this post was submitted on 08 Jul 2026
105 points (99.1% liked)

Linux

14248 readers
1229 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 3 years ago
MODERATORS
top 24 comments
sorted by: hot top controversial new old
[–] AcornTickler@sh.itjust.works 12 points 2 days ago

Can't wait for them to adopt the community-maintained Flathub version.

[–] victorz@lemmy.world 10 points 2 days ago (1 children)

Is that preferred over other types of distributions of the application?

[–] als@lemmy.blahaj.zone 12 points 2 days ago (1 children)

The flatpak has always been unofficial so many people distrust it for that reason

[–] victorz@lemmy.world 1 points 2 days ago (1 children)

The signal-desktop package on Arch Linux isn't official either, I'm guessing — should that not be trusted either?

[–] AcornTickler@sh.itjust.works 9 points 2 days ago (2 children)

If you don't trust your distro packages, you should not use that distro. In my mind Arch Linux maintainers are way more trustworthy than a random guy maintaining the Flathub version.

[–] victorz@lemmy.world 1 points 2 days ago

If you don't trust your distro packages, you should not use that distro.

Kind of my point. How high should my trust fence be before I can't install anything at all. 😅

[–] Vincent@feddit.nl -1 points 2 days ago (2 children)

Didn't Arch just have a major security issue due to their packages essentially being random guys too? (And I think the same thing could theoretically happen to most distributions?)

[–] AcornTickler@sh.itjust.works 11 points 2 days ago (2 children)

No, that was AUR. Those were user-generated packages with nearly no vetting.

[–] AngryPancake@sh.itjust.works 3 points 2 days ago

To add to that, the wiki also makes it pretty clear users should be careful. It's nice to have for packages that aren't in the main repos, so it makes sense to have it somewhat part of the distro, but it does take manual effort to install aur packages, so in my mind, that's the best way to do it.

Big red label at the top: https://wiki.archlinux.org/title/Arch_User_Repository

Windows users are out there downloading random exe files...

[–] Vincent@feddit.nl 2 points 2 days ago

Ah gotcha, that is different indeed!

[–] Ooops@feddit.org 3 points 2 days ago (1 children)

No. Their "here's also this unofficial repository of builds completely maintained by random community users... USE AT YOUR OWN RISK - You have been warned!" ArchUserRepository got the least used (often long abandoned) packages hijacked by some bad actors.

But "Less than 1% of the least used packages in the unofficial repository you were explicitly warned about got hijacked by people trying to infect oyur PC" would not have been an interesting headline gathering attention.

[–] Vincent@feddit.nl 1 points 2 days ago

Ah, gotcha! Well, if it's any consolation, clearly I didn't click on the clickbaity headline to read the actual low-quality article :P

[–] Marija_@programming.dev 4 points 2 days ago (1 children)

Nice move. AppImage makes distribution much simpler, especially for people who don't want to depend on a specific package manager.

[–] KSPAtlas@sopuli.xyz 11 points 2 days ago (1 children)

IMO flatpaks are a better option, appimages are just bringing people back to the insecure "find it on a website and download it" method of package management

This is also one of the reasons why I dislike curl sh

[–] lukalix98@programming.dev 3 points 2 days ago (3 children)

Flatpaks can be unsafe too though.

Same goes for .debs from Debian stable. There is no absolute safety. But downloading unsigned code from a random website is far down the safe list.

[–] spectrums_coherence@piefed.social 3 points 1 day ago* (last edited 1 day ago)

AppImage defended and used grossly outdated core component like FUSE2 for a long time, and comes with zero sandboxing by default.

IMO, flatpak needs to improve in terms of security, but it is a strict improvement over AppImage.

[–] Marija_@programming.dev 2 points 1 day ago

I still prefer repositories, but official AppImages beat unofficial downloads.

[–] Kalon@feddit.online 3 points 2 days ago

I'll stick to Session anyways.

[–] garbage_world@lemmy.world 2 points 2 days ago

Did they publish source?