Avoid claiming all PackageKit apps to be verified

There seems to be general agreement that the verification checkmark should be understood as "comes directly from the developer". The absence of said checkmark does not indicate that the application source is not to be trusted — only that we were not able to automatically confirm whether the build originates from the developer/publisher.

In the future, we might be able to verify origins of more apps, e.g. by maintaining a registry of repository URLs that are known to be first-party. Until then, we err on the side of caution and avoid accidentally providing guarantees that we do not have ourselves.

Note that this concept has nothing to do with security: distribution repositories, while not developer-led, are already trusted by the user regardless, and some verified apps can actually be malicious.

See !755 (comment 1061572) for the past discussion.