Flathub Discourse - Latest posts https://discourse.flathub.org

Update for Frog, but the CI/CD pipeline is stalled It is not related to Flathub. Please report to their repository.

Also, there is already a PR waiting for review.

https://discourse.flathub.org/t/update-for-frog-but-the-ci-cd-pipeline-is-stalled/12047#post_2 Wed, 22 Apr 2026 20:08:31 +0000 discourse.flathub.org-post-22225
Speech Note don’t start on Linux Mint 20.3 I got a similar issue and fixed it after many tries with Claude! I installed SpeechNote on an old HP laptop with Intel GPU and 16Gb of RAM. At launch, it was loading constantly with a black screen without any hint. I fixed it by installing the NVidia addon with flatpak install flathub net.mkiol.SpeechNote.Addon.nvidia (it failed to install the AMD one, due to a lack of RAM). I hope this helps someone later on…

https://discourse.flathub.org/t/speech-note-dont-start-on-linux-mint-20-3/5819#post_4 Wed, 22 Apr 2026 17:21:17 +0000 discourse.flathub.org-post-22224
Flatpak kodi can't use hardware acceleration (...from Debian can) Are other flatpak apps able to use HW accel on your system?

https://discourse.flathub.org/t/flatpak-kodi-cant-use-hardware-acceleration-from-debian-can/12049#post_3 Wed, 22 Apr 2026 13:36:29 +0000 discourse.flathub.org-post-22223
Flatpak kodi can't use hardware acceleration (...from Debian can) Best to open an issue at Issues · xbmc/xbmc · GitHub. We don’t provide support for individual packages on Flathub Discourse.

https://discourse.flathub.org/t/flatpak-kodi-cant-use-hardware-acceleration-from-debian-can/12049#post_2 Wed, 22 Apr 2026 08:33:20 +0000 discourse.flathub.org-post-22219
Should we include license files for build time dependencies? I think flatpak-builder will automatically pull in LICENSE files; either way, I don’t think build-time dependencies need their files included. IANAL, of course.

https://discourse.flathub.org/t/should-we-includelicense-files-for-build-time-dependencies/12054#post_2 Wed, 22 Apr 2026 08:32:22 +0000 discourse.flathub.org-post-22218
Should we include license files for build time dependencies? I’m not sure, therefore I copied the question here.

There are two interesting ones I don’t really know what to do with: for google-test and swig, the cleanup clause removes all files. Those are build-time only dependencies. The question is, if we don’t distribute any of their files, but needed them to build the software, do we then also have to include the license in the distributed package?

Source: Missing license file: libunistring · Issue #113 · flathub/org.gnucash.GnuCash · GitHub

https://discourse.flathub.org/t/should-we-includelicense-files-for-build-time-dependencies/12054#post_1 Wed, 22 Apr 2026 07:57:15 +0000 discourse.flathub.org-post-22217
I'd like to request removal of Fluxer

This is problematic. My time on Fluxer was pleasant up until it started to feel like I am dealing with a bunch of mentally unstable kids who shouldn’t be online because they are not mentally ready for the world. They are going to face things that might hurt them. But we need to be able to realize there are bigger fish to fry. This has led to them breaking their own rules. That being dogpiling and harassment, which was excused because I said an obvious joke. If this app doesn’t receive a takedown from Flathub, then I highly recommend that you do not use it. I was also given the impression that people were high and mighty and way too smug for their own good. I felt extremely vile toxic vibes. I tried to be civil and make it known to Fluxer HQ that this was a problem, but they said they intend for this place to be an adult day care center. And that’s when I knew that was a red flag for me. After that it didn’t take long for my account to be banned from the whole app. A lot of immature people are running this platform. If you value your stress and happiness and you are looking for a Discord alternative, use Kloak. I spoke to the moderator from the main Kloak community. He was really down to earth and he didn’t judge me. It was really refreshing for once.

https://discourse.flathub.org/t/id-like-to-request-removal-of-fluxer/12050#post_1 Wed, 22 Apr 2026 03:12:55 +0000 discourse.flathub.org-post-22212
Flatpak kodi can't use hardware acceleration (...from Debian can) Long time Libreelec user now running Linux Mint xfce 22.3, and old Intel NUC 5cyph (system specs at bottom of post). Please let me know if this is the wrong place to seek support, and I will move.

Kodi installs and works fine (via software manager), everything working OK except no hardware acceleration. The options do not even appear in settings (expert), and it’s not used during playback; viewing “o” playback info confirms this.

Installing the “from debian” Kodi version (again from software manager) HW accel works as normal, but as the PPA is no longer maintained, I am stuck on Nexus, where I would like to be current for various reasons, the main one being stability. HW accel also works everywhere else on the machine.

I am not confident to build from source myself.

I have tried various methods to make kodi see GPU- it has been hit and miss, occasionally working, but mostly not working.

  • Forcing kodi start with i965 driver
  • Using Flatseal to open GPU access (seemed to work initially but then failed)

Any ideas? I was always happy with LibreELEC, but I need a web browser hence the move to a desktop.

