search

flatpak / flatpak.github.io

Flatpak website
55 stars 99 forks source link

Document Security #520

Open maltfield opened 2 years ago

maltfield commented 2 years ago

Please add a Security section to your flatpak.org website or documentation that lists:

  1. What security systems flatpak currently employs,
  2. What security systems flatpak does not employ (compared to other package managers), and
  3. What security systems are on the roadmap for flatpak
  4. Responsible Disclosure (who and how I can privately contact your security team if I find a dangerous, security-related bug), with PGP public key

I just learned of flatpak today. Package managers are great. IMHO, the most important reason why I choose a distro is because of the package manager. And I love package managers because of the security it provides.

For example, I feel very safe installing packages with apt because I know that every package in the repo is cryptographically authenicated after download because the apt repo's manifest is signed.

However, I was very disappointed that I couldn't find any information about flatpak's security features from the website.

Generally, I want to know if flatpak's developers consider security at all (and lacking a security page with, at the very least, a responsible disclosure page suggests they don't; this look really, really bad).

Specifically, I want to know how packages downloaded with flatpak are cryptographically authenticated. Is it just relying on TLS? Does it pin a specific fingerprint? Does it pin a set of fingerprints? Does it use an additional cryptographic signature check (eg with PGP)? Would this apply to all packages or just some (and therefore all my dependencies? And what command would I run to confirm for a given package or flatpak file?) How are the private keys for signing releases stored? Who has access to them?

Please add a security section to your website that covers the security features present or absent in flatpak.

maltfield commented 2 years ago

See also https://security.stackexchange.com/questions/259088/does-flatpak-enforce-cryptographic-authentication-and-integrity-validation-by-de

maltfield commented 2 years ago

See also https://github.com/flatpak/flatpak/issues/4031

maltfield commented 2 years ago

See also https://github.com/flatpak/flatpak-builder/issues/435

mYnDstrEAm commented 2 years ago

And https://github.com/flathub/flathub/issues/1498

mwleeds commented 2 years ago

Responsible Disclosure (who and how I can privately contact your security team if I find a dangerous, security-related bug)

This information is on https://flatpak.org/about/

maltfield commented 2 years ago

@mwleeds thanks

For completeness, flatpak has a private mailing list (not public) where users can send emails to flatpak devs regarding security issues

To send an email to the list, you'd contact

flatpak-security at lists dot freedesktop dot org

But even if it's a private list, that's going to send emails. Emails do not provide end-to-end encryption, and email contents generally should be considered publicly available. Usually it's expected to be provided with a PGP key when contacting a security team to divulge a security-related bug.

Can you please update the above page with the PGP key for contacting your team?