Never mind that you can compile them from source, and presumably verify the checksum of the developer-provided Flatpak if you do it just so. Am I missing something about Flatpaks, or even snaps, or is OP?
Verifying the checksum like that requires Reproducible Builds, which you don't get for free. The compiler output has to be bit-for-bit precisely the same, no matter where you run the build, which is rarely the case by default.
https://en.wikipedia.org/wiki/Reproducible_builds
They're saying that the developer could be publishing source code which has nothing to do with what they're bundling and distributing as a Flatpak here. Unless you or a trusted third party (e.g. your distro) compiles the Flatpak from the published source code, there is nothing that links the published source code and the contents of the Flatpak.
What part of it says that you build a Flatpak?
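The two points made in the thread, that a checksum comparison only means something if the build is reproducible, and that rebuilding from the published source is the only thing that ties the source to the shipped artifact, can be shown end to end with a small packaging step in place of a real compiler. This is an added example and not code from the thread or from the Flatpak project; the source tree, the `naive_build`, `reproducible_build` and `verify_against_published` names, and the idea of standing in for a build with a tar.gz are all constructed for illustration. The naive packer leaks build time and builder uid into the archive, so two honest builds of identical source disagree; the reproducible packer pins every varying field (sorted entry order, `SOURCE_DATE_EPOCH`-style timestamps, zeroed ownership, gzip header mtime) so an independent rebuild yields the same bytes and a digest mismatch can only mean the artifact was not built from that source.

```python
import gzip
import hashlib
import io
import tarfile
import time

# Constructed stand-in for a published source release (not a real project).
SOURCE_TREE = {
    "app/main.py": b"print('hello from the app')\n",
    "app/util.py": b"def helper():\n    return 42\n",
    "README.md": b"# demo app\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_build(tree: dict, build_time: int, builder_uid: int) -> bytes:
    """Packs the tree the way an ad-hoc release script tends to: entries in
    whatever order the dict gives them, mtimes set to the moment the build
    ran, the builder's uid/gid baked in, and the gzip header stamped with the
    current wall-clock time. Two runs on different machines or at different
    times produce different bytes even though the source is identical."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:  # gzip mtime = now
        for name, data in tree.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = build_time
            info.uid = info.gid = builder_uid
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_build(tree: dict, source_date_epoch: int = 0) -> bytes:
    """Same packaging, but every field that could vary between builders is
    pinned: sorted entry order, a fixed timestamp (the SOURCE_DATE_EPOCH
    convention), zeroed ownership and empty user/group names, and an
    explicit gzip header mtime. Output depends only on the tree contents."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=source_date_epoch) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in sorted(tree):
                data = tree[name]
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = source_date_epoch
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_against_published(published_artifact: bytes, tree: dict) -> bool:
    """Independent verification: rebuild from the published source and compare
    digests. True only if the rebuild is reproducible AND the artifact was
    built from exactly this source; a mismatch cannot tell the two apart."""
    return sha256(reproducible_build(tree)) == sha256(published_artifact)


if __name__ == "__main__":
    now = int(time.time())
    a = naive_build(SOURCE_TREE, now, builder_uid=1000)
    b = naive_build(SOURCE_TREE, now + 60, builder_uid=1001)
    print("naive builds of identical source agree:", sha256(a) == sha256(b))

    r1 = reproducible_build(SOURCE_TREE)
    r2 = reproducible_build(SOURCE_TREE)
    print("reproducible builds agree:", sha256(r1) == sha256(r2))

    # A publisher shipping something built from different source than they
    # published: the rebuild exposes it.
    tampered = dict(SOURCE_TREE)
    tampered["app/util.py"] = b"def helper():\n    return 43\n"
    print("artifact from other source verifies:",
          verify_against_published(reproducible_build(tampered), SOURCE_TREE))
    print("honest reproducible artifact verifies:",
          verify_against_published(r1, SOURCE_TREE))
```

Note that `verify_against_published(naive_build(...), SOURCE_TREE)` also returns False even though that artifact really was built from the published source, which is the thread's first point: without a reproducible build, "the checksum differs" carries no information about whether the source matches.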