Thank you

System:
Kernel: 6.17.0-20-generic arch: x86_64 bits: 64 compiler: gcc v: 13.3.0 clocksource: tsc
Desktop: Xfce v: 4.18.1 tk: Gtk v: 3.24.41 wm: xfwm4 v: 4.18.0 with: xfce4-panel
tools: light-locker vt: 7 dm: LightDM v: 1.30.0 Distro: Linux Mint 22.3 Zena
base: Ubuntu 24.04 noble
Machine:
Type: Desktop Mobo: Intel model: NUC5CPYB v: H61145-404 serial:
uuid: UEFI: Intel v: PYBSWCEL.86A.0043.2015.0904.1904 date: 09/04/2015
CPU:
Info: dual core model: Intel Celeron N3050 bits: 64 type: MCP smt: arch: Airmont
rev: 3 cache: L1: 112 KiB L2: 2 MiB
Speed (MHz): avg: 2160 min/max: 480/2160 cores: 1: 2160 2: 2160 bogomips: 6400
Flags: ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Graphics:
Device-1: Intel Atom/Celeron/Pentium Processor x5-E8000/J3xxx/N3xxx Integrated Graphics
driver: i915 v: kernel arch: Gen-8 ports: active: HDMI-A-2 empty: DP-1,DP-2,HDMI-A-1
bus-ID: 00:02.0 chip-ID: 8086:22b1 class-ID: 0300
Display: x11 server: X.Org v: 21.1.11 with: Xwayland v: 23.2.6 compositor: xfwm4 v: 4.18.0
driver: X: loaded: modesetting unloaded: fbdev,vesa dri: crocus gpu: i915 display-ID: :0.0
screens: 1
Screen-1: 0 s-res: 1920x1080 s-dpi: 96 s-size: 508x285mm (20.00x11.22") s-diag: 582mm (22.93")
Monitor-1: HDMI-A-2 mapped: HDMI-2 model: Samsung res: 1920x1080 hz: 60 dpi: 305
size: 160x90mm (6.3x3.54") diag: 184mm (7.2") modes: max: 1920x1080 min: 640x480
API: EGL v: 1.5 hw: drv: intel crocus platforms: device: 0 drv: crocus device: 1 drv: swrast
gbm: drv: crocus surfaceless: drv: crocus x11: drv: crocus inactive: wayland
API: OpenGL v: 4.6 compat-v: 4.5 vendor: intel mesa v: 25.2.8-0ubuntu0.24.04.1 glx-v: 1.4
direct-render: yes renderer: Mesa Intel HD Graphics 400 (BSW) device-ID: 8086:22b1
API: Vulkan v: 1.3.275 layers: 3 surfaces: xcb,xlib device: 0 type: integrated-gpu driver: N/A
device-ID: 8086:22b1 device: 1 type: cpu driver: N/A device-ID: 10005:0000
Audio:
Device-1: Intel Atom/Celeron/Pentium Processor x5-E8000/J3xxx/N3xxx Series High Definition Audio
driver: snd_hda_intel v: kernel bus-ID: 00:1b.0 chip-ID: 8086:2284 class-ID: 0403
Device-2: NAD USB Audio 2.0 driver: snd-usb-audio type: USB rev: 2.0 speed: 480 Mb/s lanes: 1
bus-ID: 1-4:3 chip-ID: 17ae:0005 class-ID: fe01 serial:
API: ALSA v: k6.17.0-20-generic status: kernel-api
Server-1: PipeWire v: 1.0.5 status: active with: 1: pipewire-pulse status: active
2: wireplumber status: active 3: pipewire-alsa type: plugin
Network:
Device-1: Intel Wireless 3165 driver: iwlwifi v: kernel pcie: speed: 2.5 GT/s lanes: 1
bus-ID: 02:00.0 chip-ID: 8086:3165 class-ID: 0280
IF: wlp2s0 state: down mac:
Device-2: Realtek RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet
vendor: Intel RTL8111/8168/8411 driver: r8169 v: kernel pcie: speed: 2.5 GT/s lanes: 1 port: e000
bus-ID: 03:00.0 chip-ID: 10ec:8168 class-ID: 0200
IF: enp3s0 state: up speed: 1000 Mbps duplex: full mac:
Bluetooth:
Device-1: Intel Bluetooth wireless interface driver: btusb v: 0.8 type: USB rev: 2.0
speed: 12 Mb/s lanes: 1 bus-ID: 1-5.1:8 chip-ID: 8087:0a2a class-ID: e001
Report: hciconfig ID: hci0 rfk-id: 0 state: up address: bt-v: 4.2 lmp-v: 8 sub-v: 1000
hci-v: 8 rev: 1000 class-ID: 7c0104
Drives:
Local Storage: total: 111.79 GiB used: 68.86 GiB (61.6%)
ID-1: /dev/sda vendor: Samsung model: SSD 850 EVO 120GB size: 111.79 GiB speed: 6.0 Gb/s
tech: SSD serial: fw-rev: 1B6Q scheme: GPT
Partition:
ID-1: / size: 108.98 GiB used: 68.86 GiB (63.2%) fs: ext4 dev: /dev/sda2
ID-2: /boot/efi size: 511 MiB used: 6.1 MiB (1.2%) fs: vfat dev: /dev/sda1
Swap:
ID-1: swap-1 type: file size: 4.41 GiB used: 16 KiB (0.0%) priority: -2 file: /swapfile
USB:
Hub-1: 1-0:1 info: hi-speed hub with single TT ports: 7 rev: 2.0 speed: 480 Mb/s lanes: 1
chip-ID: 1d6b:0002 class-ID: 0900
Hub-2: 1-3:2 info: Genesys Logic USB 2.0 Hub / D-Link DUB-H4 ports: 4 rev: 2.0 speed: 12 Mb/s
lanes: 1 power: 100mA chip-ID: 05e3:0606 class-ID: 0900
Device-1: 1-3.1:4 info: Logitech Unifying Receiver type: mouse,HID
driver: logitech-djreceiver,usbhid interfaces: 2 rev: 2.0 speed: 12 Mb/s lanes: 1 power: 98mA
chip-ID: 046d:c52f class-ID: 0300
Device-2: 1-3.2:5 info: Clay Logic flirc type: keyboard driver: hid-generic,usbhid
interfaces: 2 rev: 1.1 speed: 1.5 Mb/s lanes: 1 power: 100mA chip-ID: 20a0:0001 class-ID: 0300
Device-3: 1-3.3:7 info: Shenzhen Rapoo 2.4G Receiver type: mouse,keyboard,HID
driver: hid-generic,usbhid interfaces: 4 rev: 1.1 speed: 12 Mb/s lanes: 1 power: 70mA
chip-ID: 24ae:9db6 class-ID: 0300 serial:
Device-4: 1-4:3 info: NAD USB Audio 2.0 type: audio driver: snd-usb-audio interfaces: 6
rev: 2.0 speed: 480 Mb/s lanes: 1 power: 10mA chip-ID: 17ae:0005 class-ID: fe01 serial:
Hub-3: 1-5:6 info: Genesys Logic Hub ports: 4 rev: 2.0 speed: 480 Mb/s lanes: 1 power: 100mA
chip-ID: 05e3:0610 class-ID: 0900
Device-1: 1-5.1:8 info: Intel Bluetooth wireless interface type: bluetooth driver: btusb
interfaces: 2 rev: 2.0 speed: 12 Mb/s lanes: 1 power: 100mA chip-ID: 8087:0a2a class-ID: e001
Hub-4: 2-0:1 info: super-speed hub ports: 6 rev: 3.0 speed: 5 Gb/s lanes: 1 chip-ID: 1d6b:0003
class-ID: 0900
Sensors:
System Temperatures: cpu: 51.0 C mobo: N/A
Fan Speeds (rpm): N/A
Repos:
Packages: 2229 pm: dpkg pkgs: 2218 pm: flatpak pkgs: 11
No active apt repos in: /etc/apt/sources.list
Active apt repos in: /etc/apt/sources.list.d/google-chrome.list

