I’ve started using Signal messaging app. When I am using Whatsapp, I usually use Whatsapp web because I am not very good typing long sentences from Whatsapp mobile.
Same goes for Signal. I prefer to use the desktop version of Signal. But, Signal desktop installer for Linux is only available for Debian based systems (Link below)!!! Any idea how I can install Signal desktop app in a Fedora machine using rpm or yum repositories or any other way ?
Interestingly, no output for the above “flatpak remote-add” command. After I executed, all i got was a dollor prompt.
Step2. From Gnome software, I searched for Signal and clicked on Install. Well, I Signal was listed even before I ran step 1. Maybe because I had already configured the flatpack before and I forgot.
It can install flatpaks from the repos you have added, in this case Flathub; it can also install RPMs but it doesn’t use yum or dnf, it uses something called PackageKit as backend:
Y’all are comfortable with and have validated who has provided these alternate packages, snaps, and flatpaks (outside of the Signal repo) and that the binaries haven’t been tampered with, right?
You should consider that there is one person responsible for accepting the software you install on your system. YOU
What I accept may not be acceptable to you and vice versa.
The only thing I am comfortable saying in response to your question is that I trust what is stored on the fedora repos and on the rpmfusion repos for use with fedora. Anything else I evaluate on a case by case basis.
A good approach… the long term challenge though is around ongoing supply chain risk. What is safe today (ie, a Signal snap that Popey developed that pulls the deb directly from signal and verifies that hash for the file) may degrade in the future or be corrupted by a bad actor. Do you/we have the bandwidth to keep a constant eye on a package source that isn’t the source? Of course, we have to trust Signal and their ability to sign their packages, but what about downstream in the supply chain? For something as critical as Signal, you have to way the risks carefully…and consider the long term implications of your choice. Perhaps build in a process for validating the process/source for a Snap each time you update it? Lots of ways to solve this problem, but it involves more work and time as a system administrator and eventually, one gets lazy one update, and wouldn’t you know, that’s when the supply chain has been corrupted…
Do you know whether the compilation is official in any capacity? Slightly too much information is presented for me to ascertain whether it is trustworthy.
But network:im:signal apparently compiles all the dependencies from source, unlike the luminoso copr which used some binaries, so that increases trustworthiness.
I didn’t want to use the Flatpak or Snap, or manually update the RPM from openSUSE’s build service, or build Signal from source every time, so I tried Distrobox (sudo dnf install distrobox).
Now it appears in my launcher and I can launch Signal Desktop easily. It seems to work quite well for messaging. There are some dbus errors when you launch it from the terminal, but that doesn’t seem to affect anything.
And when I want to upgrade:
distrobox upgrade --all
I chose Arch Linux because I trust them, the package is a single install command away, and I never need to worry about the container image needing to upgrade to a new release like Ubuntu. For example, when 22.04 is EOL, Signal will stop releasing new versions of Signal for it. There’s not really an upgrade path for Distrobox containers; you just need to create a new container and set it up again. With the Arch Linux container, it’s a rolling release that’s always up-to-date and will always receive new versions of Signal quickly.
I do need to trust that the Docker image Distrobox uses is trustworthy. It’s an official image for Docker Hub maintained by an Arch developer and other Trusted Users, so that’s enough for me.
Here’s to hoping Signal Foundation claims ownership of the Flatpak in the future.