From f613f47e98edacf7ec084b7e8738ff0bd969d6a1 Mon Sep 17 00:00:00 2001 From: Sebastian Palencsar Date: Wed, 24 Jun 2026 18:38:51 +0200 Subject: [PATCH] docs: add security warning regarding official vs unofficial distribution channels --- README.md | 8 ++++++++ SECURITY.md | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/README.md b/README.md index c4d726a..63ef8a2 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,14 @@ Screenshots: KDE Plasma on Linux. ## Quick Start +> [!CAUTION] +> ### Official Distribution & Security Notice +> We only guarantee the security and integrity of our official distribution channels: +> 1. **Our official Flatpak repository** (`https://flatpak.bearwave.app/`), which is GPG-signed by the author. +> 2. **Our official AUR package** (`bearwave-git`), where the source code is cloned directly from our official GitHub repository and built locally on your machine. +> +> We **do not verify, support, or guarantee** the security of any other third-party binary repositories (such as unofficial repositories on the openSUSE Build Service, private arch repositories, or other third-party package mirrors). Installing from unofficial sources carries security risks, as the binaries are not compiled or controlled by the original author. + Three sensible paths right now: ### Option A: Flatpak (Recommended) diff --git a/SECURITY.md b/SECURITY.md index d06d4e1..6e08a81 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,6 +2,14 @@ BearWave is currently in a public beta phase. Security reports are very welcome and should be handled carefully, especially since BearWave processes external internet radio streams and metadata. +## Official Distribution & Security Notice + +We only guarantee the security and integrity of our official distribution channels: +1. **Our official Flatpak repository** (`https://flatpak.bearwave.app/`), which is GPG-signed by the author. +2. **Our official AUR package** (`bearwave-git`), where the source code is cloned directly from our official GitHub repository and built locally on your machine. + +We **do not verify, support, or guarantee** the security of any other third-party binary repositories (such as unofficial repositories on the openSUSE Build Service, private arch repositories, or other third-party package mirrors). Installing from unofficial sources carries security risks, as the binaries are not compiled or controlled by the original author. + ## Supported Versions During the beta phase, security fixes target the latest code on `main` and the most recent published release when practical.