They're saying that the developer could be publishing source code which has nothing to do with what they're bundling and distributing as a Flatpak here. Unless you or a trusted third party (e.g. your distro) compiles the Flatpak from the published source code, there is nothing that links the published source code and the contents of the Flatpak.
They're saying that the developer could be publishing source code which has nothing to do with what they're bundling and distributing as a Flatpak here. Unless you or a trusted third party (e.g. your distro) compiles the Flatpak from the published source code, there is nothing that links the published source code and the contents of the Flatpak.