(Removed packages here as I could not post more than 4 links as a new user)

Memory: total: 8 GiB note: est. available: 7.18 GiB used: 2.22 GiB (30.8%)
Processes: 238 Power: uptime: 19h 33m states: freeze,mem,disk suspend: deep wakeups: 2
hibernate: platform Init: systemd v: 255 target: graphical (5) default: graphical
Compilers: gcc: 13.3.0 Client: Unknown python3.12 client inxi: 3.3.34

https://discourse.flathub.org/t/flatpak-kodi-cant-use-hardware-acceleration-from-debian-can/12049#post_1 Wed, 22 Apr 2026 03:05:31 +0000 discourse.flathub.org-post-22211
Update for Frog, but the CI/CD pipeline is stalled Hey there,

Project information:

  • Name: Frog

  • Homepage: https://github.com/TenderOwl/Frog

  • License: MIT

  • Upstream has been contacted: Yes. I have opened a Pull Request to update the Flatpak manifest. However, the PR is currently blocked: it requires an approving review from a maintainer with write access and a maintainer must manually approve the GitHub Actions workflow to run.

Description of the issue: I am trying to provide an update for Frog, but the CI/CD pipeline is stalled. I am reaching out to the Flathub community to see if a maintainer can review the changes and trigger the necessary build workflows, as the application hasn’t seen an update on the store for some time.

https://discourse.flathub.org/t/update-for-frog-but-the-ci-cd-pipeline-is-stalled/12047#post_1 Tue, 21 Apr 2026 19:51:38 +0000 discourse.flathub.org-post-22209
Nothing Will Install There is no app with that name

https://discourse.flathub.org/t/nothing-will-install/1850#post_11 Tue, 21 Apr 2026 14:39:30 +0000 discourse.flathub.org-post-22208
Update Requests: Simplenote (Outdated) and BlueMail (X11/Wayland Fixes) Simplenote

Project information:

  • Name: Simplenote

  • Homepage: https://simplenote.com/

  • License: GPL-2.0

  • Upstream has been contacted: Yes, this request is to merge a pending Pull Request that updates the app after 4 years of inactivity on Flathub.

