• wiki_me@lemmy.ml · 31 points · 8 months ago

    How is that not security theater? You just need to:

    • publish a good snap
    • change it to malware after it is approved
    • profit

    The extra cost added to override this is fairly small, I don’t think it will help.

    • progandy@feddit.de · 17 points · 8 months ago

      At least this prevents impersonation of well-known publishers or their software. Maybe all changes to metadata like the description should require a manual review even for established packages.

      • wiki_me@lemmy.ml · 1 point · 8 months ago

        > At least this prevents impersonation of well-known publishers or their software

        How?

        • progandy@feddit.de · 5 points · edited · 8 months ago

          That depends on the depth of the review, e.g. verifying the submitter is a member of the project, the software name does not conflict with a well known name,…

          • wiki_me@lemmy.ml · 1 point · 8 months ago

            > verifying the submitter is a member of the project

            That’s a different requirement as far as I can tell (when you do that you get the “plus” sign next to the name on the store).

            > the software name does not conflict with a well known name,…

            It should conflict; the point is that some random dude can create a package and people could use it.

            They can review and check that the URL in the manifest used to build or install the package is from upstream, but that can later be changed. It would be better to have some system where you need to whitelist URLs, I think.
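As an added illustration of the two defensive ideas raised in this thread (an allowlist of upstream URLs that a publisher's build sources must come from, and re-review whenever package metadata changes), here is a small Python review gate. It is not code from the thread or from the Snap Store; the manifest shape is a simplified snapcraft.yaml-like dict, and the publisher name, allowlist entries, URLs and sample revisions are all constructed for the example.

```python
"""Added example: a store-side review gate for a new package revision.

It (1) checks every part's `source` URL against the publisher's allowlisted
upstream prefixes and (2) flags changes to user-facing metadata between the
previously approved revision and the candidate, so that a package which was
clean when approved cannot silently swap its build source or description later.

All data below is constructed; the manifest format only imitates snapcraft.yaml.
"""
from urllib.parse import urlparse

# Constructed allowlist: publisher -> https URL prefixes their sources may use.
# Matching is done on "prefix" or "prefix/..." so that an allowlisted
# "example-org" does not also admit "example-organization".
ALLOWED_PREFIXES = {
    "example-publisher": {
        "https://github.com/example-org",
        "https://downloads.example.org",
    },
}

# Metadata fields whose change should send the revision back to a human.
REVIEWED_METADATA = ("name", "summary", "description", "website", "contact")


def source_urls(manifest):
    """Collect (part name, source URL) for every part that declares a source."""
    urls = []
    for part_name, part in manifest.get("parts", {}).items():
        src = part.get("source")
        if src:
            urls.append((part_name, src))
    return urls


def _under_prefix(url, prefix):
    prefix = prefix.rstrip("/")
    return url == prefix or url.startswith(prefix + "/")


def check_sources(manifest, publisher):
    """Return findings for sources that are not https or not allowlisted."""
    prefixes = ALLOWED_PREFIXES.get(publisher, set())
    findings = []
    for part_name, src in source_urls(manifest):
        if urlparse(src).scheme != "https":
            findings.append(f"part '{part_name}': non-https source {src}")
            continue
        if not any(_under_prefix(src, p) for p in prefixes):
            findings.append(
                f"part '{part_name}': source {src} is outside the allowlisted upstream"
            )
    return findings


def metadata_changes(approved, candidate):
    """Return the reviewed metadata fields whose value differs between revisions."""
    return [f for f in REVIEWED_METADATA if approved.get(f) != candidate.get(f)]


def review_revision(approved, candidate, publisher):
    """Decide whether a candidate revision may auto-publish or needs manual review."""
    findings = check_sources(candidate, publisher)
    changed = metadata_changes(approved, candidate)
    if changed:
        findings.append("metadata changed: " + ", ".join(changed))
    return {"needs_manual_review": bool(findings), "findings": findings}


# Constructed sample revisions (hypothetical package "example-tool").
APPROVED = {
    "name": "example-tool",
    "summary": "A tool",
    "description": "Does useful things.",
    "parts": {"tool": {"source": "https://github.com/example-org/tool.git"}},
}
# Same package, but the build source now points elsewhere and the text changed.
TAMPERED = {
    "name": "example-tool",
    "summary": "A tool",
    "description": "Does useful things. Now with extras!",
    "parts": {"tool": {"source": "https://example.net/tool.tgz"}},
}

if __name__ == "__main__":
    print(review_revision(APPROVED, TAMPERED, "example-publisher"))
```

The gate treats a clean re-upload of the approved manifest as publishable with no findings, while the tampered revision produces one finding for the out-of-allowlist source and one for the changed description, so it is routed back to a reviewer.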