• Skull giver@popplesburger.hilciferous.nl
      link
      fedilink
      arrow-up
      49
      arrow-down
      3
      ·
      1 year ago

      Those are some very strange objections to F-Droid. The outdated signing software on the backend doesn’t really affect the end user, for a start. The signing key problem is also present in Google Play, the only other app store people actually use, and it’s intentional.

      F-Droid builds the sources developers make available, it doesn’t accept a developers 's build with the pinky promise that no malware was added when they compiled there code.

      The loose requirements are a feature, not a bug; things like a low API target level are why Termux still works on F-Droid but not on GPlay. This does pose some privacy risks because of API compatibility stuff, but because of the requirements for an app to be even listed on there, the impact is minimal.

      Should F-Droid improve their technical debt? Definitely. Does any of this pose an actual risk to users? Definitely not.

    • Possibly linux@lemmy.zipOP
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      1 year ago

      I actually would go for the main repo as all the software in the main repo is reviewed by the main Dev team

        • Possibly linux@lemmy.zipOP
          link
          fedilink
          English
          arrow-up
          20
          arrow-down
          1
          ·
          1 year ago

          The author of this article completely misses the point of F-droid. They clearly are used to a world of proprietary software that takes “security” over freedom

          So yes I did read the article and no it doesn’t change anything. If your going to make an argument you shouldn’t just link to someone else’s work. Part of the problem with the internet is no one thinks for tuemselves

          • c0mmando@links.hackliberty.org
            link
            fedilink
            arrow-up
            5
            arrow-down
            11
            ·
            edit-2
            1 year ago

            Sure, I’ll spell it out for you since apparently the point went right over your head. Fdroid devs are a single point of failure by signing every application themselves. This introduces a potential for supply chain attack, not to mention Fdroid running on EOL servers.

            When you use an individual dev repo, you can avoid any trojanized apps from Fdroid because the developers maintain their own infrastructure and sign their own apks.

            That’s called… D I S T R I B U T E D T R U S T

            • Captain Beyond@linkage.ds8.zone
              link
              fedilink
              arrow-up
              22
              ·
              edit-2
              1 year ago

              The reason F-Droid builds from source is to ensure that they can enforce their inclusion criteria. If you go outside F-Droid you lose that guarantee. For example, self-published apks in github or google play may contain anti-features or proprietary code that are forbidden by the F-Droid standards.

              From another point of view, what you call a single point of failure is a third party that represents the interests of the user community, independent from individual developers. This is the same model used in GNU/Linux distributions, and Drew DeVault explains here the role that software distributions play in the free software community.

              Of course, this represents a trade-off, in that you are placing trust in the software distribution instead of or in addition to the upstream developer. The question is, how can you solve the problem without foregoing F-Droid’s inclusion standards? The answer is reproducible builds, where F-Droid builds from source and compares to the developer’s apk, and publishes the developer’s apk with their signature if the build reproduces successfully.

              Until Reproducible builds are the norm in the Android free software world, I accept the trade-off because I value having software freedom in my computing, and I know I can’t trust upstream developers to care about that as much as F-Droid or I do.

              • c0mmando@links.hackliberty.org
                link
                fedilink
                arrow-up
                2
                arrow-down
                4
                ·
                1 year ago

                Sure, atleast you admit there’s a trade off (security) for (FOSS) and maybe some additional privacy.

                People should be made aware of the risks and choose according to their threat models, which is why I’ve highlighted some of these issues to begin with.

            • Possibly linux@lemmy.zipOP
              link
              fedilink
              English
              arrow-up
              4
              ·
              1 year ago

              Everything the F-droid team does is out in the open. Your welcome to audit it once in a while and suggest changes to make it better. I’m sure they wouldn’t mind the help.

              F-droid is the best tool we got. Its not a silver bullet but it is better than anything else I’ve seen