Document Security #520
Description
Please add a Security section to your flatpak.org website or documentation that lists:
- What security systems flatpak currently employs,
- What security systems flatpak does not employ (compared to other package managers), and
- What security systems are on the roadmap for flatpak
- Responsible Disclosure (who and how I can privately contact your security team if I find a dangerous, security-related bug), with PGP public key
I just learned of flatpak today. Package managers are great. IMHO, the most important reason why I choose a distro is because of the package manager. And I love package managers because of the security it provides.
For example, I feel very safe installing packages with apt because I know that every package in the repo is cryptographically authenicated after download because the apt repo's manifest is signed.
However, I was very disappointed that I couldn't find any information about flatpak's security features from the website.
Generally, I want to know if flatpak's developers consider security at all (and lacking a security page with, at the very least, a responsible disclosure page suggests they don't; this look really, really bad).
Specifically, I want to know how packages downloaded with flatpak are cryptographically authenticated. Is it just relying on TLS? Does it pin a specific fingerprint? Does it pin a set of fingerprints? Does it use an additional cryptographic signature check (eg with PGP)? Would this apply to all packages or just some (and therefore all my dependencies? And what command would I run to confirm for a given package or flatpak file?) How are the private keys for signing releases stored? Who has access to them?
Please add a security section to your website that covers the security features present or absent in flatpak.