Open thetredev opened 4 months ago
Also, it would be nice if we could have the ratings and comments back. As it is now, it is very hard to judge if an unverified flatpak is useful, bad or actively harmful. Being able to review a flatpak and see the reviews of others would help with peace of mind and serve as a tool to warn others.
I don't think the onus should be on us to make unverified flatpaks more convenient or less scary. It's on them to get their apps verified.
Yes I'm sure most if not all of these unverified Flatpaks are perfectly benign, but:
I don't think the onus should be on us to make unverified flatpaks more convenient or less scary. It's on them to get their apps verified.
Good point.
- What if someone has an issue and tries to report a bug to an app developer who isn't managing the flatpak build and packaging? That developer says 'that's not us, you need to use our release'. This is what I do if someone reports on some custom or other unsupported build of one of our packages. A less experienced user might be frustrated and confused.
How does my proposal affect how and where users report bugs? Not at all in my opinion. If they can see the app within mintinstall and have an issue, they would report the bug where they think is correct regardless of whether mintinstall opts for the setting Show unverified Flatpaks (not recommended) or something else.
So, invalid point.
- Why is it a bad thing that Windows hides unverified apps? Malware is prevalent in Windows.
I never said that. I was coming from the place that the Microsoft Store (and Apple's App Store for that matter) do not show unverified applications at all, because they do not have the notion of such a thing. All applications there go through a verification process, regardless of the quality of said process.
With that in mind: Mac and Windows users alike, who are used to these app stores and never used Linux (Mint), will miss a bunch of applications because they are hidden away from them with the current behavior of mintinstall. If the changes of the OP would take effect, they would see all applications and only when they click Install they'd be warned about the application being unverified.
Users will be scared away not by "unverified", "untrusted", "insecure", or "unapproved" applications. Most people don't care. They will however be scared away by an app store which hides 60% of the applications they want from them and then go ahead and deem the whole app store "a bad user experience" because they did not (want to) figure out the respective setting. My proposal is just a much more intuitive way of achieving the same goal as the setting Show unverified Flatpaks (not recommended).
- Allowing reviews for unverified Flatpaks builds trust, which would make other users less wary as well. So now you trust the app because other people said so. Next version, malware is introduced to trusting users via this app. This isn't fantasy, it just happened a few months ago.
Trust on the internet is generally only achieved by reviews and trusting others. By your argument, all TLS certification is invalid, because it all comes down to the TLS root certificate chain being trusted by your system. What's at the end of that root certificate chain? Some root certificate you don't know, but trust, because the whole chain trusts it, so your system trusts it.
If you want to buy a TLS certificate, who do you go to? Some company that has been reviewed by other companies stating that they do great service, or some random company that doesn't have any reviews at all, or worse, has less favorable reviews?
Only reviews will tell (new) users of mintinstall what is "good" and what is "bad" in my opinion. So let me ask you this: What do you propose instead of reviews?
- This sort of thing has happened at least twice with Snaps (Ubuntu's alternative to flatpaks).
What thing exactly? I'm curious.
Having the global flatpak setting Show unverified Flatpaks (not recommended) in Mint 22 is generally a step in the right direction. However, I would much prefer handling untrusted app vendors (like the Google Chrome flatpak vendor) differently.
How about changing the behavior to the following?
true
)false
if checked

If steps 3 and 4 are negations of each other because there is no such thing as "trusted flatpak app vendors", then I'd also be very happy with Untrusted Flatpak in red for any flatpak app.
This way of doing it is what I believe to be the more traditional and much more intuitive way. Coming from Windows, new users might struggle to find applications and aren't really aware that such a setting could even exist in the first place (as the Microsoft Store only shows trusted apps no matter what). And those coming from an older version of mintinstall may be surprised about the current/new behavior as well.

Edit: This is coincidentally exactly how Elementary OS does it. I didn't know that when I wrote this issue. But still, I think it's a much better solution.