Additional Information: I have submitted a PR to update the package to the latest stable version. There is another PR open from a month ago, but it lacks activity. My PR ensures all build manifests are current and stable.


Module 2: BlueMail

Project information:

  • Name: BlueMail

  • Homepage: https://bluemail.me/

  • License: Proprietary

  • Upstream has been contacted: Yes, I am submitting this to fix critical execution regressions found in the current Flathub build.

Additional Information: The current version has major stability issues that this PR addresses:

  1. X11: The application fails to launch.

  2. Wayland: Significant delays during the startup sequence. This update optimizes the runtime environment for better display server compatibility.

https://discourse.flathub.org/t/update-requests-simplenote-outdated-and-bluemail-x11-wayland-fixes/12045#post_1 Tue, 21 Apr 2026 14:37:34 +0000 discourse.flathub.org-post-22206
Nothing Will Install error: Nothing matches dev.tchx84.Hidamari in remote flathub. Do you know the problem!

https://discourse.flathub.org/t/nothing-will-install/1850#post_9 Tue, 21 Apr 2026 08:58:39 +0000 discourse.flathub.org-post-22200
Build fail: build-x86_64 The self-hosted runner lost communication with the server. Verify the machine is running You need to reduce the number of parallel jobs or figure out some other way to make it use less memory. ParaView builds already get scheduled on runners with at least 64GB of RAM.

https://discourse.flathub.org/t/build-fail-build-x86-64-the-self-hosted-runner-lost-communication-with-the-server-verify-the-machine-is-running/12036#post_2 Mon, 20 Apr 2026 09:26:01 +0000 discourse.flathub.org-post-22198
Ul and li not authorized despite documentation says it Ok, I figured it out.

html-like nested tags don’t work like:

```
<p> A list :
  <ul>
     <li>A list item</li>
  </ul>
</p>
```

But <ul> as main tag will work:

```
<p>A list:</p>
<ul>
  <li>An item</li>
</ul>
```

https://discourse.flathub.org/t/ul-and-li-not-authorized-despite-documentation-says-it/12037#post_2 Sun, 19 Apr 2026 06:51:13 +0000 discourse.flathub.org-post-22190
Ul and li not authorized despite documentation says it Hi,

I am packaging my first application here. I am confused about the use of <ul> and <li> tags in the description and release fields of the metainfo.xml.

According to Flathub documentation, it is the right way to put up a description list. See MetaInfo guidelines | Flathub Documentation

However, when I run the linter (also recommended in the documentation), the ul and li tags are reported as errors.

What’s the source of truth? If I don’t use <ul><li> tags, what’s the proper way to provide a feature list?

https://discourse.flathub.org/t/ul-and-li-not-authorized-despite-documentation-says-it/12037#post_1 Sun, 19 Apr 2026 06:11:03 +0000 discourse.flathub.org-post-22189
Empty Clip 2.0.4 not getting published I forgot about it but then I checked again and looks like it finally got updated. Thanks!

https://discourse.flathub.org/t/empty-clip-2-0-4-not-getting-published/11972#post_6 Sat, 18 Apr 2026 15:57:46 +0000 discourse.flathub.org-post-22188
Build fail: build-x86_64 The self-hosted runner lost communication with the server. Verify the machine is running The build for ParaView fails because of this error. Could it have failed because it is running out of memory? Is this a temporary issue?
Thanks.

build-x86_64
The self-hosted runner lost communication with the server. Verify the machine is running and has a healthy network connection. Anything in your workflow that terminates the runner process, starves it for CPU/Memory, or blocks its network access can cause this error.

https://discourse.flathub.org/t/build-fail-build-x86-64-the-self-hosted-runner-lost-communication-with-the-server-verify-the-machine-is-running/12036#post_1 Sat, 18 Apr 2026 14:58:04 +0000 discourse.flathub.org-post-22187
Ryubing emulator was removed from flathub. Help me! The DMCA notice is about screenshots, but the app doesn’t build at the moment. It is still installable from the terminal.

https://discourse.flathub.org/t/ryubing-emulator-was-removed-from-flathub-help-me/12034#post_3 Sat, 18 Apr 2026 07:18:14 +0000 discourse.flathub.org-post-22185
Ryubing emulator was removed from flathub. Help me! Well, as it was already mentioned, the application had to be removed due to a DMCA Takedown. So the application has been set to be EOL (end of life).

Now, Flatpak itself does not remove applications that are EOL. KDE Discover however does strongly encourage to remove unmaintained applications. That’s the prompt you have seen.

