Flatpak, Snap are containerized apps … in Ubuntu you have Microsoft apps in snaps like Visual Studio Code or simply .rpm in Fedora. You can mix them up as you like. The initial idea seems to put apps in a closed environment moving away from weak opensource dependencies but Fedora is backed by Red Hat so …
What precautions should I take when downloading via flatpak or snap? What is the way to know if there is no malicious code embedded in an app that I download?
If it is FOSS you can actually look at the code.
If you trust the developer/source then that is one factor.
If it is packaged and from a trusted source, then it usually has been signed and the key provided.
Lots of factors and you have to decide what is acceptable risk for you.
Flatpak was developed by Red Hat way back in 2009 followed by Canonical in 2014 with Click and Snap in 2016. Canonical is the commercial entity behind Ubuntu, Fedora is really close to Red Hat. The original idea is containerized apps reducing dependencies on outdated, obsolete or unreliable libraries. You can mix them with ease, same app is probably a huge problem, look up Wikipedia about Red Hat, Debian the two sole active original Linux distributions, Ubuntu, Fedora, Flatpak, Snap … interesting …
Fundamentally, whenever you are using any binary package regardless of format, you are trusting the packager. You are basically giving the packager the ability to install whatever they want to your machine.
With snap and flatpak the packager can be anyone so the first thing you should check is who the packager is. If it is the maker of the software then that is fairly safe if you trust the software itself.
Keep in mind that both snap and flatpak give you the ability to limit the amount of system resources the application can access via sandboxing. However, the defaults are set by the packager so make sure you review them before running the application. Further, even a fully sandboxed application can take malicious actions.
For Flathub, probably the most popular repository of flatpak applications, you can view the manifest files of any* of their applications on their GitHub page. Learn how the manifest document (.yml/.json) is used to construct the flatpak. Usually the source of the application is pulled straight from the project’s git repository. You can also view any additional scripts that are used in the construction of that particular flatpak. As for other flatpak repositories or snaps, I don’t know.
* Any application, with the exception of special apps that they host that are built directly by the source developer (e.g. Firefox).
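The answer above recommends two things before running a flatpak: review the sandbox permissions the packager chose, and read the Flathub manifest to see where each module's source actually comes from. The script below is an added example (not code from the thread or from Flathub) that does both over a manifest in JSON form. The manifest it parses is constructed for the example and is not any real application's; the `.invalid` URLs and the all-zero sha256 are placeholders. The manifest keys it reads (`app-id`, `finish-args`, `modules`, `sources`, `type`, `url`, `sha256`, `commit`, `tag`) are the ones flatpak-builder uses.

```python
"""Pre-install review of a Flathub-style flatpak manifest (.json form).

Checks, following the advice in the thread:
  1. For every module source, where is it fetched from and is the fetch
     pinned: a sha256 for archives/files/extra-data, a commit for git.
     A tag or branch alone can be moved by whoever controls the repository.
  2. Which `finish-args` widen the sandbox well beyond the runtime default.
YAML manifests carry the same keys and could be loaded with PyYAML instead
of json; that is left out to keep the example dependency-free.
"""
import json

# Permissions that largely defeat the sandbox. ":ro"/":create" suffixes on
# --filesystem are stripped before lookup. Network access is deliberately
# not listed: it is common and usually needed, so it is a judgement call.
BROAD_FINISH_ARGS = {
    "--filesystem=host": "read/write to the whole host filesystem",
    "--filesystem=home": "read/write to the entire home directory",
    "--socket=session-bus": "unrestricted session D-Bus (talk to any user service)",
    "--socket=system-bus": "unrestricted system D-Bus",
    "--device=all": "access to every device node",
    "--socket=x11": "plain X11; X does not isolate clients from each other",
    "--talk-name=org.freedesktop.Flatpak": "can run commands outside the sandbox",
}


def classify_finish_arg(arg):
    """Return why `arg` is broad, or None if it is an ordinary permission."""
    base = arg.split(":", 1)[0]  # "--filesystem=host:ro" -> "--filesystem=host"
    return BROAD_FINISH_ARGS.get(base)


def source_record(module_name, src):
    """Describe one entry of a module's `sources` list and whether it is pinned."""
    kind = src.get("type", "unknown")
    location = src.get("url") or src.get("path") or "(inline)"
    if kind == "git":
        pinned = "commit" in src                        # tag/branch alone is movable
    elif "url" in src:
        pinned = "sha256" in src or "sha512" in src     # archive, file, extra-data
    else:
        pinned = True                                   # patch/dir/script kept in the repo itself
    return {"module": module_name, "type": kind, "location": location, "pinned": pinned}


def review_manifest(manifest):
    """Summarise sources, unpinned fetches, broad permissions and external module files."""
    sources, external_modules = [], []
    for module in manifest.get("modules", []):
        if isinstance(module, str):      # e.g. "shared-modules/x/x.json": a separate file to review
            external_modules.append(module)
            continue
        for src in module.get("sources", []):
            sources.append(source_record(module.get("name", "?"), src))
    broad = [{"arg": a, "why": classify_finish_arg(a)}
             for a in manifest.get("finish-args", []) if classify_finish_arg(a)]
    return {
        "app_id": manifest.get("app-id") or manifest.get("id"),
        "sources": sources,
        "unpinned": [s for s in sources if not s["pinned"]],
        "broad_permissions": broad,
        "external_modules": external_modules,
    }


# Constructed sample manifest (hypothetical app; placeholder URLs and hash).
SAMPLE_MANIFEST = json.loads(r'''
{
  "app-id": "org.example.ReviewMe",
  "runtime": "org.freedesktop.Platform",
  "runtime-version": "23.08",
  "sdk": "org.freedesktop.Sdk",
  "command": "reviewme",
  "finish-args": ["--share=ipc", "--socket=wayland", "--socket=fallback-x11",
                  "--share=network", "--filesystem=home",
                  "--talk-name=org.freedesktop.Flatpak"],
  "modules": [
    {"name": "libhelper",
     "sources": [{"type": "archive",
                  "url": "https://example.invalid/libhelper-1.2.tar.xz",
                  "sha256": "0000000000000000000000000000000000000000000000000000000000000000"}]},
    {"name": "reviewme",
     "sources": [{"type": "git", "url": "https://example.invalid/reviewme.git", "tag": "v2.0"},
                 {"type": "patch", "path": "fix-build.patch"}]},
    "shared-modules/libfoo/libfoo.json"
  ]
}
''')

if __name__ == "__main__":
    report = review_manifest(SAMPLE_MANIFEST)
    print(f"App: {report['app_id']}")
    for s in report["sources"]:
        flag = "" if s["pinned"] else "  <-- NOT PINNED"
        print(f"  [{s['module']}] {s['type']:<8} {s['location']}{flag}")
    for p in report["broad_permissions"]:
        print(f"  broad permission {p['arg']}: {p['why']}")
    for m in report["external_modules"]:
        print(f"  also review module file: {m}")
```

On the sample, the git checkout pinned only by tag and the two broad permissions are reported; the archive with a sha256 and the local patch pass. For an app that is already installed, `flatpak info --show-permissions <app-id>` prints the effective permissions, and `flatpak override --user` (for example `--nofilesystem=home`) narrows them without rebuilding the package; a source fetched as `extra-data` from a vendor download page is exactly the "not built from source" case the thread discusses, and the sha256 in the manifest is the only thing tying the install to a specific binary.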
For example, this app is published by collaborators right? That is, it is not directly from the source developer, correct? So this is the type of app that could have malicious code in its source?
You can click on the link under Publishers to see who is maintaining the flatpak. But from there, it’s hard to tell if any of them are actually from Postman. So I would assume it’s all third party.
On the GitHub page, you can look at the application manifest file. From that you can see that the source for the application is from the developer’s download page: