Is it safe to assume that all apps from the software store (Discover in my case) are safe? (lemmy.org)

submitted 3 weeks ago by Cekan14@lemmy.org to c/linux@lemmy.ml

37 comments fedilink hide all child comments

Hi, there!

Newbie question here: basically, the title. Perhaps what I'm asking is pretty obvious, but I'd like to double-check with the community on this.

I use Discover on my Debian KDE Plasma set-up, with Flatpaks enabled (but not Snaps). Sometimes, I come across apps (I did just yesterday, searching for translation apps to replace DeepL), that have according to its page, an unknown author and, sometimes, even an unkown licence, but which do require access permission to the whole system (this latter requirement applying specifically to Deb packages, from what I've seen).

Under these circumstances, is it safe to assume that such apps will still be safe because of the fact that they appear listed on Discover (in other words, is Discover a guarantee of safety for the apps it shows, as in, some type of checked or proved content), or should I still be wary of potentially malicious software included on it?

Thank you very much in advance :)

top 37 comments

sorted by: hot top controversial new old

[-] ardorhb@discuss.tchncs.de 25 points 3 weeks ago

Stuff from the repository of your distribution generally can be considered save but everything involving a third party might not be.

This counts for both other Apt repositories as well as Flatpak. You likely have Flathub as an Flatpak source and while they have some checks and controll instances it is possible for untrusted third parties to upload packages including non-free ones there. I do not now of any incidents but some suspicion for packages with full system access can't harm.

[-] Cekan14@lemmy.org 3 points 3 weeks ago

Thank you for your insightful comment. If I may incur once again in noobieness, what precisely do you mean when you say the "repository" of my distribution? Do you mean the pieces of software than come preinstalled with the OS itself?

[-] banazir@lemmy.ml 6 points 3 weeks ago* (last edited 3 weeks ago)

A repository (or repo) is a server that hosts program files for your distribution. Distributions host their own repositories from which you can install software with your package manager, like APT or DNF or others. If you only install software from your distribution's repository, there's likely no clashes with software versioning and dependencies, and the packages are about as reliable as they can be (which doesn't mean there's never malware). If you add third party repositories for software not available from your distribution's repository, it's more likely there will be issues, because the distribution doesn't guarantee the packages work well together.

For example, Debian and Arch don't retrieve and install their software from the same source. They have their own servers (repositories) hosting software compiled to work with their particular distro and to be used by their chosen package manager.

Flatpak (or Snap or Guix) is a separate package manager that handles it's own dependencies and doesn't clash with your distribution's own software manager.

Does this help?

[-] Cekan14@lemmy.org 4 points 3 weeks ago

Hi! Thank you for your reply. So, if I understood correctly, whenever I click on "Install from Debian/GNU Linux" on Discover I am getting software directly from Debian's repository (thus, a "repository" in the sense that it's a place where this software is stored and can be retrieved); same thing when clicking on "Install from Flathub" for a Flatpak from Flathub. This does seem like the safest approach in the sense that it's the less risky one and, if malware did slip through, such as the XZ backdoor, at least it would not have been due to a personal mistake of mine, but a general one which would've affected much more people too.

This, in turn, is different from APT, which is not Debian's repository, but Debian's package manager. So, technically, I could write "sudo apt install (anything)" to get any piece of software from Debian's repository indeed, but I could also use that command to get software from somewhere else also in the form of a Deb package but which would not have come from Debian itself.

Did I get this right?

Thanks a bunch.

[-] banazir@lemmy.ml 5 points 3 weeks ago

It may be a lot to take in at first, but seems to me you've got it!

[-] Cekan14@lemmy.org 3 points 3 weeks ago

Thanks to you all for helping me understand it :)

[-] ozymandias117@lemmy.world 2 points 3 weeks ago* (last edited 3 weeks ago)

Maybe to help, you can see where you've enabled "repositories" that APT can download from in /etc/apt/sources.list and /etc/apt/sources.list.d

As long as you haven't manually installed a .dpkg package, or manually modified it, they should be something like

deb.debian.org security.debian.org

Some things like Slack may try to add their own repositories down there

When you type "sudo apt install" it is allowed to install from any configured repos down there

[-] IsoKiero@sopuli.xyz 3 points 3 weeks ago

This, in turn, is different from APT, which is not Debian’s repository, but Debian’s package manager. So, technically, I could write “sudo apt install (anything)” to get any piece of software from Debian’s repository indeed, but I could also use that command to get software from somewhere else also in the form of a Deb package but which would not have come from Debian itself.

