On Tue, Jun 6, 2023 at 7:50 AM Leon Fauster via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Is the Fedora OCI flatpak approach not about the trust into the chain of flatpak creation? src -> signed rpm -> flatpak? So, even in an ideal world where RHEL is immutable and the best workstation experience is based on flatpaks - RPMs are the building block. This is completly different to the Flathub approach ... https://fedoraproject.org/wiki/Flatpak#Fedora_flatpaks
In both cases, the build is fixed to a cryptographic hash of the source tarball. For Flathub, that is done in the manifest file.. (https://github.com/flathub/org.libreoffice.LibreOffice/blob/master/org.libreoffice.LibreOffice.json) In Fedora, by the SOURCES file. In both cases, the exact tools versions used to build the binary from the source are recorded. For Flathub, that is done by embedding an extended version of the manifest in the application (at /app/manifest.json). For Fedora, that information is recorded by the buildroot information saved by koji.
You could look for more - does the hash in the SOURCES file actually correspond to the published upstream tarball? Is there a signature on that tarball? Do you trust that signature? But I don't see much of a difference in this aspect. Building an intermediate RPM doesn't make the source => Flatpak pipeline more secure.
- Owen
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue