To reproduce: add `distribute.kde.org/kderuntime.flatpakrepo`. The repo file, including the GPGKey, is by default retrieved over http, and could be tampered with.

There are several problems here:

1. Discover supports adding http:// resources as flatpak repos and does not warn that this is insecure.
2. Discover supports adding repos without protocol and defaults those to http:// instead of https://.
3. distribute.kde.org is configured to support http://distribute.kde.org and answers to it (to reproduce — open http://distribute.kde.org in «private mode» or just curl it). HSTS does not redirect by itself. See https://www.troyhunt.com/understanding-http-strict-transport/ for more details.

The proposed fix would be:

1. Warn on http:// repos, perhaps with an additional confirmation box.
2. Default protocol-less addresses to https:// instead of http://.
3. Properly configure HSTS and http->https redirects on distribute.kde.org, according to https://www.troyhunt.com/understanding-http-strict-transport/.
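The two halves of the proposed fix, as an added example that is not part of the bug report and not Discover's own code: a client-side URL normalizer that defaults protocol-less addresses to https:// and flags plain http:// so the UI can warn, and a server-side check that a plain-http request is redirected to https and that the https response carries an HSTS header. The function names, verdict strings, and the sample responses are hypothetical and constructed here; the check evaluates captured responses offline rather than contacting distribute.kde.org.

```python
"""Added example (hypothetical names; not from the bug report or Discover)."""
import re
from urllib.parse import urlsplit, urlunsplit

OK = "ok"
INSECURE = "insecure"
REJECTED = "rejected"


def normalize_repo_url(raw: str):
    """Return (url, verdict) for a user-supplied repo address.

    - no scheme     -> prepend https:// (proposed fix 2)
    - http://       -> keep, but report INSECURE so the caller can warn (fix 1)
    - https://      -> OK
    - other schemes -> REJECTED
    """
    raw = raw.strip()
    if "://" not in raw:
        raw = "https://" + raw          # default to TLS, never plain http
    parts = urlsplit(raw)               # urlsplit lowercases the scheme
    if parts.scheme == "https":
        return urlunsplit(parts), OK
    if parts.scheme == "http":
        return urlunsplit(parts), INSECURE
    return raw, REJECTED


ONE_YEAR = 31536000  # max-age that preload-quality HSTS deployments use


def check_https_enforcement(http_resp, https_resp, min_max_age=ONE_YEAR):
    """Evaluate two captured responses for the same host.

    http_resp  - (status, headers) from a GET over plain http
    https_resp - (status, headers) from a GET over https

    Returns {"redirects": bool, "hsts": bool}.  HSTS is only honoured by
    clients when sent over https, so the header is looked up on https_resp;
    the plain-http side must do its part with an explicit redirect, which is
    exactly the "HSTS does not redirect by itself" point in the report.
    """
    http_status, http_headers = http_resp
    _, https_headers = https_resp
    lh = {k.lower(): v for k, v in http_headers.items()}
    ls = {k.lower(): v for k, v in https_headers.items()}

    location = lh.get("location", "")
    redirects = http_status in (301, 302, 307, 308) and \
        location.lower().startswith("https://")

    m = re.search(r"max-age=(\d+)", ls.get("strict-transport-security", ""), re.I)
    hsts = bool(m) and int(m.group(1)) >= min_max_age
    return {"redirects": redirects, "hsts": hsts}


# Constructed sample responses (not captured from the real host).
BROKEN_HTTP = (200, {"Content-Type": "text/html"})      # answers over http
BROKEN_HTTPS = (200, {"Content-Type": "text/html"})     # no HSTS header
FIXED_HTTP = (301, {"Location": "https://distribute.kde.org/"})
FIXED_HTTPS = (200, {"Strict-Transport-Security":
                     "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    for addr in ("distribute.kde.org/kderuntime.flatpakrepo",
                 "http://distribute.kde.org/kderuntime.flatpakrepo",
                 "ftp://distribute.kde.org/kderuntime.flatpakrepo"):
        print(addr, "->", normalize_repo_url(addr))
    print("as reported:", check_https_enforcement(BROKEN_HTTP, BROKEN_HTTPS))
    print("after fix:  ", check_https_enforcement(FIXED_HTTP, FIXED_HTTPS))
```

In a real client the INSECURE verdict would drive the confirmation dialog the report asks for; the server-side check is what you would run after changing the web server config, feeding it the status line and headers from `curl -sI http://distribute.kde.org/` and `curl -sI https://distribute.kde.org/`.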
*** This bug has been marked as a duplicate of bug 393987 ***
Sorry, I have no idea why this was submitted twice. Perhaps I could have accidentally double-tapped the submit button twice on the touchpad before the next page was loaded? Still strange that Bugzilla didn't prevent this though.