As for reinstalling it:
If it were a simple EOL, you could AFAIK still use the flatpak install command to install it, if you know the application id, as the application is only hidden.
That will probably not work in this case though, as when an application is removed due to a DMCA takedown, the application has to be removed from the servers.

https://discourse.flathub.org/t/ryubing-emulator-was-removed-from-flathub-help-me/12034#post_2 Sat, 18 Apr 2026 07:14:14 +0000 discourse.flathub.org-post-22184
Ryubing emulator was removed from flathub. Help me! I was just casually installing updates through KDE Discover, then a message dialog appeared and said “Ryujinx (Ryubing) is no longer available due to a dmca takedown. Would you like to remove it?”.

First, I clicked “no” and clicked “refresh”, the “update” was still there. When I clicked “Update All”, it brought up that same dialog prompt.

So I clicked “yes” thinking it would only remove the update prompt, but nope it DELETED the ENTIRE application from my system.

Why? I don’t understand.

Isn’t there any way to just disable the update prompt?

And how do I get Ryubing emulator back?

If it was KDE Discover that was responsible for deleting it ENTIRELY from my system instead of just the reference, that’s so evil of them to do that.

I’m gonna ask about it on KDE discourse as well.

Please help me!!!

https://discourse.flathub.org/t/ryubing-emulator-was-removed-from-flathub-help-me/12034#post_1 Sat, 18 Apr 2026 01:30:09 +0000 discourse.flathub.org-post-22183
Arkadyzja request Project information: Arkadyzja is a way to play retro PlayStation 1 games and other online platforms.

Name: arkadyzja
Homepage: https://arkadyzja.honmaru.pl GitHub - Arkadyzja/ArkadyzjaClient · GitHub

https://discourse.flathub.org/t/arkadyzja-request/12001#post_1 Fri, 17 Apr 2026 04:00:34 +0000 discourse.flathub.org-post-22150
Buchable (Audiobookshelf client) I am working on this.

https://discourse.flathub.org/t/buchable-audiobookshelf-client/11884#post_2 Wed, 15 Apr 2026 07:19:34 +0000 discourse.flathub.org-post-22142
From web calculator to App. Designing a YouTube engagement analytics app for Linux I’m the developer behind LenosTube’s YouTube Engagement Calculator (web version). It’s a free, no signup tool that lets creators paste a YouTube video or channel link and instantly see their engagement rate, computed from likes, comments, shares, views, and other key metrics pulled directly from YouTube’s API.

I’m now thinking of turning this into a Linux desktop app distributed via Flathub. The idea is to:

  1. Make it offline‑ready (cached results, smoother UX) while still pulling live data when online.

  2. Add desktop friendly features: history of analyzed videos/channels, exportable reports, and maybe even offline stats‑tracking for a creator’s own library.

  3. Integrate cleanly with GNOME/other desktops: native notifications when long‑running analyses finish, proper app icons, and maybe a quick‑action helper (e.g., “Copy current video URL and analyze”).

Before I invest time in building this as a Flatpak packaged app, I’d love to know:

Are there existing YouTube analytics or engagement tools on Flathub that do something similar?
What would you, as a Linux desktop user, expect from such an app beyond the current web version? E.g., multi‑account support, export formats (CSV/JSON), or integration with other desktop tools?
Any hard Flathub specific constraints or guidelines I should bake in from the start (e.g., network usage, data‑privacy design, branding)?

https://discourse.flathub.org/t/from-web-calculator-to-app-designing-a-youtube-engagement-analytics-app-for-linux/11993#post_1 Tue, 14 Apr 2026 20:00:43 +0000 discourse.flathub.org-post-22140
How to install on Sparky Linux Sparky Linux is apparently based on Debian, so you should be able to follow the instructions for Debian:

https://discourse.flathub.org/t/how-to-install-on-sparky-linux/11991#post_2 Tue, 14 Apr 2026 06:46:28 +0000 discourse.flathub.org-post-22138
How to install on Sparky Linux Please add Sparky Linux to your How to install on the different distros page.

https://discourse.flathub.org/t/how-to-install-on-sparky-linux/11991#post_1 Tue, 14 Apr 2026 01:55:19 +0000 discourse.flathub.org-post-22137
Security of unverified flatpaks
github.com/flathub-infra/website

This is a follow up from a conversation around https://popey.com/blog/2024/02/ex

https://discourse.flathub.org/t/security-of-unverified-flatpaks/11983#post_9 Mon, 13 Apr 2026 14:27:05 +0000 discourse.flathub.org-post-22134
Grsync Flatpak Request It’s been years. But I can’t find a single, user friendly application on GitHub that would allow me to copy Pictures folder incrementally to a USB drive on a monthly basis.

Pika Backup and Deja Dup/Gnome Backup both create a sort of chunked archive that you can only access via those apps or a Borg client. That’s not an option for me.

I want to be able to plug in the drive on any kind of system, and see my photos.

No application can do that. Not on Flathub. GRsync can do it. But hard to install on something like Bluefin, Bazzite since they are immutable.

https://discourse.flathub.org/t/grsync-flatpak-request/1548#post_5 Sun, 12 Apr 2026 23:52:44 +0000 discourse.flathub.org-post-22129
Security of unverified flatpaks
barthalion:

We attempted that but it was unrealistic. I’m working on some heuristic to flag “invasive” changes but as always, I can’t say if or when.

