Open maltfield opened 2 years ago
Responsible Disclosure (who and how I can privately contact your security team if I find a dangerous, security-related bug)
This information is on https://flatpak.org/about/
@mwleeds thanks
For completeness, flatpak has a private mailing list (not public) where users can send emails to flatpak devs regarding security issues
To send an email to the list, you'd contact
flatpak-security at lists dot freedesktop dot org
But even if it's a private list, that's going to send emails. Emails do not provide end-to-end encryption, and email contents generally should be considered publicly available. Usually it's expected to be provided with a PGP key when contacting a security team to divulge a security-related bug.
Can you please update the above page with the PGP key for contacting your team?
Please add a
Security
section to your flatpak.org website or documentation that lists:I just learned of flatpak today. Package managers are great. IMHO, the most important reason why I choose a distro is because of the package manager. And I love package managers because of the security it provides.
For example, I feel very safe installing packages with
apt
because I know that every package in the repo is cryptographically authenicated after download because the apt repo's manifest is signed.However, I was very disappointed that I couldn't find any information about flatpak's security features from the website.
Generally, I want to know if flatpak's developers consider security at all (and lacking a security page with, at the very least, a responsible disclosure page suggests they don't; this look really, really bad).
Specifically, I want to know how packages downloaded with flatpak are cryptographically authenticated. Is it just relying on TLS? Does it pin a specific fingerprint? Does it pin a set of fingerprints? Does it use an additional cryptographic signature check (eg with PGP)? Would this apply to all packages or just some (and therefore all my dependencies? And what command would I run to confirm for a given package or flatpak file?) How are the private keys for signing releases stored? Who has access to them?
Please add a security section to your website that covers the security features present or absent in flatpak.