Bug 484275

Summary: Warn and confirm installation of Flatpaks with potentially dangerous permissions and when permissions change
Product: [Applications] Discover
Reporter: Neal Gompa <ngompa>
Component: Flatpak Backend
Assignee: Plasma Bugs List <plasma-bugs-null>
Status: RESOLVED MOVED
Severity: wishlist
CC: aleixpol, jgrulich, nate, travier
Priority: NOR
Version First Reported In: 6.0.2
Target Milestone: ---
Platform: Fedora RPMs
OS: Linux
See Also: https://invent.kde.org/plasma/discover/-/issues/16

Description Neal Gompa 2024-03-22 20:32:59 UTC
SUMMARY
I've noticed over time that when installing and updating Flatpaks, Discover does not appear to warn when installing Flatpaks that have potentially dangerous permissions (e.g. general filesystem access, session bus access, etc.) or when permissions change on update.

This can lead to situations where the user is not fully aware of the consequences of the action, potentially around hijacks or malware installations.


STEPS TO REPRODUCE
1. Open Discover
2. Enable Flathub
3. Install "Podman Desktop" or "TeXstudio"

OBSERVED RESULT
Discover just installs the app.

EXPECTED RESULT
Discover prompts with a confirmation dialog warning about some permissions that can allow outsized impact with malicious applications.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora Linux 40 (KDE Plasma)
(available in About System)
KDE Plasma Version: 6.0.2
KDE Frameworks Version: 6.0.0
Qt Version: 6.6.2

ADDITIONAL INFORMATION
The idea here is to harden the installation process a little around Flatpaks in response to what happened recently with Snaps[1][2].

[1]: https://www.youtube.com/watch?v=kzB6fHL_2Pg
[2]: https://popey.com/blog/2024/03/exodus-wallet-part-three/
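One way to implement the requested check, as an added example that is neither Discover's code nor GNOME Software's permission list: parse a Flatpak `metadata` file's `[Context]` and bus-policy groups, flag an illustrative set of broad permissions (filesystem and bus access, as the report names them), and list anything newly requested compared with the installed version. The `RISKY` set, the function names and the sample metadata are assumptions made for this example.

```python
import configparser
from typing import Dict, List, Optional, Set
# Illustrative [Context] permissions worth a confirmation prompt; an assumption for
# this example, not GNOME Software's or Discover's list.
RISKY = {"filesystems": {"host", "host-os", "host-etc", "home"},
         "sockets": {"session-bus", "system-bus"}, "devices": {"all"}, "features": {"devel"}}
def parse_permissions(metadata: str) -> Dict[str, Set[str]]:
    """Parse a flatpak 'metadata' file into {key: set of values} (';'-separated lists)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep case: D-Bus names are case-sensitive
    cp.read_string(metadata)
    perms: Dict[str, Set[str]] = {}
    if cp.has_section("Context"):
        for key, value in cp.items("Context"):
            perms[key] = {v for v in value.split(";") if v}
    for group in ("Session Bus Policy", "System Bus Policy"):  # name=talk|own|see|none
        if cp.has_section(group):
            perms[group] = {f"{name}={policy}" for name, policy in cp.items(group)}
    return perms
def risky_permissions(perms: Dict[str, Set[str]]) -> List[str]:
    """RISKY entries present, ignoring :ro/:rw/:create suffixes on filesystem paths."""
    return [f"{key}: {v}" for key, values in perms.items()
            for v in sorted(values) if v.split(":")[0] in RISKY.get(key, set())]
def new_permissions(installed: str, update: str) -> List[str]:
    """Permissions the update requests that the installed version did not have."""
    old, new = parse_permissions(installed), parse_permissions(update)
    return [f"{key}: {v}" for key, values in new.items()
            for v in sorted(values - old.get(key, set()))]
def confirmation_reasons(update: str, installed: Optional[str] = None) -> List[str]:
    """Lines a confirmation dialog would show before an install or an update."""
    reasons = [f"potentially dangerous: {p}" for p in risky_permissions(parse_permissions(update))]
    if installed is not None:
        reasons += [f"newly requested on update: {p}" for p in new_permissions(installed, update)]
    return reasons

# Constructed sample metadata for a fictional app, not taken from any real Flatpak.
INSTALLED = """[Application]
name=org.example.Editor
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=xdg-documents;
"""
UPDATE = (INSTALLED.replace("pulseaudio;", "pulseaudio;session-bus;")
          .replace("xdg-documents;", "xdg-documents;home:ro;host;")
          + "[Session Bus Policy]\norg.freedesktop.Notifications=talk\n")

if __name__ == "__main__":
    print("\n".join(confirmation_reasons(UPDATE, INSTALLED)))
```

The installed version produces no prompt at all, while the update is flagged both for the broad permissions it carries and for every permission it adds, which is the "permissions change on update" case from the report.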
Comment 1 Nate Graham 2024-03-22 20:54:07 UTC
This might be nice, but the lack of it isn't a bug, and I'm not necessarily sure it's even a problem. For apps that come from distro repos or Flathub or whatever, we rely on various factors to keep users safe:
1. Sandboxing
2. Some amount of review from the distributors
3. The developers themselves being known and trustworthy.

Having #1 being nonexistent or compromised isn't actually a real problem as long as #2 and #3 are true; if this wasn't the case, then every distro-packaged app would be dangerous. I've noticed that GNOME Software makes this judgment and I don't think it's the right call. So many apps have these warnings that they become meaningless visual noise, and the user can't tell what's *actually* dangerous vs what *might be* dangerous.

There's an existing discussion of this in https://invent.kde.org/plasma/discover/-/issues/16; let's keep the conversation there.
Comment 3 Neal Gompa 2024-03-23 02:05:54 UTC
In a discussion with Michael Catanzaro, he pointed me to this merge request to GNOME Software that contains the list of permissions it considers potentially dangerous: https://gitlab.gnome.org/GNOME/gnome-software/-/merge_requests/1712

This could help with figuring out how to do this.