Flatpak verification for Mint 22

[mistermint]

Hi, I have Mint 21.1 (Vera) installed on my old labtop and Mint 22 (Wilma) on my new one. Mint 21.1 has MakeMKV (Flatpak) listed in the Repository, but Mint 22 has not. To be precise, it is listed when you select 'unverified' Flatpaks.
I was told that it is the developers that have to verify it.
What are the chances of a verified version of Mint 22 in the foreseeable future?

[mistermint]

OK, maybe I just found my answer: "MakeMKV is free while in beta"

Does this mean that the Flatpak version I found in the Mint 22 Repository is also a beta version of MakeMKV? Is this why it is 'unverified'?
Can somebody enlighten me please.

[Woodstock]

The official version of MakeMKV is available here, and it's an install file. Any version that is on a particular distribution's site is one that MAY be made from an official version, but it was made by someone other than the author.

As for whether or not it's a beta version, the difference between "beta" and "regular" is whether or not you've purchased a key. My registered version says "MakeMKV BETA", but it doesn't expire.

[mistermint]

I'm still confused. Does the following command not have any connection with the official version of MakeMKV?

flatpak install flathub com.makemkv.makemkv

[Woodstock]

No, it does not. Mike has not created a flatpak version, someone else has. That's the people that you need to verify they've updated versions.

Anyone can decide to make a flatpak; that's one of the beauties of it. Making an "OFFICIAL" version means defining what "official" means. For Mint, it would be approval of the creators of Mint, and they probably want to make sure it works with an official install of Mint. If they haven't put out a "Mint 22" version yet, that is something you can ask them about.

If Mike were creating flatpak distributions, I would personally assume they'd be integrated to not care what version of Linux they were being installed on (kind of the reason for doing it), so a "certified for Mint 21.1" should work on v22.x as well. But that means integrating into the archive things not directly part of MakeMKV, to make sure you get compatible versions.

[mistermint]

Thanks for your patience. I think it finally sunk in.
Much appreciated.

[georgesgiralt]

Hello,
MakeMkv is only officially distributed as source code you have to compile yourself and install. It is not that difficult once done it the first time (you have to check and install the required dependencies).
I do not know of any Linux distribution providing a version of MakeMkv officially compiled as there is none prepared by the official maker of MakeMkv.
This means that as you do not know who was the packager of the version you get on flatpack or snap or deb, you implicit ly trust her/him for not having added nasty things into the package you install...
As this risk is very serious and making your proper version of MakeMkv is quite easy, I won't trust anybody but the official maker of MakeMkv and compile it myself...
But as the saying goes, YMMV .......

[eang91]

Hello,
MakeMkv is only officially distributed as source code you have to compile yourself and install. It is not that difficult once done it the first time (you have to check and install the required dependencies).
I do not know of any Linux distribution providing a version of MakeMkv officially compiled as there is none prepared by the official maker of MakeMkv.
This means that as you do not know who was the packager of the version you get on flatpack or snap or deb, you implicit ly trust her/him for not having added nasty things into the package you install...
As this risk is very serious and making your proper version of MakeMkv is quite easy, I won't trust anybody but the official maker of MakeMkv and compile it myself...
But as the saying goes, YMMV .......

That's an exaggeration. Flathub is community maintained, there is no easy way to actually inject some malware in the makemkv flatpak without anyone noticing it.

And if you really don't trust the flathub version, you can always build a flatpak package on your own. Just take the manifest and pass it to flatpak-builder: https://github.com/flathub/com.makemkv. ... keMKV.yaml

[mistermint]

@georgesgiralt

Thank you for your reply.
There is a Flathub version in the Repository of Linux Mint 21.1 Cinnamon, but I guess, when you are referring to an officially compiled version of MakeMkv, you aren't talking about Flathub.
I'm afraid I have to admit from the start that I am no geek. My mileage varies in regards to knowledge. My Terminal use is pretty much limited to copy/paste. And compiling equals know-how, which again, I have to admit to my lack of.
But if you can point me to a 'How-To compile MakeMkv for Dummies' I'll be happy to give it a read.

