This simply tells you that the Railway app is open source, i.e. not proprietary. And you can easily build it yourself if you want to, just fetch the manifest and feed it to flatpak-builder.
The circled item says the code is auditable. This makes the package somewhat more trustworthy, even if the end user never looks at the code themselves.
What part of it says that you build a Flatpak?
They’re saying that the developer could be publishing source code which has nothing to do with what they’re bundling and distributing as a Flatpak here. Unless you or a trusted third party (e.g. your distro) compiles the Flatpak from the published source code, there is nothing that links the published source code and the contents of the Flatpak.
trusted third party (e.g. your distro) compiles the Flatpak from the published source code
flatpak bundles in flathub repository are built by flathub build bot.
Hmm, interesting. But can’t you also upload proprietary programs onto Flathub?
Admittedly, I’ve never researched much about Flatpak specifically…
Yes but then the bot won’t say that the code is open source.
The list above is information about the specific package. E.g. if it did require hardware access, it would say so instead of saying it doesn’t.
you can. in that case compilation step is replaced with downloading a binary.
compare steam and workbench manifests. in the first case manifest instructs to download a binary and copy stuff into the right place, in second one - to use meson buildsystem, it does everything for you. pretty much the same as, for example, rpm
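The distinction drawn in the comment above can be checked mechanically. The following is an added example, not part of the thread and not Flathub's own tooling: a heuristic that reads a JSON Flatpak manifest and reports, per module, whether it is compiled from source or repackages a prebuilt binary. The two manifests, the `org.example.*` names and the suffix list are constructed for illustration.

```python
import json

BINARY_SUFFIXES = (".deb", ".rpm", ".AppImage", ".run", ".bin")  # assumed heuristic list

def classify_module(module):
    """Return 'prebuilt', 'compiled' or 'unclear' for one manifest module."""
    if isinstance(module, str):
        return "unclear"  # reference to a separate module file, not inspected here
    for src in module.get("sources", []):
        if not isinstance(src, dict):
            continue  # sources may also be given as a path to another file
        # "extra-data" is downloaded on the user's machine at install time
        if src.get("type") == "extra-data" or src.get("url", "").endswith(BINARY_SUFFIXES):
            return "prebuilt"
    # flatpak-builder assumes autotools when no buildsystem is given
    if module.get("buildsystem", "autotools") != "simple":
        return "compiled"
    return "unclear"  # "simple" runs arbitrary build-commands; read them by hand

def classify_manifest(text):
    """Map each module name (nested ones included) to its classification."""
    result = {}
    def walk(modules):
        for m in modules:
            name = m if isinstance(m, str) else m.get("name", "?")
            result[name] = classify_module(m)
            if isinstance(m, dict):
                walk(m.get("modules", []))
    walk(json.loads(text).get("modules", []))
    return result

# Constructed manifests (not the real Steam or Workbench ones).
FROM_SOURCE = """{"app-id": "org.example.Built", "modules": [
  {"name": "built", "buildsystem": "meson",
   "sources": [{"type": "git", "url": "https://example.org/built.git", "tag": "v1.0"}]}]}"""
REPACKAGED = """{"app-id": "org.example.Repack", "modules": [
  {"name": "repack", "buildsystem": "simple",
   "build-commands": ["install -Dm755 apply_extra /app/bin/apply_extra"],
   "sources": [{"type": "script", "dest-filename": "apply_extra", "commands": ["tar xf data.tar.xz"]},
               {"type": "extra-data", "filename": "vendor.deb", "url": "https://example.org/vendor.deb",
                "sha256": "<placeholder>", "size": 0}]}]}"""

if __name__ == "__main__":
    print(classify_manifest(FROM_SOURCE))
    print(classify_manifest(REPACKAGED))
```

A "compiled" result only says the manifest asks for a build from the listed sources; whether the distributed binary matches that source is the separate question the thread goes on to discuss.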
Never mind that you can compile them from source, and presumably verify the checksum of the developer-provided Flatpak if you do it just so. Am I missing something about Flatpaks, or even snaps, or is OP?
I think OP is being obtuse and pedantic by claiming that it’s not truly open-source unless the program is shipped as source code that you build locally.
Oh is Gentoo making a comeback?
Verifying the checksum like that requires Reproducible Builds, which you don’t get for free. The compiler output has to be bit-for-bit precisely the same, no matter where you run the build, which is rarely the case by default.