Flatpak is stable and widely used, but it still has some pain points when used in certain environments or for certain ends. However, most of those drawbacks are being worked on, and fixes are planned.
Best to do both, really, so a record of using a consistent public key is created.
Then supply chain attacks might be noticed. If someone manages to replace the file on the webserver but can’t get to the signing key you’ve prevented the attack.
Best to do both, really, so a record of using a consistent public key is created.
Then supply chain attacks might be noticed. If someone manages to replace the file on the webserver but can’t get to the signing key you’ve prevented the attack.