Hi, there!

Newbie question here: basically, the title. Perhaps what I’m asking is pretty obvious, but I’d like to double-check with the community on this.

I use Discover on my Debian KDE Plasma set-up, with Flatpaks enabled (but not Snaps). Sometimes, I come across apps (I did just yesterday, searching for translation apps to replace DeepL) that have, according to their page, an unknown author and, sometimes, even an unknown licence, but which do require access permission to the whole system (this latter requirement applying specifically to Deb packages, from what I’ve seen).

Under these circumstances, is it safe to assume that such apps will still be safe because of the fact that they appear listed on Discover (in other words, is Discover a guarantee of safety for the apps it shows, as in, some type of checked or proved content), or should I still be wary of potentially malicious software included on it?

Thank you very much in advance :)

  • unwarlikeExtortion@lemmy.ml
    arrow-up
    5
    ·
    11 days ago

    Discover itself doesn’t care about security - it’s the underlying package manager(s) and repos that do.

    Flatpak is perfectly safe IMO, as are the built-in repositories.

    Both Flatpak reviewers and Debian maintainers do their due diligence when auditing the software they distribute.

    When using distros/repos which are less FOSS purist (such as Ubuntu), you could run primarily into privacy issues. When using smaller ones, the risk of a backdoor or vulnerability is a bit larger, as less eyes are on the code.

    That being said, the only way to be immune to untargeted cyberattacks is to be fully offline, running antiquated-but-well-tested code. Which is entirely unreasonable in this day and age.

    As long as you stick to your distro’s repo and Flatpak you should be perfectly fine. Even adding other repos isn’t a problem in and of itself, as long as you can reasonably trust the maintainers.

    So yeah - you can assume Flatpaks and the Debian repos are safe. They have good security policies about adding stuff in and do do their due diligence. Though this might change in the future, that doesn’t seem likely. So for now - you’ll be fine.

    The only real risk is if a backdoor like the recent one in xz-utils does slip through the cracks, but then you’ll be one of millions of affected machines which, while not mitigating the vulnerabilities per se, will at least mean the problem will get fixed sooner once it does get found.

    • Cekan14@lemmy.org (OP)
      arrow-up
      3
      ·
      11 days ago

      Thank you! Honestly, it’s quite amazing that I can enjoy such complex pieces of software made by and taken care of by the community while not trying to sell me anything or sell my data in return. I love Debian and FLOSS in general.
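Since the thread's point is that Discover only displays what the underlying package manager offers, the practical check for the "access to the whole system" worry in the question is to look at the Flatpak's declared sandbox permissions yourself before installing. The script below is an added example, not code from the thread or from the Flatpak project: it parses the INI-style text that `flatpak info --show-permissions <app-id>` prints for an installed app (the same `[Context]` and bus-policy sections appear in `flatpak remote-info --show-metadata <remote> <app-id>` for one you have not installed yet) and lists the entries that effectively undo the sandbox. The sample metadata and the list of what counts as "broad" are this example's own assumptions.

```python
"""Flag broad Flatpak sandbox permissions before installing an app.

Added example for the thread above, not from Flatpak or the posters.
Input is the INI-style permission listing from
`flatpak info --show-permissions <app-id>`; without an argument the
constructed SAMPLE below is used so the script runs offline.
"""
import configparser
import subprocess
import sys

# Values in the [Context] section that give the app most or all of the host.
# The category keys are Flatpak's own; which values count as "broad" is this
# example's judgement (assumption).
BROAD = {
    "filesystems": {"host", "host-os", "host-etc", "home"},
    "devices": {"all"},
    "sockets": {"session-bus", "system-bus"},
    "features": {"devel"},
}
# Bus names that let a sandboxed app ask the Flatpak service on the host to
# run commands outside the sandbox.
BROAD_BUS_NAMES = {"org.freedesktop.Flatpak", "org.freedesktop.Flatpak.Development"}

# Constructed sample in the format `flatpak info --show-permissions` prints.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;
filesystems=host;xdg-config/kdeglobals:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.kde.StatusNotifierWatcher=talk
"""


def parse_permissions(text: str) -> dict:
    """Return {section: {key: value}} from the INI-style permission text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep bus names like org.kde.* case-sensitive
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def _split_list(raw: str) -> list:
    """Flatpak separates list values with ';' and ends them with ';'."""
    return [item for item in raw.split(";") if item]


def find_broad(perms: dict) -> list:
    """List permissions that amount to whole-system access."""
    findings = []
    context = perms.get("Context", {})
    for key, risky in BROAD.items():
        for value in _split_list(context.get(key, "")):
            base = value.split(":")[0]  # drop suffixes such as :ro or :create
            if base in risky:
                findings.append(f"{key}={value}")
    for section in ("Session Bus Policy", "System Bus Policy"):
        for name, policy in perms.get(section, {}).items():
            if name in BROAD_BUS_NAMES and policy in ("talk", "own"):
                findings.append(f"{section}: {name}={policy}")
    return findings


def main(argv: list) -> None:
    if len(argv) > 1:
        text = subprocess.run(
            ["flatpak", "info", "--show-permissions", argv[1]],
            check=True, capture_output=True, text=True,
        ).stdout
    else:
        text = SAMPLE
    findings = find_broad(parse_permissions(text))
    if not findings:
        print("no whole-system permissions declared")
    for finding in findings:
        print("broad permission:", finding)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 flatpak_perms.py org.example.SomeApp` for an installed app, or with no argument to see it flag the sample's `filesystems=host`, the `session-bus` socket and the `org.freedesktop.Flatpak=talk` bus policy. A hit is not proof of malice (many apps legitimately need the session bus), but it tells you the sandbox is not what is protecting you, so the trust question falls back on the repository and the maintainers, as the answer above says.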