So there has been an attempt. What was unrealistic about it? Was it the review load on human reviewers?

I do have a suggestion. What if we flagged a change for human review if the domain in a URL is modified? This should tighten the restriction on changes at a great cost-benefit ratio. I imagine domain changes are infrequent in legitimate scenarios. Though, we’d have to also create stricter cases for git repos, since changing the owner/name URL portion changes ownership.

I’m interested in hearing about the heuristics you’re working on, if you don’t mind talking about it publicly.

https://discourse.flathub.org/t/security-of-unverified-flatpaks/11983#post_8 Sun, 12 Apr 2026 21:55:12 +0000 discourse.flathub.org-post-22128
Security of unverified flatpaks
bobbo:

But no mention of review when URL or SHA1 changes.

We attempted that but it was unrealistic. I’m working on some heuristic to flag “invasive” changes but as always, I can’t say if or when.

We would roll back a change like that, or yank the package altogether, combined with an announcement on the website.

This is not really different to other Linux distributions by any means. Like every open source project, we put a lot of trust into people maintaining apps. The unverified ProtonPass you mentioned in your initial post is a fairly old app and the submission process has been hugely tightened since. I don’t think it’s likely it would be accepted these days; that being said, it’s maintained by a long-term Flathub maintainer.

https://discourse.flathub.org/t/security-of-unverified-flatpaks/11983#post_7 Sun, 12 Apr 2026 18:10:45 +0000 discourse.flathub.org-post-22126
[Request] Stream Deck - OBS Studio Linux Plugin Flatpak Project information: the source code of the Stream Deck OBS Studio plugin for Windows, macOS and Linux.

Name: StreamDeckOBSStudioLinuxPlugin
Homepage: GitHub - LinuxGamesTV/streamdeck-obs-linux-plugin2: Stream Deck - OBS Studio plugin 2.0 · GitHub
License: GPL3
Upstream has been contacted: No

Hi, I need help for a flatpak version from the obs-streamdeck-plugin for linux.

I tried to pack it, but I couldn’t pack the flatpak.

https://discourse.flathub.org/t/request-stream-deck-obs-studio-linux-plugin-flatpak/11986#post_1 Sun, 12 Apr 2026 16:15:03 +0000 discourse.flathub.org-post-22125
Package changes not visible in Flathub Github repository It seems the last commit was reissued for a non-obvious reason. There is no suspicious activity.

```
LANG=EN flatpak remote-info flathub --system net._86box._86Box.ROMs --log

86Box ROMs - ROMs for an 86Box classic IBM PC clones emulator

            ID: net._86box._86Box.ROMs
           Ref: runtime/net._86box._86Box.ROMs/x86_64/stable
          Arch: x86_64
        Branch: stable
       Version: 5.3
       License: LicenseRef-proprietary=https://raw.githubusercontent.com/86Box/roms/master/LICENSE
    Collection: org.flathub.Stable
 Download Size: 2.3 kB
Installed Size: 5.1 kB

        Commit: 875517e5cc83c1e400c13ac2e1888fb46afec87078e260b9c8e9be53d5c12956
        Parent: bdc4c769823c9c03bc49d900fd4a5a5ce0c56cda6eca6d1c32c1c2883687ca43
       Subject: Update the runtime (#31) (324266da7ddd)
          Date: 2026-04-11 19:07:57 +0000
       History: 

        Commit: bdc4c769823c9c03bc49d900fd4a5a5ce0c56cda6eca6d1c32c1c2883687ca43
       Subject: Update the runtime (#31) (324266da7ddd)
          Date: 2025-12-25 10:52:19 +0000

        Commit: 15c537ed7f0b7323b6b4ffd74a85ec61c71cf80c747a5ad4be5e0d3883b81060
       Subject: 86box-roms: Update 86Box-roms.tar.gz to 5.3 (#29) (77b5469e6ac5)
          Date: 2025-12-23 20:15:04 +0000

        Commit: db9dc93b1c4a4bb0eef80a048ba01c6dd02f6d54fb9cf46780ad565920924835
       Subject: 86box-roms: Update 86Box-roms.tar.gz to 5.2 (#28) (8410ec01696d)
          Date: 2025-10-26 23:33:00 +0000

        Commit: fad625483ee4e93f95022a6ff0e59710582f7beab8253f388ce96b0a11a98144
       Subject: Update the runtime (#27) (dededb1863c0)
          Date: 2025-10-04 18:27:49 +0000
```
https://discourse.flathub.org/t/package-changes-not-visible-in-flathub-github-repository/11985#post_2 Sun, 12 Apr 2026 12:34:21 +0000 discourse.flathub.org-post-22124
Package changes not visible in Flathub Github repository I’m seeing a pending update for net._86box._86Box.ROMs when running “flatpak update”. A new update was released at 2026-04-11 19:07:57.
Looking at the GitHub repo at GitHub - flathub/net._86box._86Box.ROMs · GitHub the latest change seems to be from 4 months ago, why is the update not visible on the GitHub repo? I was under the impression that all changes to Flathub builds would be reflected there, or even that the data on GitHub was the “master” used for building the flatpak package.