With apt (and discover which uses apt/dpkg at the background) you can install anything from repositories configured on your system. So, if you want to use apt to install packages not built by Debian team you'll need to add those repositories in your system, so they don't just appear out of nothing.

Some software vendors offers .deb packages you can install which then add their own repository on your system and then you can 'apt install' their product just like you would on native Debian software and the same upgrade process which keeps your system up to date will include that '3rd party' software as well. Also some offer instructions on how to add their repository manually, but with a downloaded .deb it might be a bit easier to add repository without really paying attention to it.

Spotify is one of the big vendors who have their own repository for Debian and Ubuntu and with Ubuntu there's "ppa" repositories, which are basically just random individuals offering their packages for everyone to use and they are generally not going trough the same scrutiny than official repositories.

[-] ardorhb@discuss.tchncs.de 3 points 3 weeks ago

I think others have answered your question here quit well, I hope you're not overwhelmed by all of this.

[-] jpicture@lemmy.zip 20 points 3 weeks ago

Just to clarify what others are saying: the 'software store' (Discover in your case) is just the graphical application that you use to manage the software installed on your computer. The repositories, aka 'repos' are the sources of that software. There are people whose job it is to vet the software in those repositories and make sure that it's safe. Flatpak is a packaging format. The biggest repository (and what you likely have enabled) for flatpaks is Flathub. If you're installing software from the Debian repo and Flathub you should be fine. You should be able to verify which repositories are enabled via the Discover app. You have the freedom to add other repositories too, but it will be your own responsibility to evaluate whether those sources are trustworthy if you do.

Long story short, if you just use Debian as it is, you are fine.

[-] Cekan14@lemmy.org 8 points 3 weeks ago

Thanks for joining the conversation and help make things clear. This does help; so, basically, not having manually enabled anything else than Flathub/Flatpaks on Discover, and having Debian's repository already, I am fine as long as I install programmes from either of those two.

[-] jpicture@lemmy.zip 5 points 3 weeks ago

Yes, you've got it 👍

You can basically just treat everything available in Discover as good, because everything there will either be from Debian or from Flathub.

I'm on Debian 13 too but have the GNOME desktop environmet.

[-] goldman60@lemmy.world 3 points 3 weeks ago

I would say you are more than likely fine, malicious code does occasionally sneak into Debian distributed apps but you'll likely never encounter something that is outright fraudulent or a scam.

[-] moonpiedumplings@programming.dev 1 points 3 weeks ago

malicious code does occasionally sneak into Debian distributed apps

Do you have an example of this? The xz utils backdoor did not make it into debian stable, only unstable.

Debian stable essentially forks every package, maintaining a custom codebase. They then cherry pick security updates only (ignoring feature updates or minor bugfixes), and applying those. This makes it extraordinarily resilient to any form of supply chain attack.

[-] goldman60@lemmy.world 1 points 2 weeks ago

I probably should have said "may/could" sneak in, I forgot the xz incident didn't quite make it to Debian (but would have had it not been caught)

[-] DataCrime@lemmy.dbzer0.com 16 points 3 weeks ago

Uhhhhhhhh…

Bruh. It’s not safe to assume any software from anywhere is safe… that’s kinda the essence of Zero Day exploits.

Even if you wrote it there have been Linux exploits that hid a root kit, and patched the gcc compiler and linker to create a level of persistence that is just other worldly. IIRC what that fucker was called, but it won’t be hard to find. You can probably still count Linux root kits on one hand.

Hell, I’ll look it up after I’m done with my morning duce… that shit was epic. And like, also, theoretically, you could be Mr. Robot, so… you know… it’s just a good idea not to trust yourself anyway.

[-] limelight79@lemmy.world 9 points 3 weeks ago

I think you are thinking of this.

But, more recently, this should make anyone who is concerned about security shudder. And it was only discovered because some guy in Germany noticed ssh logins were taking a bit longer than in previous versions.

[-] AnnaFrankfurter@lemmy.ml 3 points 3 weeks ago* (last edited 2 weeks ago)

Just for anyone who doesn't know or is too lazy to click article. "Little bit longer" in this case means 300-500 milliseconds

[-] DataCrime@lemmy.dbzer0.com 3 points 3 weeks ago

Spot on, thanks for finding that. I wonder if there was ever a proof of concept or something like that. I installed my first copy of Slackware some time in the early 90… Maybe late 80s… it’s getting a bit fuzzy, I want to say that the kernel was pre 0.9.

