If there's one thing you can always count on in the Linux world it's that packaging can be a nightmare. The OBS Studio team are not happy with the Fedora folks due to Flatpak problems and threatened legal action.
            • M.int@lemm.ee
              8·
              3 months ago

              This seems to be blatant misinformation.
              The default seems to require a gpg signature. It can be disabled for a remote with --no-gpg-verify, but the default for installing and building definitely requires a signature.
              You keep talking about the docs, so please show me where is says that in the Flatpak Documentation.

                • M.int@lemm.ee
                  8·
                  3 months ago

                  You have not provided a single link.

                  I’m am no expert on flatpak and just did some basic searching.
                  From reading the command reference it seems GPG-Verification is enabled for each remote and can’t be disabled/enabled for each install. I can just find some issues where gpg verification fails

                  Error: GPG verification enabled, but no signatures found (use gpg-verify=false in remote config to disable)
error: Failed to install bundle fr.handbrake.ghb: GPG verification enabled, but no signatures found (use gpg-verify=false in remote config to disable)

                  Documentation seems to be more user oriented and not developer oriented maybe someone more knowledgeble can go in the source code and tell us how it actually works.

                • ms5K8oWx@programming.devEnglish
                  91·
                  3 months ago

                  The burden of proof is on you.

                  You accused flatpak of being insecure. The burden to prove that is totally on you.