Hi, there!

Newbie question here: basically, the title. Perhaps what I’m asking is pretty obvious, but I’d like to double-check with the community on this.

I use Discover on my Debian KDE Plasma set-up, with Flatpaks enabled (but not Snaps). Sometimes, I come across apps (I did just yesterday, searching for translation apps to replace DeepL) that have, according to their page, an unknown author and, sometimes, even an unknown licence, but which do require access permission to the whole system (this latter requirement applying specifically to Deb packages, from what I’ve seen).

Under these circumstances, is it safe to assume that such apps will still be safe because of the fact that they appear listed on Discover (in other words, is Discover a guarantee of safety for the apps it shows, as in, some type of checked or proved content), or should I still be wary of potentially malicious software included on it?

Thank you very much in advance :)

  • Patch@feddit.uk · ↑4 · 23 days ago

    All Discover is is a graphical front end to your repositories, so the real question is “is everything in my repositories safe?”.

    There are no guarantees in life, but if you’re using only the default official Debian repos you’re just about as safe as you can get. If you add extra repos, whether deb based or flatpak, Discover will only be as safe as whatever you’ve hooked it up to.

  • bootleg@sh.itjust.works · ↑1 · 23 days ago

    First-party stuff from your system package manager (things you install from the official repos with APT) is pretty much guaranteed to be safe. But the Snap Store (which uses snaps instead of flatpaks and is not installed by default on Debian) has unknowingly allowed and distributed malicious apps before. Flathub with flatpaks (which I think is enabled by default on Debian) hasn’t had such issues to this day AFAIK, but I would still be skeptical of stuff I install from there, and just not install apps with the Unverified badge on Flathub.

    In the case of flatpaks, Flathub shows what permissions an app requests and gives it a kind of arbitrary safety level on its page. You can click on it to see more information. You can also use Flatseal to disallow any flatpak app from having certain permissions that you think it doesn’t deserve having.
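
Added example, written for this page and not posted by anyone in the thread: a POSIX sh script that reads the INI-style permission text that `flatpak info --show-permissions <app-id>` prints and flags the grants that reach outside the sandbox, which is what Flathub's safety badge summarises and what Flatseal lets you revoke. The sample metadata inside the script is constructed for the example; it is not taken from any real app.

```shell
# Added example, not from the thread: audit what a Flatpak asks for, reading the
# INI text printed by `flatpak info --show-permissions <app-id>`. BROAD marks
# grants that reach outside the sandbox (what Flathub's badge and Flatseal are about).
# One report line per grant in the metadata read from file $1 (or stdin).
audit_flatpak_permissions() {
    section=""; while IFS= read -r line; do
        case "$line" in \[*\]) section="$line"; continue ;; ""|\#*) continue ;; esac
        key="${line%%=*}"; values="${line#*=}"
        if [ "$section" = "[Session Bus Policy]" ]; then
            # talk/own on the Flatpak service permits flatpak-spawn --host (commands outside the sandbox)
            case "$key=$values" in
                org.freedesktop.Flatpak=talk|org.freedesktop.Flatpak=own)
                    echo "BROAD  $key=$values  (can run commands on the host)" ;;
                *)  echo "dbus   $key=$values" ;;
            esac
            continue
        fi
        [ "$section" = "[Context]" ] || continue
        old_ifs=$IFS; IFS=';'                       # values are ;-separated lists
        for v in $values; do
            case "$key=$v" in
                *=) ;;                              # empty trailing field
                filesystems=host*|filesystems=home*|filesystems=~*)
                    echo "BROAD  $key=$v  (your files outside the sandbox)" ;;
                devices=all)  echo "BROAD  $key=$v  (every node in /dev)" ;;
                sockets=session-bus|sockets=system-bus)
                    echo "BROAD  $key=$v  (unfiltered D-Bus access)" ;;
                sockets=x11)  echo "BROAD  $key=$v  (X11 isolates nothing)" ;;
                *)  echo "scoped $key=$v" ;;
            esac
        done
        IFS=$old_ifs
    done < "${1:-/dev/stdin}"
}

# Number of BROAD grants in file $1 (or stdin); 0 means nothing to question.
broad_permission_count() {
    audit_flatpak_permissions "$1" | grep -c '^BROAD' || true
}

# Constructed sample of an over-permissioned app (not a real app's metadata).
sample_metadata() {
    printf '%s\n' '[Context]' 'shared=network;ipc;' \
        'sockets=x11;wayland;pulseaudio;session-bus;' 'devices=dri;all;' \
        'filesystems=host;xdg-download;' '[Session Bus Policy]' \
        'org.freedesktop.Flatpak=talk'
}

sample_metadata | audit_flatpak_permissions       # 5 lines start with BROAD
```

On a real system, run `flatpak info --show-permissions <app-id> | sh -c '. ./audit.sh; audit_flatpak_permissions'` or save the output to a file and pass it as `$1`; anything reported as BROAD is a candidate to revoke in Flatseal.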

  • jpicture@lemmy.zip · ↑1 · 24 days ago

    Just to clarify what others are saying: the ‘software store’ (Discover in your case) is just the graphical application that you use to manage the software installed on your computer. The repositories, aka ‘repos’ are the sources of that software. There are people whose job it is to vet the software in those repositories and make sure that it’s safe. Flatpak is a packaging format. The biggest repository (and what you likely have enabled) for flatpaks is Flathub. If you’re installing software from the Debian repo and Flathub you should be fine. You should be able to verify which repositories are enabled via the Discover app. You have the freedom to add other repositories too, but it will be your own responsibility to evaluate whether those sources are trustworthy if you do.

    Long story short, if you just use Debian as it is, you are fine.

  • Ardor von Heersburg@discuss.tchncs.de · ↑0 · 24 days ago

    Stuff from the repository of your distribution generally can be considered safe, but everything involving a third party might not be.

    This applies to both other Apt repositories and Flatpak. You likely have Flathub as a Flatpak source and, while they have some checks and control instances, it is possible for untrusted third parties to upload packages, including non-free ones, there. I do not know of any incidents, but some suspicion towards packages with full system access can’t harm.

    • Cekan14@lemmy.org (OP) · ↑0 · 24 days ago

      Thank you for your insightful comment. If I may indulge once again in noobieness, what precisely do you mean when you say the “repository” of my distribution? Do you mean the pieces of software that come preinstalled with the OS itself?

      • banazir@lemmy.ml · ↑2 · 24 days ago

        A repository (or repo) is a server that hosts program files for your distribution. Distributions host their own repositories from which you can install software with your package manager, like APT or DNF or others. If you only install software from your distribution’s repository, there’s likely no clashes with software versioning and dependencies, and the packages are about as reliable as they can be (which doesn’t mean there’s never malware). If you add third party repositories for software not available from your distribution’s repository, it’s more likely there will be issues, because the distribution doesn’t guarantee the packages work well together.

        For example, Debian and Arch don’t retrieve and install their software from the same source. They have their own servers (repositories) hosting software compiled to work with their particular distro and to be used by their chosen package manager.

        Flatpak (or Snap or Guix) is a separate package manager that handles its own dependencies and doesn’t clash with your distribution’s own software manager.

        Does this help?

  • DataCrime@lemmy.dbzer0.com · ↑0 · 24 days ago

    Uhhhhhhhh…

    Bruh. It’s not safe to assume any software from anywhere is safe… that’s kinda the essence of Zero Day exploits.

    Even if you wrote it, there have been Linux exploits that hid a rootkit and patched the gcc compiler and linker to create a level of persistence that is just otherworldly. IIRC what that fucker was called, but it won’t be hard to find. You can probably still count Linux rootkits on one hand.

    Hell, I’ll look it up after I’m done with my morning deuce… that shit was epic. And like, also, theoretically, you could be Mr. Robot, so… you know… it’s just a good idea not to trust yourself anyway.

      • DataCrime@lemmy.dbzer0.com · ↑0 · 24 days ago

        Spot on, thanks for finding that. I wonder if there was ever a proof of concept or something like that. I installed my first copy of Slackware some time in the early 90s… Maybe late 80s… it’s getting a bit fuzzy; I want to say that the kernel was pre-0.9.

        One of the scariest things I had ever done, but I learned so much more about computers than I would have otherwise. Point being, there were definitely some years between Ken’s article… still very much the era of viruses for the sake of proving you could create something novel and powerful. We kept collections of them like weirdos that keep poisonous snakes 🐍

        Anyway, it’s past grandpa’s bedtime. Thanks again for finding the article, I’ll definitely have to do a bit more research… It was a super fun time in my life and I enjoyed remembering.

        • limelight79@lemmy.world · ↑1 · 23 days ago

          I thought he did do a proof of concept, but I could be wrong. It’s been a while (many years) since I’ve read up on it.

          My first Linux install was also Slackware, albeit Slackware 3.x, in the late 90s, while avoiding grad school work. I don’t remember what kernel it used at that time. So if you’re grandpa, I guess I’m your son. :)

          • DataCrime@lemmy.dbzer0.com · ↑1 · 23 days ago

            ROFL… I think there’s a quotable from Fight Club about his dad going around setting up “franchises…”

            Honestly hoping to meet Patrick Vol… nope —not even going to take a swing at trying to spell his last name. But I seriously owe that guy a beer and pancakes.

            On a semi related note, I think it took me a solid week of effort to get audio going (on Linux) just so I could be more confused about how to properly pronounce it. I want to say the file name was linux.au and it’s Linus saying something like “This is Linus Torvalds introducing UNIX as Linux.” Back in the day we had to spell UNIX with an asterisk because AT&T owned the trademark and aggressively enforced it.

            All of this went down while I was working at a shitty little outfit called Los Gatos Computer Corporation. We built IBM PC clones in half the warehouse, the other half was full of old SGI computers. The scam there was that the business owners told SGI they were recycling the old hardware, but what they actually did was cobble together working systems from the broken bits. Basically one brilliant guy sat in a 10x10 room chain smoking and patching the busted SGI stuff back together. He hand soldered upwards of a hundred hair fine bodge wires, motherboards taped together… it was mental, but somehow they made enough cash to keep the whole crazy operation alive for a year or two.

            • limelight79@lemmy.world · ↑1 · 20 days ago

              Volkerding, I think! checks Yep, that’s it!

              I remember being an idiot and compiling my own kernel (“oh it’s so much faster!”). Lol. I guess if that’s the dumbest thing I’ve done, I’m doing well. I remember that sound clip, too.

              Hey you were recycling them, just not into a dump!

  • lemmyreader@lemmy.ml · ↑0 · 23 days ago

    With Deb packages you’re safe. With Flatpak I would be a little careful, because with Debian, apps that have been abandoned get some maintainer love or are removed, while with Flatpak you can install apps that have not been updated for years; not very often, but I’ve seen a few of them. Because of that, I prefer to check the Flathub page of a Flatpak app before installing.

    • ☂️-@lemmy.ml · ↑1 · 23 days ago

      Flatpak marks packages as unmaintained, and at least GNOME Software will show it to users with a banner.