[mistermint]

@eang91

I did think that Flatpak was supposed to be reasonably save to use, but as I mentioned in my first post, MakeMKV is only listed in Mint 22 when you select 'unverified' Flatpaks. And it does have a kind of a red flag because of that.

[eang91]

@eang91

I did think that Flatpak was supposed to be reasonably save to use, but as I mentioned in my first post, MakeMKV is only listed in Mint 22 when you select 'unverified' Flatpaks. And it does have a kind of a red flag because of that.

"Unverified" just means that the package is not provided/acked by the official makemkv developer. It does not mean that the package is "dangerous".

If you don't know how to compile from source, I'd suggest to use the flatpak package without worries.

[georgesgiralt]

Hello,
MakeMkv is only officially distributed as source code you have to compile yourself and install. It is not that difficult once done it the first time (you have to check and install the required dependencies).
I do not know of any Linux distribution providing a version of MakeMkv officially compiled as there is none prepared by the official maker of MakeMkv.
This means that as you do not know who was the packager of the version you get on flatpack or snap or deb, you implicit ly trust her/him for not having added nasty things into the package you install...
As this risk is very serious and making your proper version of MakeMkv is quite easy, I won't trust anybody but the official maker of MakeMkv and compile it myself...
But as the saying goes, YMMV .......

That's an exaggeration. Flathub is community maintained, there is no easy way to actually inject some malware in the makemkv flatpak without anyone noticing it.

And if you really don't trust the flathub version, you can always build a flatpak package on your own. Just take the manifest and pass it to flatpak-builder: https://github.com/flathub/com.makemkv. ... keMKV.yaml

Hi !
Do you remember the last year vulnerability on XZ-Tools package ? This package included a backdoor to be planted on SSH server... And had to do with tampered code ... Carefully planned and implemented... So in my view, the fact that packages be community maintained is no warranty, security wise.
If the maintainer of the package only provide source code, I _do_ prefer to do the compiling and installing myself. And get rid of the absurd limitations of snap or flatpack.
But your mileage may vary..

[eang91]

Hello,
MakeMkv is only officially distributed as source code you have to compile yourself and install. It is not that difficult once done it the first time (you have to check and install the required dependencies).
I do not know of any Linux distribution providing a version of MakeMkv officially compiled as there is none prepared by the official maker of MakeMkv.
This means that as you do not know who was the packager of the version you get on flatpack or snap or deb, you implicit ly trust her/him for not having added nasty things into the package you install...
As this risk is very serious and making your proper version of MakeMkv is quite easy, I won't trust anybody but the official maker of MakeMkv and compile it myself...
But as the saying goes, YMMV .......

That's an exaggeration. Flathub is community maintained, there is no easy way to actually inject some malware in the makemkv flatpak without anyone noticing it.

And if you really don't trust the flathub version, you can always build a flatpak package on your own. Just take the manifest and pass it to flatpak-builder: https://github.com/flathub/com.makemkv. ... keMKV.yaml

Hi !
Do you remember the last year vulnerability on XZ-Tools package ? This package included a backdoor to be planted on SSH server... And had to do with tampered code ... Carefully planned and implemented... So in my view, the fact that packages be community maintained is no warranty, security wise.
If the maintainer of the package only provide source code, I _do_ prefer to do the compiling and installing myself. And get rid of the absurd limitations of snap or flatpack.
But your mileage may vary..

That's not really comparable. What happened with xz-tools was even worse: the backdoor in xz-tools was in the upstream code, as the attacker managed to become an official maintainer of the project! Even if you manually compiled xz-tools from source, you still would have gotten the backdoor in your system.

[georgesgiralt]

Yes, actually it is. You have to be very aware of where your software comes from. Even official packages are at risk.
So I would only trust original software either from the official packager or my distribution team (hoping they have audited the code).
In the case of MakeMkv, compiling it is very easy so getting the original stuff is the better method to prevent as many risks as one can.
But of course, it is your data, your money and you can do as you please !