
Possible abuse of the app update system.

Open BeverlyCode opened this issue 1 year ago • 7 comments

There are two main incentives to abuse the system for updating apps:

  • Bump the app on the front page updated list
  • To track active users: if you force an update every week you get a weekly "updated" metric, which will give you a weekly insight into active users.

These are solvable, not huge problems, but probably could do with fixing. Adding an active user metric to the stats would prevent people abusing it to obtain this metric, otherwise people who realise they can abuse it will probably do so as this metric can be quite valuable.

As for bumping on the front page, who really cares I guess, not the end of the world but maybe a bump limit per week or something can be added if not already in place so people can only bump their app on the front page once a week with an update, even if they update multiple times in a week.

BeverlyCode avatar Nov 15 '23 14:11 BeverlyCode

Do we know how many People are actually doing this?

JakobDev avatar Nov 15 '23 15:11 JakobDev

> Do we know how many People are actually doing this?

I haven't checked tbh but it would only be a matter of time before people would abuse this if no one is already abusing it.

https://klausenbusk.github.io/flathub-stats/#ref=com.jagex.RuneScape&interval=90&downloadType=updates

Here you can see five almost perfectly timed updates in 90 days. These are probably totally legitimate, but Jagex is a company that makes a profit; if they really are making this many legitimate updates to their client then they don't need to abuse the system. But it's tricky: because they make a profit, any insights they can get from distribution platforms are valuable, so we don't really know how superficial these updates actually are.

But I can bet you they (Jagex) are not stupid and know that having less frequent updates is going to give them less accurate statistics on active users, while also giving them less front page exposure. (Monthly, as they seem to be doing now, is adequate for a relatively low volume platform such as FlatHub, ~600 active a month.) No offence btw, Flathub is the highest volume platform for Linux, but in the grand scheme of things for a game like Runescape those are low volume figures.

FOSS software is probably less likely to abuse this, but it just depends how ruthless the publisher is; a lot of people desire to be successful, and it's human nature to look for advantages to put yourself above others in competitive environments.

Maybe commercial software should be more scrutinised on FlatHub as commercial entities are more likely to be looking for ways to gain a competitive advantage - and the ethos of FlatHub I assume is to give power to the independent FOSS developers more than to serve corporate entities.

BeverlyCode avatar Nov 15 '23 16:11 BeverlyCode
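As an added illustration (not part of this issue thread and not Flathub tooling), the kind of check that the "five almost perfectly timed updates in 90 days" observation suggests: take a daily series of "updates" download counts for one ref, such as the one the flathub-stats link plots, find the release-day spikes, and measure how regular the gaps between them are. The daily counts below are constructed, not real flathub-stats output, and all function names are this example's own; fetching and parsing the real stats is left out.

```python
from statistics import median, mean, pstdev

# Constructed sample (not real flathub-stats data): 90 daily counts of
# "update" downloads for one hypothetical ref. Between releases only a
# trickle of clients update; on a release day most active installs pull
# the new build, so each release shows up as a spike.
_BASELINE = [3, 2, 4, 3, 2, 5, 3]
_RELEASE_DAYS = [5, 23, 41, 59, 77]          # five releases, 18 days apart
SAMPLE_DAILY_UPDATES = [
    150 if day in _RELEASE_DAYS else _BASELINE[day % len(_BASELINE)]
    for day in range(90)
]


def release_days(daily_counts, factor=5.0):
    """Indices of days whose count is far above a typical day.

    The median is used as the baseline because a handful of large spikes
    does not move it, unlike the mean.
    """
    baseline = max(median(daily_counts), 1)
    return [d for d, n in enumerate(daily_counts) if n >= factor * baseline]


def release_intervals(days):
    """Gaps, in days, between consecutive release days."""
    return [b - a for a, b in zip(days, days[1:])]


def cadence_regularity(daily_counts):
    """Coefficient of variation of the release gaps (lower = more regular).

    Returns None with fewer than three gaps: two or three releases are not
    enough to talk about a cadence at all.
    """
    gaps = release_intervals(release_days(daily_counts))
    if len(gaps) < 3:
        return None
    return pstdev(gaps) / mean(gaps)


def looks_like_scheduled_bumps(daily_counts, max_cv=0.15, min_releases=4):
    """Heuristic flag only: frequent releases on a near-fixed schedule merit
    a look at the changelog, nothing more. Projects with genuine release
    trains also ship on a schedule, so this cannot distinguish intent.
    """
    days = release_days(daily_counts)
    cv = cadence_regularity(daily_counts)
    return len(days) >= min_releases and cv is not None and cv <= max_cv


def installs_estimate(daily_counts):
    """Per-release active-install estimate: spike height above the baseline
    trickle. This is the figure the issue says a publisher could read off
    the public stats by forcing regular updates.
    """
    baseline = median(daily_counts)
    return [daily_counts[d] - baseline for d in release_days(daily_counts)]


if __name__ == "__main__":
    days = release_days(SAMPLE_DAILY_UPDATES)
    print("release days:", days)
    print("gaps:", release_intervals(days))
    print("cadence CV:", cadence_regularity(SAMPLE_DAILY_UPDATES))
    print("scheduled-looking:", looks_like_scheduled_bumps(SAMPLE_DAILY_UPDATES))
    print("installs per release:", installs_estimate(SAMPLE_DAILY_UPDATES))
```

On the constructed series the five spikes land exactly 18 days apart, so the cadence CV is 0 and the flag trips; an irregularly spaced series with the same number of releases does not trip it. The thresholds are arbitrary and would need tuning against real refs before anyone drew conclusions from them.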

I think it's quite an inadequate example, as the mentioned app doesn't look official, is broken, and the company is killing the Linux support according to the comment. The updates are done by the flathub bot.

I seriously doubt this is a relevant example of abusing flathub.

Erick555 avatar Dec 07 '23 13:12 Erick555

> I think it's quite an inadequate example, as the mentioned app doesn't look official, is broken, and the company is killing the Linux support according to the comment. The updates are done by the flathub bot.
>
> I seriously doubt this is a relevant example of abusing flathub.

Wow Jagex are killing Linux support? Well honestly it's not too much of a surprise to me as they seemed to deliberately push broken updates to Linux users on DXP events every time without fail - I started to assume most bot clients must be using Linux and this was a technique they used to reduce botting during DXP events.

Either way their Linux support has always been bad. Intentional or unintentional lol. (I have not played in 3 years now, so consider that it was bad 3 years ago, so they probably won't be killing Linux support any time soon; they will most likely just continue offering the shoddy second-class Linux support they always have lol)

It's probably not a good example sure, and I don't really have any examples, but it's something that is possible, I haven't really looked for a real-world example currently active on Flathub but my point was just to illustrate such a technique is currently possible and there are very real incentives to exploit it.

What is done about it, if anything, is not my decision ultimately, but the fact that I have potentially made people more aware of it means that if people do start abusing it in the future or it is discovered someone is currently abusing it that hopefully someone who had read my post will identify it quickly and consider penalisation or similar of the publisher.

My main concern is not so much people exploiting it but the strain that fictitious updates would potentially put on the Flathub bot build system. If people want to bump their app that's pretty unfair to other people who are legitimately updating their apps but it's the equivalent to spilt milk to me in comparison to creating fictitious load on the build system which is quite serious and can affect many more publishers in a much worse way.

Since we are all forced to approve updates and new submissions via the Flathub bot before they go live, and sometimes this build system can be very slow or seemingly offline or non-functional, which can be very inconvenient to everyone who relies on its functionality.

BeverlyCode avatar Dec 07 '23 20:12 BeverlyCode

> My main concern is not so much people exploiting it but the strain that fictitious updates would potentially put on the Flathub bot build system. If people want to bump their app that's pretty unfair to other people who are legitimately updating their apps but it's the equivalent to spilt milk to me in comparison to creating fictitious load on the build system which is quite serious and can affect many more publishers in a much worse way.

This will hopefully change a bit with build tokens, when some apps will start to build on their own build servers

razzeee avatar Dec 08 '23 10:12 razzeee

Hi, is this related somehow to the fact that some builds are getting cancelled for no apparent reason right now?

mijorus avatar Feb 22 '24 10:02 mijorus

No - but the buildbot was restarted today, to try to fix the builds not setting github status promptly

razzeee avatar Feb 22 '24 10:02 razzeee

> My main concern is not so much people exploiting it but the strain that fictitious updates would potentially put on the Flathub bot build system.

All build requests go through the queue system in order of when they are requested. Unless you bypass GitHub's rate limits or get private tokens, there would be no way to put extra strain that a legitimate PR cannot.

If you have specific cases of these fictitious updates/updates with malicious intent please report it via the email listed in the GitHub homepage.

Apps can have legitimate dependency updates many times a day with how the current x-checker workflow works, for example if they have x-checkers set up for a bunch of python packages. There is no generic way to recognise such fictitious updates over legitimate ones without going through each on a case-by-case basis.

And I don't know why anyone would go through the trouble of doing all that just to get some usage metrics which they can easily do by implementing it in the app or staying up in the recently updated list which seems to be an even weaker reason and then get easily caught because the builds are monitored.

I'm closing this as this seems to be a non-existent problem right now.

bbhtt avatar Apr 07 '24 16:04 bbhtt

> And I don't know why anyone would go through the trouble of doing all that just to get some usage metrics which they can easily do by implementing it in the app or staying up in the recently updated list which seems to be an even weaker reason and then get easily caught because the builds are monitored.

That would mean the app needs network access which lowers its trust rating.

mrbid avatar Apr 07 '24 16:04 mrbid