Add the Flathub verify token #2200

Open
BigmenPixel0 opened this issue Oct 17, 2023 · 5 comments
Comments

@BigmenPixel0

Add this token 0a1ae4b2-3a4b-4f2d-bcd7-c9ff261e0f05 into /.well-known/org.flathub.VerifiedApps.txt to verify the application on Flathub.

@plowsof
Collaborator

plowsof commented Oct 17, 2023

Example: https://fedoraproject.org/.well-known/org.flathub.VerifiedApps.txt

This is for the Monero GUI Flatpak. We need the verified status to (in part) obtain a stable API key for this workflow which is using a beta key: https://github.com/monero-project/monero-gui/blob/master/.github/workflows/flatpak.yml

context: flathub/flathub#3905 (comment)

bigmenpixel's in-progress CCS proposal - Maintaining Flatpak package

@erciccione
Contributor

The best way to do this is probably through the web server. I'll ping pigeons.

@erciccione
Contributor

erciccione commented Oct 17, 2023

Maybe this should be discussed first. Verifying the flatpak from getmonero will mean that an effort completely run by a volunteer is "guaranteed" by the core team as trusted. Not sure if this should be the case, as nothing in the community is "official". Might be better to leave the flatpak "unverified". Asking for input from core.

@Victor239

Agreed, only do this if you're given commit control over the repo and the current maintainer has to instead submit PRs for any changes so that core can review them for malicious changes first.

@plowsof
Collaborator

plowsof commented Oct 17, 2023

Edit*: the flatpak workflow is now being reviewed. I think we can re-discuss/hold off until that's complete.

Some discussion can be seen in this comment and others on the proposal: https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/381#note_21079

Originally I agreed that it's never going to be verified (as it's clearly ripe for supply chain attacks - we don't control the flathub servers), however, I now support this "checkmark" for these reasons:

  • The flatpak workflow which pushes binaries to flathub displays hashes at the end of the build process, which can be verified on your local machine. It resides on the monero-gui repo, which we control.
  • We've made best efforts to remove control from our 3rd party volunteer* (sponsored by the CCS) by moving the flatpak repo to our core repo and had the API key PGP encrypted for luigi's eyes only* ('best effort').
  • An actual third party desktop app which supports monero can be "verified" instead, while the Monero-GUI is not, and people may be inclined to switch to that instead.
  • It's open source for people to build at home (or verify the hashes from the workflow run on our core repo).
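The two checks discussed in this thread (that the token from the issue body is actually served at `/.well-known/org.flathub.VerifiedApps.txt`, and that a locally computed hash matches the one the build workflow prints) can both be scripted. The following is an added example, not code from this issue, from the monero-gui repository or from Flathub. It assumes the well-known file holds one token per line (the real Flathub format is not described on this page), that the workflow prints a SHA-256 hex digest, and the function names are hypothetical. The sample inputs are constructed inline; nothing is fetched from any server.

```python
import hashlib
import hmac
import re
from typing import Set

# Token quoted in the issue body above. The file format is an ASSUMPTION:
# one verification token per line, whitespace and blank lines ignored.
ISSUE_TOKEN = "0a1ae4b2-3a4b-4f2d-bcd7-c9ff261e0f05"

# UUID-shaped token check; assumed from the shape of the token in the issue.
TOKEN_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def parse_verified_apps(text: str) -> Set[str]:
    """Return the set of tokens found in a served VerifiedApps.txt body.

    Lines that do not look like a token are skipped rather than matched, so a
    stray HTML error page served at the path cannot accidentally 'verify' an
    app just because it happens to contain the token somewhere in markup.
    """
    tokens = set()
    for line in text.splitlines():
        candidate = line.strip().lower()
        if TOKEN_RE.match(candidate):
            tokens.add(candidate)
    return tokens


def token_is_published(well_known_body: str, token: str) -> bool:
    """True only if the exact token appears as its own line in the served file."""
    return token.lower() in parse_verified_apps(well_known_body)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a local artifact (the digest type is an assumption)."""
    return hashlib.sha256(data).hexdigest()


def bundle_matches_workflow_hash(bundle: bytes, published_hex: str) -> bool:
    """Compare a locally computed digest against the one printed by the workflow.

    compare_digest avoids a timing side channel; it also tolerates the
    published value being pasted with stray whitespace or upper-case hex.
    """
    return hmac.compare_digest(sha256_hex(bundle), published_hex.strip().lower())


# Constructed sample inputs, standing in for a fetched file and a built bundle.
SAMPLE_WELL_KNOWN = "\n".join([
    "",
    "   " + ISSUE_TOKEN + "  ",
    "not-a-token",
    "<html><body>404</body></html>",
    "",
])
SAMPLE_BUNDLE = b"constructed stand-in for a flatpak bundle"
# Stands in for the hash shown at the end of the workflow run.
SAMPLE_PUBLISHED_HASH = sha256_hex(SAMPLE_BUNDLE)


if __name__ == "__main__":
    print("token published:", token_is_published(SAMPLE_WELL_KNOWN, ISSUE_TOKEN))
    print("bundle matches:", bundle_matches_workflow_hash(SAMPLE_BUNDLE, SAMPLE_PUBLISHED_HASH))
```

In use, `SAMPLE_WELL_KNOWN` would be replaced by the body fetched over HTTPS from the project's domain and `SAMPLE_BUNDLE` by the bytes of the downloaded artifact; the strict per-line match is what keeps a misconfigured web server (for example one that returns a catch-all HTML page) from passing the check.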

4 participants