Given my experience with flathub packages when I have used “regular” Fedora Workstation in the past, I don't think it is good to install non-verified packages from flathub.
emacs is not verified on flathub, so I don't want to use that repo.
That leaves the option to install emacs from Fedora Linux - registry.fedoraproject.org. But that package is not verified either.
When I have used “regular” Fedora Workstation in the past, I have installed packages from the fedora repos without concern about the package being verified, because I trust Fedora to put safe packages in the Fedora repos.
My questions:
Is it safe to install non-verified packages in Fedora Silverblue using Gnome Software from the Fedora Linux - registry.fedoraproject.org repo?
Am I correct in assuming that the package in the repo that would be used by regular Fedora is the identical (version-wise) package that is used in the Fedora Linux - registry.fedoraproject.org repo?
I see your dilemma while checking in flatpak that it says it is stable. No exact version.
You can see these details on the package's site:
You can not say that on registry.fedoraproject.org the versions are always the same as the default rpm.
You can assume it. Exact details you find on the package site.
It would probably be a good idea to add the link into the details of the flatpak. So it would be easier to find out the versions.
Another option is to use toolbox. It should be as simple as
# this should automatically create a fedora toolbox if one isn't already installed
toolbox enter
# install emacs from fedora repos
sudo dnf install emacs
# launch emacs
emacs
Though my recommendation would be to use the Flathub package unless it has some sort of sandbox issue. Then my recommendation would be toolbox. Although I have never tried installing an app directly using podman pull registry.fedoraproject.org/....
@ilikelinux - Thanks very much for your reply. I maybe should have explained further. My concern is not about whether a package is stable or not, either on the flathub or Fedora rpm repos.
To explain further:
From:
Verified apps
What is a verified app?
A verified app on Flathub is one whose developer has confirmed their ownership of the app ID using a uniquely generated token. This means either the app is maintained directly by the developer or a party authorised or approved by them.
More information for developers →
Why are some apps not verified?
Some apps are published on Flathub by the community or third parties and not directly maintained by the original developer. This means such apps are not eligible for verification.
How do I know if an app is verified?
Apps will have a blue tick on the Flathub app page indicating they are verified.
So in Fedora Silverblue > Gnome Software, each package, under its Name, shows whether it is verified or not, depending on which repo is selected for that package, and under the Install button, has a select list of which repo you can select to install from.
I see with e.g. emacs that if I select a Fedora (not flathub) repo, then the package is not verified.
To add more complexity to the matter, I just noticed there are three repos to choose from for emacs, while my previous post mentioned 2 repos.
My concern is that if I choose a Fedora repo, the package is not verified, and I may install a malicious package.
I hope this makes things more clear as to what I am trying to understand.
What you mentioned is from Flathub itself. The other source is on Fedora infrastructure. This means we do not have the same verification there, because mostly these are applications from other projects that just made a package in our location. Because most apps are not “Fedora Owned”, they are also not marked as they are on Flathub.
But I agree, making the verification uniform would make sense. It is just not so easy, and it would mean you would have to oblige the dev to verify on more than one location. The packages on Fedora infrastructure are tested that they work as they should with Fedora. This verification has nothing directly to do with the dev itself.
Neither the Fedora or Flathub Flatpak, nor the Fedora RPM, nor the Fedora RPM in a toolbox are “verified”.
Your entire core distro consists of packages that are very likely not packaged by the developers, but by separate people.
So using non-verified flatpaks is totally fine. Flathub is the only store where you have a traditional and good repo concept but also with apps directly from the devs.
That doesn't mean that unverified flatpaks are insecure. RPMs are often less secure, as they are not sandboxable that easily. And the trust is simply put in a different person, but well, that is how it works.