Is there any other git repo where I can see details of the committed changes to this package since it’s not available on GitHub?

86Box ROMs - ROMs for an 86Box classic IBM PC clones emulator

    ID: net._86box._86Box.ROMs
   Ref: runtime/net._86box._86Box.ROMs/x86_64/stable
  Arch: x86_64
Branch: stable

Version: 5.3
License: LicenseRef-proprietary=https://raw.githubusercontent.com/86Box/roms/master/LICENSE
Collection: org.flathub.Stable
Download: 2.3 kB
Installed: 5.1 kB

Commit: 875517e5cc83c1e400c13ac2e1888fb46afec87078e260b9c8e9be53d5c12956
Parent: bdc4c769823c9c03bc49d900fd4a5a5ce0c56cda6eca6d1c32c1c2883687ca43

Subject: Update the runtime (#31) (324266da7ddd)
Date: 2026-04-11 19:07:57 +0000

https://discourse.flathub.org/t/package-changes-not-visible-in-flathub-github-repository/11985#post_1 Sun, 12 Apr 2026 11:14:48 +0000 discourse.flathub.org-post-22123
Security of unverified flatpaks The first question is very technical; I wish there were detailed documentation pages to answer your question. Here’s what I could find:

Second question:

Even modified source code must use the same sandbox permissions. Otherwise, some major changes made to the manifest file will automatically trigger certain alarms, and the application will not be released. We also track changes made to the manifest file. I wish there was a restriction preventing changes to the main repository. Sometimes applications change repository names, sometimes developers change usernames, and there is currently no strict restriction against changing the main repository URL.

I couldn’t find any documentation to link to regarding the last question.

That’s all the information I have. I didn’t want to just paste an AI-generated answer.

/Google Translate

https://discourse.flathub.org/t/security-of-unverified-flatpaks/11983#post_6 Sun, 12 Apr 2026 09:23:39 +0000 discourse.flathub.org-post-22122
Qt Qml Changes of mcpelauncher missing in flathub artifact Qt’s QML disk cache is broken in the flatpak client; disabling this Qt feature made the problem disappear.
```
flatpak run --env=QML_DISABLE_DISK_CACHE=1 io.mrarm.mcpelauncher//stable
```

I will add --env=QML_DISABLE_DISK_CACHE=1 to the manifest, but usually this should not be needed.

https://discourse.flathub.org/t/qt-qml-changes-of-mcpelauncher-missing-in-flathub-artifact/11984#post_2 Sun, 12 Apr 2026 08:34:07 +0000 discourse.flathub.org-post-22121
Security of unverified flatpaks I have asked three questions:

  1. What measures does Flathub take to prevent a malicious, established Flathub contributor from updating the manifest with a malicious source?
  2. What happens if a malicious contributor were to change the source URL to a malicious domain?
  3. If (2) were to happen, would the users of the compromised flatpak be alerted somehow?

I do not understand your answer in relation to any of these questions. Do you mean to say that it’s unreasonable for me to entertain the idea of Flathub employing supply-chain attack prevention measures and harm mitigation responses, in the case that the application package is not published by its developer?

https://discourse.flathub.org/t/security-of-unverified-flatpaks/11983#post_5 Sat, 11 Apr 2026 23:11:10 +0000 discourse.flathub.org-post-22120
Security of unverified flatpaks Don’t use any application you think is unsafe.

Verified apps do not mean “secure”.

https://discourse.flathub.org/t/security-of-unverified-flatpaks/11983#post_4 Sat, 11 Apr 2026 23:04:44 +0000 discourse.flathub.org-post-22119
Security of unverified flatpaks What is the relevance of this? I don’t see how this addresses the question.

https://discourse.flathub.org/t/security-of-unverified-flatpaks/11983#post_3 Sat, 11 Apr 2026 22:37:54 +0000 discourse.flathub.org-post-22118
Security of unverified flatpaks GPL v3 and many Open Source licenses say:

THERE IS NO WARRANTY FOR THE PROGRAM.

https://discourse.flathub.org/t/security-of-unverified-flatpaks/11983#post_2 Sat, 11 Apr 2026 20:47:17 +0000 discourse.flathub.org-post-22117
Qt Qml Changes of mcpelauncher missing in flathub artifact
  • I changed the mcpelauncher-qt qml sources recently
  • After merging the change to Flathub stable: the build passes, the build number provided by C++ is updated, but the expected UI changes are missing
  • The source code of the builder seems to be up to date and the C++ part is rebuilt
  • Known one-time workaround from January

    • Update KDE SDK & Runtime, but there are not enough updates available to do this for every small UI change

    I track this in flathub and flathub-beta builds older version of mcpelauncher-ui-manifest qml than in manifest specifies · Issue #412 · flathub/io.mrarm.mcpelauncher · GitHub as well.

    On GitHub Actions I would manually try to delete the build cache and rebuild.

    Could a Flathub infrastructure admin help me try this?

