
Document Security

Open maltfield opened this issue 3 years ago • 6 comments

Please add a Security section to your flatpak.org website or documentation that lists:

  1. What security systems flatpak currently employs,
  2. What security systems flatpak does not employ (compared to other package managers), and
  3. What security systems are on the roadmap for flatpak
  4. Responsible Disclosure (whom I can privately contact, and how, if I find a dangerous, security-related bug in your security team's remit), with PGP public key

I just learned of flatpak today. Package managers are great. IMHO, the most important reason why I choose a distro is because of the package manager. And I love package managers because of the security they provide.

For example, I feel very safe installing packages with apt because I know that every package in the repo is cryptographically authenticated after download because the apt repo's manifest is signed.

However, I was very disappointed that I couldn't find any information about flatpak's security features from the website.

Generally, I want to know if flatpak's developers consider security at all (and lacking a security page with, at the very least, a responsible disclosure page suggests they don't; this looks really, really bad).

Specifically, I want to know how packages downloaded with flatpak are cryptographically authenticated. Is it just relying on TLS? Does it pin a specific fingerprint? Does it pin a set of fingerprints? Does it use an additional cryptographic signature check (e.g. with PGP)? Would this apply to all packages or just some (and therefore to all my dependencies)? And what command would I run to confirm this for a given package or flatpak file? How are the private keys for signing releases stored? Who has access to them?

Please add a security section to your website that covers the security features present or absent in flatpak.

maltfield avatar Jan 25 '22 12:01 maltfield
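As an added example (not from the flatpak project and not part of this issue), here is the kind of local check a user could run to answer the "what command would I run to confirm" part of the question above. It assumes flatpak keeps its remote configuration in the OSTree repository config file (typically /var/lib/flatpak/repo/config for system installs or ~/.local/share/flatpak/repo/config for user installs) and that the gpg-verify key in each [remote "..."] section controls whether downloaded commits must carry a valid GPG signature; the config file below is constructed for the example.

```shell
#!/bin/sh
# Added example, not flatpak project code: audit an OSTree repo config
# (the file flatpak uses for its remotes) and report every remote that
# does not require GPG verification of downloaded commits.
# Assumptions: remotes are [remote "NAME"] sections and the key
# gpg-verify=true is what enforces signature checks.

# Constructed sample config, written to a temp file for this example.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
[core]
repo_version=1
mode=bare-user-only

[remote "flathub"]
url=https://dl.flathub.org/repo/
gpg-verify=true
gpg-verify-summary=true

[remote "unsigned-example"]
url=https://example.invalid/repo/
gpg-verify=false
EOF

# unverified_remotes CONFIG_FILE
# Prints the name of every remote whose gpg-verify is not "true"
# (a missing key counts as unverified). Exit status 0 when every
# remote verifies signatures, 1 when at least one does not.
unverified_remotes() {
    awk '
        function flush() {
            if (remote != "" && verify != "true") { print remote; bad = 1 }
        }
        /^\[remote "/ {
            flush()
            remote = $0
            sub(/^\[remote "/, "", remote); sub(/"\]$/, "", remote)
            verify = ""
            next
        }
        /^\[/ { flush(); remote = ""; next }
        /^gpg-verify=/ { verify = substr($0, 12) }
        END { flush(); exit bad ? 1 : 0 }
    ' "$1"
}

# Run against the constructed config; a real audit would point this at
# /var/lib/flatpak/repo/config instead.
unverified_remotes "$SAMPLE_CONFIG" || echo "some remotes do not enforce GPG verification"
```

The check is deliberately read-only: it tells you which remotes would accept unsigned content, so the fix (re-adding the remote with its maintainer's public key, or dropping it) stays a separate, explicit decision.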

See also https://security.stackexchange.com/questions/259088/does-flatpak-enforce-cryptographic-authentication-and-integrity-validation-by-de

maltfield avatar Jan 25 '22 12:01 maltfield

See also https://github.com/flatpak/flatpak/issues/4031

maltfield avatar Jan 25 '22 12:01 maltfield

See also https://github.com/flatpak/flatpak-builder/issues/435

maltfield avatar Jan 25 '22 12:01 maltfield

And https://github.com/flathub/flathub/issues/1498

mYnDstrEAm avatar Feb 03 '22 23:02 mYnDstrEAm

Responsible Disclosure (whom I can privately contact, and how, if I find a dangerous, security-related bug)

This information is on https://flatpak.org/about/

mwleeds avatar Feb 07 '22 02:02 mwleeds

@mwleeds thanks

For completeness, flatpak has a private mailing list (not public) where users can send emails to flatpak devs regarding security issues

  • https://lists.freedesktop.org/mailman/listinfo/flatpak-security

To send an email to the list, you'd contact

flatpak-security at lists dot freedesktop dot org

But even if it's a private list, that's going to send emails. Emails do not provide end-to-end encryption, and email contents generally should be considered publicly available. Usually it's expected to be provided with a PGP key when contacting a security team to divulge a security-related bug.

Can you please update the above page with the PGP key for contacting your team?

maltfield avatar Feb 07 '22 10:02 maltfield