@pastermil @linux the attack surface for something that isn’t officially maintained by the developers, and that doesn’t have more vetting (e.g. distribution packages) opens up room for malicious actors.
e.g. #arch / #aur recommends verifying scripts manually before installing, and malicious scripts have been found and removed.
There are actors like #jiatan out there. An unofficial #flatpak needs manual verification before install - that’s why I just go with #snap if the flatpak isn’t official
@Bitrot @linux interesting, thank you for that information: I had been under the impression they did do manual verification of authors.
I did some checking: the closest I found to verification was this (so you’re right- no need to be the original author, but a bit of vetting does seem involved).
https://forum.snapcraft.io/t/manual-review-of-all-new-snap-name-registrations/39440
My takeaway here is to use whatever the authors recommend (assuming trusted authors)!