The importance of F-Droid, an Android app store

74 points, posted 7 hours ago
by tslocum

34 Comments

infotainment

5 hours ago

I was really looking forward to something like F-Droid on iOS after the DSA came into force, but unfortunately Apple’s absurdly bad compliance has rendered such a thing all but impossible.

NotPractical

5 hours ago

Me too! I would've legitimately given iPhone a spin had Apple actually complied with the spirit of the law and not just the fine print.

sandreas

6 hours ago

While F-Droid may be important, I personally tend to prefer Aurora Store and even more Obtainium[1]. Although you have to be even more careful what you install, Obtainium is extremely good at keeping apps up to date.

Some projects don't even provide an F-Droid release, so just adding the github repository to Obtainium is much easier than having to deal with apk stuff.

1: https://github.com/ImranR98/Obtainium

onli

6 hours ago

The Aurora Store app is just a frontend for the play store. It's a useful tool, but gives none of the benefits the existence of F-Droid provides to the world. Obtainium just fetches an .apk from a site, also useful, but provides none of the security aspects of F-Droid or the Play Store.

There is no good alternative to F-Droid. Thankfully that's just because it is such a great concept.

metalman

6 hours ago

Hey HEY! F-Droid all the way! I do the website sign-in every time! Java, cookies, DOM get switched on selectively; de-Google till it breaks, then factory reset and try again. Linux laptop and adb keep my pics and files; I move them to a thumb drive once in a while. I almost never see any ads and can do all the "things" just fine, but like the article says, you gotta be brave.

dlahoda

5 hours ago

less coffee more nix

metalman

5 hours ago

perceptive looking into nix

jerojero

4 hours ago

I use android and my first place to look for apps is fdroid. It doesn't have the best search and it doesn't have many apps. But I have hit the jackpot on a few apps and that's more than enough to justify its existence for me.

It's particularly good for very niche use cases, like, you might need an app that simulates dice rolls, then fdroid might be the best place for that as you'll find an app that does just that and nothing else. No ads, no bullshit.

If fdroid doesn't work for me then I will give in and search for "commercial" (ads or paid) solutions.

ranger_danger

6 hours ago

In some security circles, use of F-Droid is discouraged:

https://privsec.dev/posts/android/f-droid-security-issues/

https://www.privacyguides.org/en/android/obtaining-apps/#f-d...

My understanding is that this largely stems from the fact that F-Droid compiles and signs all the apps on behalf of the application developers, so there is a loss of control there. Some will say that this is what redistributable builds are for, but in my experience they are not actively/widely verified even if they do support it, especially publicly.

noirscape

6 hours ago

Privacyguides isn't very good in my experience. It's got a real "blind leading the blind" thing going on, where a bunch of half-truths are repeated ad nauseam because at some point someone told them that thing X is bad for your privacy. It's probably best exemplified in how they can't seem to stop recommending Brave, even though you're probably better off just loading up literally any other browser that isn't Google Chrome with privacy extensions instead.

Practically speaking, you should just assess the following threat model; which is going to be a greater threat to you:

* An application developer who can be bought out and have their tools replaced with adware. (Ref. https://news.ycombinator.com/item?id=38505229 )

* The F-Droid servers, where the most realistic threat is a rogue actor obtaining the keys.

That second one is also mitigated by the fact that F-Droid generally prefers to practice "reproducible signing"; basically they'll distribute the developer's apk, not the one from F-Droid's build server, if the F-Droid release matches the GitHub release (minus the signature, obviously), making the signature problem mostly a non-issue.

For most people, I'd argue the former (a "surprise update" to insert anti-features[0]) is a greater risk than the latter, so F-Droid's model fits them better. The sole exception would be extremely privacy-sensitive apps where trusting the developer is more paramount than having the second man-in-the-middle that F-Droid's maintainers are. (A basic example of that would probably be Signal.)

[0]: As defined here, although not all are relevant for users: https://f-droid.org/docs/Anti-Features/ , although I'd just add de facto adding pointless microtransactions and subscriptions to this list. They're just not included since F-Droid wouldn't ship them.

davexunit

5 hours ago

This is part of the longstanding devs vs. distros tug of war. There is a loss of control for the devs, but it's better for the user to have distros like F-Droid. The alleged security benefits feel paternalistic, like the dev knows best so only they should be able to sign binaries. Why someone would get into FOSS development and then get upset when someone exercises their rights to build from source and distribute binaries is baffling to me.

majorchord

3 hours ago

> Why someone would get into FOSS development and then get upset when someone exercises their rights to build from source and distribute binaries is baffling to me.

This happens at an alarming rate within the video game emulation community. Many projects (including MAME) have openly expressed deep disdain for any forks existing at all. It's like they think any difference a fork has is a negative thing and then aggressively attack that... as if there is only one way to write software. Some projects have even stopped upstream development entirely, or closed the source or changed their license... just over forks. License violations (including GPL as well as non-commercial ones) are also rampant there.

altfredd

6 hours ago

> F-Droid compiles and signs all the apps on behalf of the application developers

At least they are open and honest about it. As opposed to Google, who promised to let developers do the signing, but soon (after gaining worldwide popularity) took over with an extremely shoddy justification.

aniviacat

6 hours ago

Isn't this the same situation as with linux software repos?

majorchord

6 hours ago

Yes and it is often a source of contention as well, not only for those same reasons but also others. For example, package maintainers often configure the programs differently (see: keepassxc drama) and often the users expect support from the upstream for problems they have no control over, sometimes even causing the upstream to stop development entirely due to the entitlement and abuse of downstream users.

jlkuester7

5 hours ago

Do these same concerns still pertain to dev-hosted F-Droid repos? (E.g. I am thinking of how I install Bitwarden from their own repo: https://mobileapp.bitwarden.com/fdroid/)

IMHO, one of the best parts about the F-Droid ecosystem is its openness. Security models are not a one-size-fits-all and it is important to me to have access to software from multiple sources.

g-b-r

4 hours ago

Dev-hosted repos are the same as downloading from the developer's site, they offer none of F-Droid's guarantees

NotPractical

6 hours ago

The first source you linked is run by GrapheneOS community members so it's slightly biased: https://privsec.dev/about/

aniviacat

2 hours ago

Why would GrapheneOS be biased against F-Droid? It's not like they have their own app store. (They have "Apps" but that's not any competition.)

g-b-r

3 hours ago

I'd bet good money that Madaidan was Daniel Micay

lupusreal

6 hours ago

Packager middlemen give me a layer of protection against application developers selling out to malware companies.

majorchord

6 hours ago

I say that possibility is canceled out because those layers of protection also provide avenues for additional bad actors and even more possibility of places to inject malware/compromises.

g-b-r

3 hours ago

They might provide additional avenues, but they remove others, so it's hard to assess what's safer (I'd lean towards F-Droid-like solutions).

The best of both worlds is where both the developer and a third party certify the builds, as happens with F-Droid's reproducible builds.

On Android you're still left deciding whose signature to put on the binary, however (I'd prefer one from the third party, differently from what happens with F-Droid reproducible builds).
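The check that noirscape's comment above describes (F-Droid ships the developer's signed apk only if its own rebuild matches it "minus the signature") and the "both parties certify the build" arrangement g-b-r describes here are the same mechanism: compare the decompressed content of every zip entry in the two APKs, ignoring only the entries JAR (v1) signing adds under META-INF/. The block below is an added illustration, not F-Droid's own verifier, and the two "APKs" it compares are constructed in-memory zips with fake signature files. A real verification would first run `apksigner verify` on the developer's apk so the signature being adopted is actually valid; that step is assumed here, not shown.

```python
import hashlib
import io
import zipfile

# Entries produced by JAR (v1) signing. APK Signature Scheme v2/v3 lives in
# the APK Signing Block, which is not a zip entry, so it is excluded for free.
SIGNATURE_ENTRIES = ("META-INF/MANIFEST.MF",)
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    """True for entries that a signer writes and a rebuild is expected not to contain."""
    if name in SIGNATURE_ENTRIES:
        return True
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry to the SHA-256 of its *decompressed* content.

    Comparing decompressed bytes means differing compression levels, entry
    order or zip timestamps between the two builds do not cause false alarms.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(dev_apk: bytes, rebuilt_apk: bytes) -> dict:
    """Report whether the developer's signed apk and an independent unsigned
    rebuild have identical content apart from signature entries."""
    a = content_digests(dev_apk)
    b = content_digests(rebuilt_apk)
    only_in_dev = sorted(set(a) - set(b))
    only_in_rebuild = sorted(set(b) - set(a))
    differ = sorted(n for n in set(a) & set(b) if a[n] != b[n])
    return {
        "match": not (only_in_dev or only_in_rebuild or differ),
        "only_in_dev": only_in_dev,
        "only_in_rebuild": only_in_rebuild,
        "differ": differ,
    }


def make_apk(entries: dict, signed: bool) -> bytes:
    """Constructed stand-in for an APK: a zip with the given entries and,
    if signed=True, fake v1 signature files of the kind a signer would add."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82fake-pkcs7-blob")
    return buf.getvalue()


# Constructed sample content standing in for a real build's payload.
BASE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='org.example.dice'/>",
    "classes.dex": b"dex\n035\x00sample-bytecode",
    "res/layout/main.xml": b"<LinearLayout/>",
}

if __name__ == "__main__":
    dev = make_apk(BASE_ENTRIES, signed=True)
    print(compare_apks(dev, make_apk(BASE_ENTRIES, signed=False)))
    tampered = dict(BASE_ENTRIES, **{"classes.dex": b"dex\n035\x00sample-bytecode+adware"})
    print(compare_apks(dev, make_apk(tampered, signed=False)))
```

When the report says `match`, the rebuild proves the developer's apk was built from the published source, and the developer's signature can be adopted without the store ever holding a signing key for that app; a `differ` list pointing at `classes.dex` is exactly the "surprise update" case the thread worries about, since the shipped code no longer corresponds to the source.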

majorchord

3 hours ago

It would be nice if both parties could sign the binary. My biggest issue with reproducible builds is that not every project supports it, and many that do aren't being verified (like Signal).

lupusreal

6 hours ago

Examples of that? Debian has about three decades of history, have any of their packagers ever sold out?

majorchord

5 hours ago

I was more referring to supply chain attacks and intentional backdoors, which have happened multiple times in the past. Debian servers have also been hacked before.

cynicalsecurity

6 hours ago

Security is a whole different topic. The article is about the positive aspects of demonopolisation, freedom and competition.

lupusreal

6 hours ago

Except for some apps for financial institutions, all my apps come from F-Droid. I feel like I can trust their vetting but absolutely cannot trust random apps from Google's store. Why is it that unpaid volunteers can do better than one of the largest tech corps on the planet? Google is pathetic.

0x_rs

6 hours ago

There's no overwhelming financial incentive in open-source applications, while both mobile stores are a constant arms race in monetization, advertisement and shady practices, where legitimate and privacy respecting alternatives are relegated to obscurity and difficult to find even if you're specifically looking for them by name. In some ways FOSS software is even discouraged from being published due to some rules (see for example donation links being strictly forbidden) and the probability of fake malicious apps, like NewPipe or SimpleMobileTools clones.

coffeeaddict1

6 hours ago

Because F-Droid contains a minuscule fraction of the apps on the Google Play store, and because F-Droid only allows open source applications, it's much easier for them to determine shady behaviour (Google can't simply mandate that all apps on their store be open source).

lupusreal

5 hours ago

Google could do that!

coffeeaddict1

2 hours ago

Of course they cannot. Literally, the Play Store itself and countless other Google apps are not open source. Google doesn't operate on a FOSS model (to the point that AGPL is banned in their company).