One of the scariest things I had ever done, but I learned so much more about computers than I would have otherwise. Point being there was definitely some years between Ken’s article… still very much the era of viruses for the same of proving you could create something novel and powerful. We kept collections of them like weirdos that keep poisonous snakes 🐍

Anyway, it’s past grandpas bed time. Thanks again for finding the article, I’ll definitely have to do a bit more research… It was a super fun time in my life and I enjoyed remembering.

[-] limelight79@lemmy.world 2 points 2 weeks ago

I thought he did do a proof of concept, but I could be wrong. It's been a while (many years) since I've read up on it.

My first Linux install was also Slackware, albeit Slackware 3.x, in the late 90s, while avoiding grad school work. I don't remember what kernel it used at that time. So if you're grampa, I guess I'm your son. :)

[-] DataCrime@lemmy.dbzer0.com 1 points 2 weeks ago

ROFL… I think there’s a quotable from Fight Club about his dad going around setting up “franchises…”

Honestly hoping to meet Patrick Vol… nope —not even going to take a swing at trying to spell his last name. But I seriously owe that guy a beer and pancakes.

On a semi related note, I think it took me a solid week of effort to get audio going (on Linux) just so I could be more confused about how to properly pronounce it. I want to say the file name was linux.au and it’s Linus saying something like “This is Linus Torvalds introducing UNIX as Linux.” Back in the day we had to spell UNIX with an asterisk because AT&T owned the trademark and aggressively enforced it.

All of this went down while I was working at a shitty little outfit called Los Gatos Computer Corporation. We built IBM PC clones in half the warehouse, the other half was full of old SGI computers. The scam there was that the business owners told SGI they were recycling the old hardware, but what they actually did was cobble together working systems from the broken bits. Basically one brilliant guy sat in a 10x10 room chain smoking and patching the busted SGI stuff back together. He hand soldered upwards of a hundred hair fine bodge wires, motherboards taped together… it was mental, but somehow they made enough cash to keep the whole crazy operation alive for a year or two.

[-] limelight79@lemmy.world 1 points 2 weeks ago

Volkerding, I think! checks Yep that's it!

I remember being an idiot and compiling my own kernel ("oh it's so much faster!"). Lol. I guess if that's the dumbest thing I've done, I'm doing well. I remember that sound clip, too.

Hey you were recycling them, just not into a dump!

[-] regedit@lemmy.zip 2 points 3 weeks ago

The YT channel Veritassium recently did a video going into more depth about the SSH thing. Was interesting!

[-] limelight79@lemmy.world 5 points 2 weeks ago

Yeah, I watched that. I mostly already knew the story, but it was a great video anyway. And...extremely disturbing. Whoever it was will learn from the mistakes of this attempt...

It can be frustrating, but Debian's policy against binary blobs was a smart decision. I've run into it for glances web interface, and it's easy enough to decide I'm okay with installing it (and hopefully glances revises their release to address the issue), but removing them by default is smart.

[-] Oinks@lemmy.blahaj.zone 10 points 3 weeks ago

Discover itself doesn't guarantee anything. Flathub (the Flatpak repository you are presumably using) requires a human review for new applications but not updates (and the human review doesn't include a full audit of the app). I'm not aware of malware being distributed via Flathub in the past, but that doesn't mean it can't happen.

[-] Cekan14@lemmy.org 3 points 3 weeks ago

Thank you; this helps me to better understand it.

[-] lemmyreader@lemmy.ml 6 points 2 weeks ago

With Deb packages you're safe. With Flatpak I would be a little careful because with Debian apps that have been abandoned get some maintainer love or will be removed, while with Flatpak you can install apps that have not been updated for years, not very often but I've seen a few of them. Because of that I prefer to check the Flathub page of a Flatpak app before installing.

[-] umbrella@lemmy.ml 4 points 2 weeks ago

flatpak marks packages as unmaintained, and at least gnome software will show it to users with a banner.

