Flatpak is stable and widely used, but it still has some pain points when used in certain environments or for certain ends. However, most of those drawbacks are being worked on, and fixes are planned.
Best to do both, really, so a record of using a consistent public key is created.
Then supply chain attacks might be noticed. If someone manages to replace the file on the webserver but can’t get to the signing key, you’ve prevented the attack.
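The point made above, as an added example that is not part of the thread or of Flatpak's own code: Flatpak signs bundles and OSTree repositories with GPG, but to keep this runnable offline the publisher key here is an Ed25519 key from Go's standard library, and the bundle is a constructed byte string rather than a real `.flatpak`. The types and functions (`Release`, `Publish`, `VerifyChecksum`, `VerifySigned`, `Scenario`) and the key seeds are all constructed for the illustration. It shows why a checksum alone is not enough: whoever can rewrite the file on the web server can rewrite the checksum beside it too, so only the check against a public key the installer pinned earlier catches the swap.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what a publisher puts on the web server: the bundle bytes, the
// published SHA-256 and a detached signature over the bundle. It is a
// constructed stand-in for a Flatpak bundle plus its GPG signature.
type Release struct {
	Bundle    []byte
	SHA256    string
	Signature []byte
}

// Publish hashes the bundle and signs it with the publisher's private key.
func Publish(priv ed25519.PrivateKey, bundle []byte) Release {
	sum := sha256.Sum256(bundle)
	return Release{
		Bundle:    bundle,
		SHA256:    hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, bundle),
	}
}

// VerifyChecksum is the checksum-only check: recompute SHA-256 and compare it
// with the checksum published next to the file.
func VerifyChecksum(r Release) error {
	sum := sha256.Sum256(r.Bundle)
	if hex.EncodeToString(sum[:]) != r.SHA256 {
		return errors.New("checksum mismatch")
	}
	return nil
}

// VerifySigned is the full check: checksum first, then the signature against
// the public key the installer pinned when it first added this publisher.
func VerifySigned(pinnedPub ed25519.PublicKey, r Release) error {
	if err := VerifyChecksum(r); err != nil {
		return err
	}
	if !ed25519.Verify(pinnedPub, r.Bundle, r.Signature) {
		return errors.New("signature not made by the pinned publisher key")
	}
	return nil
}

// Outcome records which checks accept the genuine and the swapped release.
type Outcome struct {
	GenuinePasses          bool // genuine release passes the full check
	SwappedPassesChecksum  bool // a re-hashed swap fools the checksum-only check
	SwappedPassesSignature bool // ...but cannot pass the pinned-key signature check
}

// Scenario models the case in the comment above: a party who can rewrite the
// files on the web server (bundle and checksum alike) but holds no copy of the
// publisher's signing key. Keys derive from fixed, constructed 32-byte seeds
// so the run is reproducible.
func Scenario() Outcome {
	publisherPriv := ed25519.NewKeyFromSeed([]byte("publisher-seed-0123456789abcdef0"))
	publisherPub := publisherPriv.Public().(ed25519.PublicKey)
	otherPriv := ed25519.NewKeyFromSeed([]byte("some-other-key-seed-0123456789ab"))

	genuine := Publish(publisherPriv, []byte("constructed bundle contents v1.0"))

	// The swapped release is re-hashed so the published checksum matches the
	// new file, and signed with whatever key the swapper does hold.
	swapped := Publish(otherPriv, []byte("constructed bundle contents, altered"))

	return Outcome{
		GenuinePasses:          VerifySigned(publisherPub, genuine) == nil,
		SwappedPassesChecksum:  VerifyChecksum(swapped) == nil,
		SwappedPassesSignature: VerifySigned(publisherPub, swapped) == nil,
	}
}

func main() {
	// Expected: GenuinePasses and SwappedPassesChecksum true, SwappedPassesSignature false.
	fmt.Printf("%+v\n", Scenario())
}
```

The design point is the pinned key: the installer must have obtained the publisher's public key out of band (or at first install) and keep using that same key, which is exactly the "record of using a consistent public key" the comment refers to. A key fetched fresh from the same compromised web server at install time would give no such protection.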
Wouldn’t it make more sense then for them to simply host the Flatpak themselves? I kind of thought that was the whole idea of Flatpak.