-
com.obsproject.Studio
Discontinued: This repository is no longer used to build OBS. Issues should be reported at https://github.com/obsproject/obs-studio
Every app has its own GitHub page where you can see how the flatpak is being built, where it is sourcing from, and every update made to it. I sometimes check these pages just to be sure myself because I don't fully trust the security model either.
Reading Flathub's App Submission guide, it looks like new app submissions are managed with pull requests that are reviewed by Flathub admins, however...
Examples: Chrome, Brave. Both examples currently have a disclaimer that the package is not verified by, affiliated with, or supported upstream.
With official packages, I have even more questions. Example: OBS Studio. The publisher link points to this repo, which is currently archived, with the message "This repository is no longer used to build OBS. Issues should be reported at https://github.com/obsproject/obs-studio". After some digging, I found they're using GitHub Actions to automatically publish to Flathub on release, which is fine (and pretty cool), but I would still prefer that Flathub provide some kind of records on their end. What assurances do I have that the package installed on my machine from Flathub is the one that was built by upstream? Maybe they have something and I'm not looking in the right place.
Here is a (very simple) example manifest from something I patched together: https://github.com/flathub/io.github.igorlogius.scr2ppm/blob/master/io.github.igorlogius.scr2ppm.yml