How is it possible, that Signal still only provides a .deb package and no .rpm, or even better AppImage or Flatpak? There is an unofficial Flatpak but is it secure?

23 points
*
Deleted by creator
permalink
report
reply
10 points
*
Deleted by creator
permalink
report
parent
reply
8 points

Well I think you have to distinguish between a messenger and other programms, because a messenger has a lot of sensitive data.

permalink
report
parent
reply
7 points
*

Just because something is built out of love does not make it safe, and attestation is about safety. You wouldn’t trust an un-attested surgical device, just because there’s a really positive community around its design.

Signal is a life-or-death app for some people.

permalink
report
parent
reply
2 points
*
Deleted by creator
permalink
report
parent
reply
1 point

The ‘appstore’ of some distributions, e.g. Linux Mint, displays a warning or hint for unofficial flatpaks. In Mint the display of unofficial flatpaks are toggled off by default and there is a warning or recommendation displayed against toggling on.

permalink
report
parent
reply
1 point

I’m not a developer so I can’t really check myself

permalink
report
parent
reply
12 points

I just read through the unofficial Flathub Flatpak for Signal and it is very simple. It fetches the .deb from Signal’s website, installs it in the sandbox, and uses a launcher script to tell the OS some basic toggles like should it start minimized or should it display a tray icon. In the script it makes use of zypak, which to my understanding is to tell electron (chromium) to allow sandboxing to be handled by Flatpak. Here is the repo and the build instructions is the .yaml file.

permalink
report
parent
reply
7 points

Flatpaks are pretty easy to read through. Just go to the links section of Flathub and click the manifest, then read it to see what is done during building.

permalink
report
parent
reply
10 points

I mean it’s FOSS. Have you considered opening a PR to contribute what’s missing? You can be the change you want to see. I wouldn’t normally comment something like this. Your emphasis on “still” raised my hackles a little bit and led me to ask why you still haven’t made your own.

permalink
report
reply
7 points

Not everyone is a developer and they closed issues on github so why bother?

permalink
report
parent
reply
4 points

All of these packaging systems have plenty of tutorials. Speaking from experience, many maintainers were not developers when they started maintaining packages for distros other than the official distros. I have worked with several maintainers who do work in tech and know socially several who had no background. This could be a great place for you to start!

You bother because FOSS is as much paying it forward as it is getting shit for free.

permalink
report
parent
reply
3 points

I will not bother because issues are closed and pull requests rejected left and right from signal for years.

permalink
report
parent
reply
8 points
*

Some projects of Signal-compatible clients and forks received a message from a Signal representrive requesting they stop distributing unofficial clients that connect to their servers.

That probably has on shilling effect on Linux distribution that may be considering building and distributing Signal in their repository.

permalink
report
reply
5 points

They should provide an app for other distros then!

permalink
report
parent
reply
2 points
*

They can’t possibly provide a package for every distro.

Signal’s model, ie keep tight control over development and distribution of the client, and the absence of federation, it well suited for Apple/Google’s stores, but not at all for open-source and Linux’ ecosystem.

permalink
report
parent
reply
9 points

AppImages run on nearly every distro. Why arw they not providing that instead of a .deb?

permalink
report
parent
reply
8 points

You are right. They can’t for every distro.

But fedora/rhel, Ubuntu/debian, and arch-based distros are the most commonly used. So they can provide official packages for those, and/or as the OP said, provide an official flatpak.

And to be fair, it’s a nice-to-have to have a better sense of trust, but given the unofficial ones are open source, it’s quite likely any maliciousness would be rooted out very quickly.

permalink
report
parent
reply

Could always do what looks like the Arch AUR package is doing and build it yourself from source. Or if you are running a Fedora/OpenSuse distro you could find a package on COPR or something that converts a package from a .deb to .rpm and just change source and stuff to match signal.

permalink
report
reply
3 points

Sounds like a hacky way to do things, I don’t think I’m comfortable with that.

permalink
report
parent
reply
13 points
*

Building from source is the opposite of hacky. It’s the recommended way to deal with things like this where you are concerned about trust and security. I understand that it’s not something you’ve done before, but it not as complicated as it sounds. There are many tutorials on how to build programs from source.

I understand that providing official packages for fedora/rhel, Ubuntu/debian, and arch-based distro packages along with a flatpack and Appimage would make a lot of sense, but for whatever reason, signal has decided not to. Perhaps you can message the signal team to ask why they choose not to do this.

permalink
report
parent
reply
4 points

Appreciated, maybe I’ll try it in the future.

permalink
report
parent
reply

Sometimes it comes down to support. For every distro specific format you build and package for, the more you need to do with every release (and need the proper config and to be comfortable packaging for each).

permalink
report
parent
reply
2 points
*

That is why I recommend arch based distros that are build on AUR (using yay) Like EndeavourOS

permalink
report
parent
reply
6 points

been using the flatpack for months and had no issues so far

permalink
report
reply

Free and Open Source Software

!foss@beehaw.org

Create post

If it’s free and open source and it’s also software, it can be discussed here. Subcommunity of Technology.


This community’s icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

Community stats

  • 799

    Monthly active users

  • 810

    Posts

  • 9.9K

    Comments