    • Clear the cache of io.mrarm.mcpelauncher
    • Trigger a rebuild from scratch

    I am absolutely clueless, since I cannot imagine that anything other than the cache, the delta format or the Flathub ostree could be an issue with my Flathub manifest.

    None of the pipelines I control has ever shown any such issue, since the old QML files should not even be accessible in flathub-builder.

    https://discourse.flathub.org/t/qt-qml-changes-of-mcpelauncher-missing-in-flathub-artifact/11984#post_1 Sat, 11 Apr 2026 11:58:23 +0000 discourse.flathub.org-post-22115
    Integrating Flathub releases with my release pipeline Hi,

    I did set up auto merge for flathub-beta a while ago

    E.g.

    • I added a special label beta-update to the PR as a filter so only specific PRs get auto merged
    • Take care not to auto merge PRs from untrusted forks/users
    • Usually users from forks cannot freely decide about PR labels
    • This workflow checks that the author of the done comment is the Flathub bot's account ID, not anyone trying to fake that entity
    • The Flathub bot comment usually arrives some minutes after the commit status, but that is good enough for full automation

    I cannot say if this is a good solution, but merging possibly daily beta PRs by hand is not manageable.

    https://discourse.flathub.org/t/integrating-flathub-releases-with-my-release-pipeline/11973#post_2 Sat, 11 Apr 2026 11:41:44 +0000 discourse.flathub.org-post-22114
    Security of unverified flatpaks What measures does Flathub take to prevent a malicious, established Flathub contributor from updating the manifest with a malicious source? As far as I know, there is a first-time verification and security audit of the manifest when it is first submitted, but only certain audits after that. Flatpaks are flagged for human review when any of the following changes: app name, developer name, app summary, or license. But there is no mention of review when the URL or SHA1 changes.

    So what happens if a malicious contributor were to change the source URL to a malicious domain? And if this were to happen, hypothetically, would the users of the compromised flatpak be alerted somehow?

    In the case that the manifest is compromised, sandboxing would not prevent confidential data from being exfiltrated from within the application. For example, if you were to use Proton Pass, which is an unverified package for a password manager: a malicious actor could replace the source with their own malicious version and exfiltrate all user passwords in a smash and grab, until the package is corrected.

    What measures have been taken to prevent this scenario?

    https://discourse.flathub.org/t/security-of-unverified-flatpaks/11983#post_1 Sat, 11 Apr 2026 02:39:47 +0000 discourse.flathub.org-post-22113
    OARS None When Missing I merged your second pull request, but it may be a while before I submit a new version to test the change.

    https://discourse.flathub.org/t/oars-none-when-missing/11979#post_8 Fri, 10 Apr 2026 23:01:56 +0000 discourse.flathub.org-post-22112
    OARS None When Missing Actually, there is nothing wrong with your application. I assumed something was wrong and tried to fix it. It’s just wording.

    From the Bazaar app

    From the GNOME Software

    https://discourse.flathub.org/t/oars-none-when-missing/11979#post_7 Fri, 10 Apr 2026 21:19:42 +0000 discourse.flathub.org-post-22110
    OARS None When Missing In this case, you can set them to none, like the following.

    https://discourse.flathub.org/t/oars-none-when-missing/11979#post_6 Fri, 10 Apr 2026 21:10:29 +0000 discourse.flathub.org-post-22109
    OARS None When Missing I also commented on the Codeberg pull request, but I am wondering: if I use KDE as well as GNOME, is that version an issue?

    https://discourse.flathub.org/t/oars-none-when-missing/11979#post_5 Fri, 10 Apr 2026 18:37:36 +0000 discourse.flathub.org-post-22108
    Is there a way to download a flatpak from flathub standalone? I think create-usb works with what is locally available. You’ll have to flatpak update --commit=[hash] first if you want a specific version.

    https://discourse.flathub.org/t/is-there-a-way-to-download-a-flatpak-from-flathub-standalone/11826#post_4 Fri, 10 Apr 2026 16:57:11 +0000 discourse.flathub.org-post-22107
    OARS None When Missing Probably related to the OARS version. Would you implement the following changes?

    https://discourse.flathub.org/t/oars-none-when-missing/11979#post_4 Fri, 10 Apr 2026 09:12:48 +0000 discourse.flathub.org-post-22105
    OARS None When Missing
    flathub.org
    https://discourse.flathub.org/t/oars-none-when-missing/11979#post_3 Fri, 10 Apr 2026 01:30:05 +0000 discourse.flathub.org-post-22104
    Empty Clip 2.0.4 not getting published Could you open an issue in the following tracker? Thanks.

    https://discourse.flathub.org/t/empty-clip-2-0-4-not-getting-published/11972#post_4 Thu, 09 Apr 2026 22:55:02 +0000 discourse.flathub.org-post-22102
    OARS None When Missing Which app are you checking? I might have a look.

    https://discourse.flathub.org/t/oars-none-when-missing/11979#post_2 Thu, 09 Apr 2026 22:53:55 +0000 discourse.flathub.org-post-22101