How secure are verified flatpaks?

I synchronize, for example, sensitive information with SyncThingy, which is a verified app made by a volunteer developer to use syncthing as a flatpak.

An app being verified only demonstrates that it’s endorsed by its developer. In this case that means the developer of SyncThingy, not SyncThing.

The flatpak manifest has filesystem=host, so the sandbox is trivially escapable. In essence, it’s the same as if you installed it directly from github from a trust perspective. The flatpak packaging is more convenient, more reliable, and is less vulnerable to innocent packaging errors, but it doesn’t really protect against a bad actor.

3 Likes
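The point above about filesystem=host can be checked on any installed flatpak rather than taken on trust. The script below is an added example, not code from the thread or from the SyncThingy project: it reads the [Context] section that `flatpak info --show-permissions <app-id>` prints and names the permissions that reach outside the sandbox (host, host-os, host-etc or home filesystem access, the unrestricted session or system bus, and all devices). The two samples are constructed to illustrate the two cases; they are not SyncThingy's real metadata, and the app names in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: scan the [Context] section that
# `flatpak info --show-permissions <app-id>` prints and name the permissions
# that let an app reach outside the sandbox. Feed real output with:
#   flatpak info --show-permissions <app-id> | sandbox_holes

# sandbox_holes: read keyfile text on stdin, print one line per broad
# permission found, or "ok" when the [Context] section declares none.
sandbox_holes() {
    awk -F= '
        /^\[/ { section = $0; next }          # track the current [Section]
        section != "[Context]" { next }       # only sandbox settings matter here
        $1 == "filesystems" {
            n = split($2, fs, ";")
            for (i = 1; i <= n; i++)
                if (fs[i] == "host" || fs[i] == "host-os" || fs[i] == "host-etc" || fs[i] == "home") {
                    print "filesystem access: " fs[i]; found = 1
                }
        }
        $1 == "sockets" && $2 ~ /(^|;)session-bus(;|$)/ { print "unrestricted session bus"; found = 1 }
        $1 == "sockets" && $2 ~ /(^|;)system-bus(;|$)/  { print "unrestricted system bus"; found = 1 }
        $1 == "devices" && $2 ~ /(^|;)all(;|$)/         { print "all devices"; found = 1 }
        END { if (!found) print "ok" }
    '
}

# Constructed sample resembling a tray app that asks for the whole host
# filesystem (the situation described in the post above); placeholder names.
SAMPLE_HOST='[Application]
name=org.example.TrayApp
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=host;
'

# Constructed sample of a tighter app that relies on portals instead.
SAMPLE_PORTAL='[Application]
name=org.example.PortalApp

[Context]
shared=network;
sockets=wayland;fallback-x11;
filesystems=xdg-download;
'

printf '%s' "$SAMPLE_HOST"   | sandbox_holes   # prints: filesystem access: host
printf '%s' "$SAMPLE_PORTAL" | sandbox_holes   # prints: ok
```

A "filesystem access: host" line means the sandbox adds nothing against a malicious or compromised build, which is the trust comparison made above; "ok" only says the declared static permissions are narrow, not that the app is safe, since the user can still grant more through portals or `flatpak override`.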

Maybe my memory has failed me, I used to run SyncThing and I had a tray icon for it that came with the application. I did use the SyncThing Flatpak before the blocker which halted its development... From a security perspective, if you have not inspected the code yourself, you place that trust on the Developers.

For something as critical (because it syncs and backs up your data) I would only install the one published by the developer themselves, keeping 3rd party plugins out of the mix. Everyone’s threat model is different.

Flatpak’s “security” is only in play when you can use an application that has very few arguments, using Portals properly, or is completely isolated from the host system, which a Sync tool would be useless for.

Would you trust syncthing built by Fedora?

Name        : syncthing
Version     : 1.27.7
Release     : 1.fc40
Architecture: x86_64
Install Date: Thu 23 May 2024 08:50:00 CEST
Group       : Unspecified
Size        : 25069360
License     : MPL-2.0 AND Apache-2.0 AND BSD-2-Clause AND BSD-2-Clause-Views AND BSD-3-Clause AND CC-BY-3.0 AND ISC AND MIT AND OFL-1.1
Signature   : RSA/SHA256, Tue 14 May 2024 21:48:04 CEST, Key ID 0727707ea15b79cc
Source RPM  : syncthing-1.27.7-1.fc40.src.rpm
Build Date  : Tue 14 May 2024 17:03:53 CEST
Build Host  : buildhw-x86-02.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://syncthing.net
Bug URL     : https://bugz.fedoraproject.org/syncthing
Summary     : Continuous File Synchronization
Description :
Syncthing replaces other file synchronization services with something
open, trustworthy and decentralized. Your data is your data alone and
you deserve to choose where it is stored, if it is shared with some
third party and how it's transmitted over the Internet. Using syncthing,
that control is returned to you.

This package contains the syncthing client binary and systemd services.

I would. With Fedora, there’s a trust level for me because we understand the undertaking, the process in place for the package. A Random Verified Developer on Flathub :thinking: Not as much. . .

Well, the Krita flatpak isn’t maintained by anyone who works on Krita, but it’s Verified.

If you are referring to flatpaks which come from flathub, it really depends what you mean by “secure”.

A verified flatpak just means it is packaged by the developer and not a 3rd party. However, believing that all developers understand how to properly package software and that they are properly maintaining any bundled libraries simply because they are the developer would be flawed.

Ultimately, regardless of the package format, it comes down to “do you trust the packager?”. In most cases, you don’t know the packager so it is hard to trust them.

I would argue that it is better to get packages from a distro whenever you can. Most distros have packaging standards and multiple eyes on packages.

1 Like

The source for Fedora syncthing is at https://github.com/syncthing/syncthing. The flathub syncthingy has its own github page with a different release version and it is unclear how this repository is related to the syncthing github page, if at all related.

2 Likes

Thank you all for your answers, I have never had such support when I used Ubuntu forums in the past :grinning:

2 Likes

I never liked the approach of the Verification on Flathub, this is a good point. . .

Syncthingy is a Tray Icon. . . :thinking:

Well, verified is good. Well, it should be used more on the bigger picture, like trusted providers: the gnome project has verified status, but then again inkscape or blender doesn’t, or darktable, so there should be some more on how it actually works to get verified/trusted.