I’ve started using the Signal messaging app. When I am using WhatsApp, I usually use WhatsApp Web because I am not very good at typing long sentences on WhatsApp mobile.
Same goes for Signal. I prefer to use the desktop version of Signal. But the Signal desktop installer for Linux is only available for Debian-based systems (link below)!!! Any idea how I can install the Signal desktop app on a Fedora machine using rpm or yum repositories or any other way?
Interestingly, no output for the above “flatpak remote-add” command. After I executed it, all I got was a dollar prompt.
Step 2. From GNOME Software, I searched for Signal and clicked on Install. Well, Signal was listed even before I ran step 1. Maybe because I had already configured the flatpak before and I forgot.
It can install flatpaks from the repos you have added, in this case Flathub; it can also install RPMs but it doesn’t use yum or dnf, it uses something called PackageKit as backend:
Y’all are comfortable with and have validated who has provided these alternate packages, snaps, and flatpaks (outside of the Signal repo) and that the binaries haven’t been tampered with, right?
You should consider that there is one person responsible for accepting the software you install on your system. YOU
What I accept may not be acceptable to you and vice versa.
The only thing I am comfortable saying in response to your question is that I trust what is stored on the Fedora repos and on the RPM Fusion repos for use with Fedora. Anything else I evaluate on a case-by-case basis.
A good approach… the long-term challenge though is around ongoing supply chain risk. What is safe today (i.e., a Signal snap that Popey developed that pulls the deb directly from Signal and verifies that hash for the file) may degrade in the future or be corrupted by a bad actor. Do you/we have the bandwidth to keep a constant eye on a package source that isn’t the source? Of course, we have to trust Signal and their ability to sign their packages, but what about downstream in the supply chain? For something as critical as Signal, you have to weigh the risks carefully… and consider the long-term implications of your choice. Perhaps build in a process for validating the process/source for a Snap each time you update it? Lots of ways to solve this problem, but it involves more work and time as a system administrator and eventually, one gets lazy one update, and wouldn’t you know, that’s when the supply chain has been corrupted…
Do you know whether the compilation is official in any capacity? Slightly too much information is presented for me to ascertain whether it is trustworthy.
But network:im:signal apparently compiles all the dependencies from source, unlike the luminoso copr which used some binaries, so that increases trustworthiness.