@Mer__edith Yet, the flatpak is said to be published...

@Mer__edith
Yet, the flatpak is said to be published "by Signal Foundation". If that's not the case, the package is usurping Signal Foundation identity and people using Flatpak oriented distros are targeted by this usurper. Can you request a takedown, please?
@apicultor @briankrebs

Like 16 September at 16:26 | Wall-to-wall | Open on infosec.exchange

4 comments

Aral Balkan

@x_cli @apicultor @briankrebs Oh, damn, I’m using the Flatpak package on Fedora because of that (I thought it was the official package).

Better than a takedown, would Signal be able to take it over and make it official, please, @Mer__edith? We can’t run apt packages on Fedora, etc.

Barring that, yeah, it should either be taken down or marked as unofficial.

16 September at 16:34 | Open on mastodon.ar.al

F. Maury ⏚

@aral
I suppose we can try and run a debian version in a pod, by exposing the wayland socket but that's a bit convoluted... Let's not do that 😅

16 September at 16:38 | Open on infosec.exchange

Alex Haydock

@aral @x_cli @apicultor @briankrebs @Mer__edith

It's marked as unofficial quite clearly on Flathub but this is a confusion point I've seen before with store fronts like GNOME Software & co, which don't pass through that clear visual to the end-user.

I definitely echo the suggestion though. It would be good if Signal would officially take over the Flatpak maintenance. It would help make Signal more (officially) accessible on distros other than Debian/Ubuntu.

16 September at 18:22 | Open on infosec.exchange

Aral Balkan

@alexhaydock @x_cli @apicultor @briankrebs @Mer__edith Yeah, I almost never hit the Flathub site. GNOME software not displaying the verification state at the top is quite a security issue. As is having Signal Foundation as the owner. All this time I thought I was using the official Signal flatpak.

16 September at 19:03 | Open on mastodon.ar.al