Article doesn’t mention my biggest problem with flatpaks, that the packages are not digitally signed. All major Linux distros sign their packages, and flathub should too. I would prefer to see digital signatures from both flathub and the package’s maintainer. I don’t believe flathub has either one currently.
My problem with that theme is that it doesn’t highlight any buttons. I believe all buttons should have borders, especially the ones the titlebar. This helps distinguish a noninteractive label from an interactive clickable button.
This survey doesn’t distinguish between levels of cloud service provider, so I was a little confused.
Virtual private servers, cloud virtual servers (like AWS), cloud-based software where you provide code or a program and the cloud system runs it on a server of its choosing, and cloud-based systems where someone else provides the software (like Google Docs).
Mozilla, for example, would sign Firefox’s flatpak with a PGP key that they would disclose on their website. You verify the signature using the RSA algorithm (or any other algorithm for digital signatures. There are a bunch.) Or, you could just trust that your connection wasn’t tampered the first time, then you would have the public key, and it would verify each time that the package came from that same person. Currently, you have to trust every time that your connection isn’t tampered.
Major flatpak providers (Flathub at the very least) would include their PGP public key in the flatpak software repo, and operating system vendors would distribute that key in the flatpak infrastructure for their operating system, which itself is signed by the operating system’s key.