I just installed Debian with the KDE desktop and I’m looking to see what kind of packages are available in the Discover store by default, as they are not labeled, i.e., Snaps/Flatpak. Should I install Flatpak? Thanks, I don’t want to break anything.
There is no flatpak installed by default on Debian, so by default you get the regular stuff in the apt repositories. But you can install flatpak and then the corresponding plugin for Discover
if you haven’t added the flathub repository to your new debian kde desktop install, discover will only show you packages from debian’s repositories that were automatically configured during installation… even if you’ve added the flatpak ‘backend’ from inside discover–flathub still has to be added to your sources (see step 3 in link above).
once you have multiple sources of an application (for instance, ‘vlc’), discover will add a ‘sources’ pulldown (top right, next to the ‘install’ button) where you can choose debian system package or flatpak (or snap, if configured).
which source you use is entirely up to you. on my own debian desktop, i usually stick with debs if it has what i’m looking for, as i’ve chosen debian and have accepted their pace at which new software is added. if i wanted ‘bleeding edge’ i would have installed something else entirely on it. but you can certainly go ‘all flatpak’ if you wanted to.
Okay thanks. I’m thinking of sticking with deb packages also at the moment because a lot of apps on the flathub website say “Unverified”
a lot of apps on the flathub website say “Unverified”
Those are usually either wrappers for proprietary stuff, for example the Chrome flatpak is unverified because it’s not from Google themselves but rather somebody grabbing the official deb/rpm and rebuilding it into a flatpak (this is also how a lot of e.g. AUR packages on Arch work, basically), or open source stuff for which the dev/packager simply didn’t care enough to do the verification stuff that Flathub wants you to do (doesn’t actually seem that hard, but one might simply not have been aware of it or something).
Don’t recall people particularly complaining about the unverified badges before Mint started hiding unverified flatpaks by default, though; suddenly after that “everybody” started noticing them.
Yeah true, but if you’re choosing Debian then I can see why there is caution about “unverified” flatpaks.
Ultimately if they’re not verified then you’re taking it on trust that they’ve been repackaged by a good actor and not a bad actor. We have no reason to believe there are malicious flatpaks on flathub, and verified only really means it was packaged by the originating project itself. But it is still a separate chain of packaging and security from the official one in a distro.
And Flathub doesn’t need to be the repo used. Fedora for example created its own repo so it could verify its own flatpaks in the same way as its other system repos. Other distros do not seem to be following that path.
Personally I take the risk on flatpaks in the same way I will take risks on the opensuse OBS (or AUR in arch) - if I need/want the software and it’s not in the main repos for my distro I will generally take it off flathub rather than add an OBS source I don’t know well. (If it’s small software I might build from source myself).