpak repository you are presumably using) requires a human review for new applications but not updates (and the human review doesn’t include a full audit of the app). I’m not aware of malware being distributed via Flathub in the past, but that doesn’t mean it can’t happen.
Thank you; this helps me to better understand it.
With Deb packages you’re safe. With Flatpak I would be a little careful, because with Debian, apps that have been abandoned get some maintainer love or will be removed, while with Flatpak you can install apps that have not been updated for years. It’s not very common, but I’ve seen a few of them. Because of that, I prefer to check the Flathub page of a Flatpak app before installing.
Discover itself doesn’t care about security - it’s the underlying package manager(s) that do.
Flatpak is perfectly safe IMO, as are the built-in repositories.
Both Flatpak reviewers and Debian maintainers do their due diligence when auditing the software they distribute.
When using distros/repos which are less FOSS purist (such as Ubuntu), you could run primarily into privacy issues. When using smaller ones, the risk of a backdoor or vulnerability is a bit larger, as fewer eyes are on the code.
That being said, the only way to be immune to untargeted cyberattacks is to be offline, which isn’t reasonable in this day and age. As long as you stick to your distro’s repo and Flatpak you should be perfectly fine, save for the “normal” vulnerability or two that unfortunately slip through every now and then. You could think of this as a kind of digital “herd immunity”.
As long as you don’t add repos willy-nilly but think about who you trust, you should be fine.
So yeah, you can assume Flatpaks and the Debian repos are safe. They have good security policies about adding stuff in and do their due diligence. This might change in the future, although it doesn’t seem likely. But for now, you’ll be fine.
The only real risk is if a backdoor like the recent one in xz-utils does slip through the cracks, but then you’ll be one of millions of affected machines, which, while not mitigating the vulnerabilities per se, will at least mean the problem will get fixed sooner once it does get found.
Thank you! Honestly, it’s quite amazing that I can enjoy such complex pieces of software made by and taken care of by the community while not trying to sell me anything or sell my data in return. I love Debian and FLOSS in general.
First-party stuff from your system package manager (things you install from the official repos with APT) is pretty much guaranteed to be safe. But the Snap Store (which uses snaps instead of flatpaks and is not installed by default on Debian) has unknowingly allowed and distributed malicious apps before. Flathub with flatpaks (which I think is enabled by default on Debian) hasn’t had such issues to this day AFAIK, but I would still be skeptical of stuff I install from there, and just not install apps with the Unverified badge on Flathub.
In the case of flatpaks, Flathub shows what permissions an app requests and gives it a kind of arbitrary safety level on its page:
You can click on it to see more information:
You can also use Flatseal to disallow any flatpak app from having certain permissions that you think it doesn’t deserve to have.
Debian repos are basically guaranteed safe: https://programming.dev/comment/22863237
Flathub is much, much safer than, say, the Google Play Store, but it ultimately does follow a model of app developers submitting packages which get reviewed and approved. In theory, someone could sneak malware past that, although there haven’t been any incidents (perhaps Flathub’s review is very effective?). But the Snap Store, which follows a similar model, has had malware. Then again, Canonical hasn’t been the best steward of that one.
In addition to this, not all stuff on Flathub is open source, which is definitely concerning.
Thankfully, flatpak has a built-in sandboxing system, which lets you limit what the apps have access to. KDE has a UI for it, and there is also the GUI app Flatseal.
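As an added illustration of the “check the app’s permissions before installing” advice in the posts above (this is example code, not from any poster in the thread), here is a small POSIX shell audit of the permission metadata that `flatpak info --show-permissions <app-id>` prints. The sample input is constructed inline in that same format so the script runs without Flatpak installed; the app id `com.example.App` and the function name are placeholders of this example.

```shell
#!/bin/sh
# Added example: flag the broad sandbox grants in Flatpak permission metadata.
# Real usage (com.example.App is a placeholder app id):
#   flatpak info --show-permissions com.example.App | audit_flatpak_permissions
# A finding is not proof of malice (many legitimate apps need host access),
# but it is the grant to look at, and the one Flatseal or
# `flatpak override --user --nofilesystem=host com.example.App` can take away.

# Constructed sample of a broadly permissioned app, in the [Context] /
# [Session Bus Policy] layout that `flatpak info --show-permissions` prints.
SAMPLE_PERMISSIONS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=all;
filesystems=host;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.kde.StatusNotifierWatcher=talk
'

# Constructed sample of a tightly sandboxed app (no broad grants).
SAFE_PERMISSIONS='[Context]
shared=network;
sockets=wayland;pulseaudio;
filesystems=xdg-download;
'

# Reads permission metadata on stdin, prints one line per broad grant and
# returns the number of findings as its exit status (0 = nothing broad).
audit_flatpak_permissions() {
    findings=0
    section=""
    while IFS= read -r line; do
        case "$line" in
            "["*"]") section="$line"; continue ;;
            "") continue ;;
        esac
        key="${line%%=*}"
        value="${line#*=}"
        case "$section" in
            "[Context]")
                case "$key" in
                    filesystems)
                        # host/home/host-os/host-etc defeat the file sandbox
                        case ";$value;" in
                            *";host;"*|*";home;"*|*";host-os;"*|*";host-etc;"*)
                                echo "filesystems: $value  (broad file access)"
                                findings=$((findings+1)) ;;
                        esac ;;
                    devices)
                        case ";$value;" in
                            *";all;"*)
                                echo "devices: all  (every /dev node)"
                                findings=$((findings+1)) ;;
                        esac ;;
                    sockets)
                        # an unfiltered bus socket bypasses the D-Bus policy
                        case ";$value;" in
                            *";session-bus;"*|*";system-bus;"*)
                                echo "sockets: $value  (unfiltered D-Bus access)"
                                findings=$((findings+1)) ;;
                        esac ;;
                esac ;;
            "[Session Bus Policy]")
                # talking to the Flatpak service lets the app spawn host processes
                if [ "$key" = "org.freedesktop.Flatpak" ]; then
                    echo "session bus: $key=$value  (host command execution)"
                    findings=$((findings+1))
                fi ;;
        esac
    done
    return "$findings"
}

# Demo run over the constructed samples.
printf '%s' "$SAMPLE_PERMISSIONS" | audit_flatpak_permissions \
    || echo "$? broad grant(s) flagged in SAMPLE_PERMISSIONS"
printf '%s' "$SAFE_PERMISSIONS" | audit_flatpak_permissions \
    && echo "nothing broad in SAFE_PERMISSIONS"
```

The same four grants are what Flathub’s page summarises as its safety rating and what Flatseal exposes as toggles; running the audit on your own installed apps (`flatpak list --app --columns=application` gives the ids) shows which of them you have already accepted.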