On Tue, Jun 6, 2023 at 7:50 AM Leon Fauster via devel < devel@lists.fedoraproject.org> wrote:
> Is the Fedora OCI flatpak approach not about the trust into the chain of > flatpak creation? src -> signed rpm -> flatpak? So, even in an ideal world > where RHEL is immutable and the best workstation experience is based on > flatpaks - RPMs are the building block. This is completly different to the > Flathub approach ... > https://fedoraproject.org/wiki/Flatpak#Fedora_flatpaks > In both cases, the build is fixed to a cryptographic hash of the source tarball. For Flathub, that is done in the manifest file.. ( https://github.com/flathub/org.libreoffice.LibreOffice/blob/master/org.libreoffice.LibreOffice.json) In Fedora, by the SOURCES file. In both cases, the exact tools versions used to build the binary from the source are recorded. For Flathub, that is done by embedding an extended version of the manifest in the application (at /app/manifest.json). For Fedora, that information is recorded by the buildroot information saved by koji. You could look for more - does the hash in the SOURCES file actually correspond to the published upstream tarball? Is there a signature on that tarball? Do you trust that signature? But I don't see much of a difference in this aspect. Building an intermediate RPM doesn't make the source => Flatpak pipeline more secure. - Owen
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue