The Flatpak is already packaged and works well. It just needs to be maintained from a person that joins the Inkscape community.

This would allow further improvements like Portal support and making the app official on Flathub.

Update: One might have been found!

  • user
    link
    fedilink
    arrow-up
    8
    ·
    5 months ago

    Why is the flatpak not verified on flathub? Hmm

    • Daeraxa@lemmy.ml
      link
      fedilink
      arrow-up
      44
      ·
      edit-2
      5 months ago

      From the conversation it seems to be a similar situation to the project I’m with is in. The flatpak is essentially community maintained rather than being directly supported by the team. To become verified it needs to be done so by a representative of the maintainers of the software. To be verified it doesn’t have to have a team member involved in it but this is a requirement Inkscape seem to have imposed.

      For us we just aren’t in a position to want to support it officially just yet, we have some major upgrades coming to our underlying tech stack that will introduce a whole bunch of stuff that will allow various XDG portals etc. to work properly with the Flatpak sandboxing model. To support it now would involve tons of workarounds which would need to be removed later.

    • woelkchen@lemmy.world
      link
      fedilink
      arrow-up
      12
      ·
      5 months ago

      Why is the flatpak not verified on flathub? Hmm

      Because it’s not by upstream Inkscape, apparently.

      • corsicanguppy@lemmy.ca
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        5 months ago

        *'til

        But the lack of verification and validation is a huge risk to flatpaks. As someone formerly involved with securing OSes, this kind of thing was scary back then and doubly scary since it entered its “don’t confirm; just get in, loser” phase.

        • user
          link
          fedilink
          arrow-up
          1
          ·
          5 months ago

          😱 so I guess install via appimage?? Package manager? 🤷 🤯 brain malfunction. Im thinking don’t download or install until you verify the download with a hash and hopefully signature if they exist 🤷 use fedora? Which has better security? 🤷🤯

      • Spectacle8011@lemmy.comfysnug.space
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        For checksums: https://github.com/flathub/flathub/issues/1498#issuecomment-649098123

        Flatpak does verify the integrity of files as it is downloading/installing them. For ostree remotes this is done using GPG signatures (which are better than mere checksums). If you want to see the commit ID (which is like a checksum) for something on flathub use e.g. flatpak remote-info -c flathub org.gnome.Builder and for the local copy flatpak info -c org.gnome.Builder. For OCI remotes we at least check SHA256 sums and there might be more integrity verification mechanisms I’m unaware of.

        But for signatures: https://github.com/flatpak/flatpak-builder/issues/435