[-] moonpiedumplings@programming.dev 6 points 3 weeks ago

Debian repos are basically guaranteed safe: https://programming.dev/comment/22863237

Flathub is much, much safer than say, the google play store, but it ultimately does follow a model of app developers submitting packages which get reviewed and approved. In theory, someone could sneak malware past that, although there haven't been any incidents (perhaps flathub's review is very effective?). But the snap store, which follows a similar model has had malware. But canonical hasn't been the best steward of that one.

In addition to this, not all stuff on flathub is open source, which is definitely concerning.

Thankfully, flatpak has a built in sandboxing system, which lets you limit what the appps have access to. KDE has a UI for it, and there is also the GUI app flatseal.

[-] unwarlikeExtortion@lemmy.ml 5 points 3 weeks ago* (last edited 3 weeks ago)

Discover itself doesn't care about security - it's the underlying package manager(s) that do.

Flatpak is perfectly safe IMO, as are the built-in repositories.

Both Flatpak reviewers and Debian maintaniers do their due diligence when auditing the software they distribute.

When using distros/repos which are less FOSS purist (such as Ubuntu), you could run primarily into privacy issues. When using smaller ones, the risk of a backdoor or voulnerability is a bit larger, as less eyes are on the code.

That being said, the only way to be immune to untargeted cyberattacks is to be offline, which isn't reasonable in this day and age. As long as you stick to your distro's repo and Flatpak you should be perfectly fine, save for the "normal" voulnerability or two that unfortunately slip through every now and then. You could think of this as a kind of digital "herd immunity".

As long as you don't add repos willy-nilly but think about who you trust, you should be fine.

So yeah - you can assume Flatpaks and the Debian repos are safe. They have good security policies about adding stuff in and do do their due dilligence. Though, this might change in the future, alrhough it doesn't seem likely. But for now - you'll be fine.

The only real risk is if a backdoor like the recent one in xz-utils does slip through the cracks, but then you'll be one of millions of affected machines which, while not mitigating the vulnerabilities per se will at least mean the problem will get fixed sooner once it does get found.

[-] Cekan14@lemmy.org 3 points 3 weeks ago

Thank you! Honestly, it's quite amazing that I can enjoy such complex pieces of software made by and taken care of by the community while not trying to sell me anything or sell my data in return. I love Debian and FLOSS in general.

[-] Patch@feddit.uk 5 points 2 weeks ago* (last edited 2 weeks ago)

All Discover is is a graphical front end to your repositories, so the real question is "is everything in my repositories safe?".

There are no guarantees in life, but if you're using only the default official Debian repos you're just about as safe as you can get. If you add extra repos, whether deb based or flatpak, Discover will only be as safe as whatever you've hooked it up to.

[-] DataCrime@lemmy.dbzer0.com 4 points 3 weeks ago

Also… not that any risk mitigation strategy is going to save you 100% of the time. But a translation app sounds like something you could run in a VM to effectively isolate. Hell, if it’s lightweight enough and you have $100 you could run it on a light weight SBC like a Pi and physically air gap it.

[-] bootleg@sh.itjust.works 3 points 2 weeks ago

First-party stuff from your system package manager (things you install from the official repos with APT) are pretty much guaranteed to be safe. But the Snap Store (which uses snaps instead of flatpaks and is not installed by default on Debian) has unknowingly allowed and distributed malicious apps before. Flathub with flatpaks (which I think is enabled by default on Debian) hasn't had such issues to this day AFAIK, but I would still be skeptical of stuff I install from there, and just not install apps with the Unverified badge on Flathub.

In the case of flatpaks, Flathub shows what permissions an app requests and gives it a kind of arbitrary safety level on its page:
You can click on it to see more information:
You can also use Flatseal to disallow any flatpak app from having certain permissions that you think it doesn't deserve having.

[-] captain_aggravated@sh.itjust.works 2 points 3 weeks ago

I look at it this way: The repository is hosted by, or endorsed by, the developers of the distro. If you don't trust their software repository, why would you trust the distro itself?

[-] moonpiedumplings@programming.dev 2 points 3 weeks ago

Flatpak's show up in discover, and aren't by the distro. Usually it's flathub.

[-] captain_aggravated@sh.itjust.works 1 points 2 weeks ago

Which is why I said "or endorsed by". Fedora's Discover points to their own .rpm repo, their own flatpak repo, and Flathub. Including Flathub out of the box says "We the distro maintainers trust Flathub."

this post was submitted on 21 Mar 2026

47 points (98.0% liked)

Linux

63789 readers

200 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz