Well deserved. Though, I have problems in "discovering" apps for a particular purpose. It would have helped if there was a vote-based curated app categories section.
My current strategy is googling for "[category (e.g. 2FA or note-taking)] + reddit + open-source", then opening up each suggestion's git source and manually looking for things like tech stack or project stars or number of contributors.
This is fantastic news. It's possible to take an Android out of the box, install F-Droid and have a reasonably useful phone without even logging into the Play Store.
Glad to see them getting some credit for the hard work!
For me Apt means that every time I install something, I have to be ready to give up my system because of resulting internal inconsistencies and because there is no rollback.
From what I remember, Droidif-y is a fork of Foxy Droid and Neo Chat was a fork of Droidif-y or vice versa. Either way, I used to use Foxy Droid but Droidif-y has been the modern update it needed.
I've got about 80% of my apps that would normally be on F-Droid installed through Obtainium (https://github.com/ImranR98/Obtainium), which handles Git releases (among other sources). The F-Droid client feels clunky and in the past I had some update errors that were annoying. With some improvements it should return to being a good discovery tool and app manager, so this is good news.
I was not aware of an Obtainium catalog like that. That's a nice feature that I see hidden at the bottom of the Add App screen. You can also use Obtainium to install from F-Droid sources and really just any apk, so it's superior in many ways, except in 1) discovery (which that catalog helps) 2) as devs aren't curating F-Droid releases with care, sometimes it's a pain to set up, especially when a package is always `apk-latest` or something.
I use F-Droid and the Aurora Store. The Play Store was disabled the day I got the phone. There have been a few issues but I stuck with F-Droid for many years. Good for them.
You make a great point! Discoverability is definitely a challenge when looking for open-source apps. A vote-based curated app categories section would be a fantastic addition to help surface the best options. In the meantime, your approach of using Reddit and GitHub metrics like stars and contributors is a smart way to gauge project quality and activity. Hopefully, we’ll see better solutions emerge for open-source app discovery in the future!
OTF's money comes from US Congress. They also donated 50M to Signal.
I might just have my tinfoil hat on too tight, but this doesn't make me feel warm and fuzzy inside.
F-Droid also builds AND signs packages themselves on behalf of developers, and even though reproducible builds are a thing, they are not widely used properly or publicly verified often enough for my comfort.
Note that most of that page is a matter of the authors having a completely different security model than F-Droid rather than what I would consider to be true defects.
Let's say I'm doing all of those things, and am prepared to atone for my sins.
And I just want to know what you found echo chamberry about the other comment. Can you enlighten me? Maybe that way I can avoid all of the mistakes that I'm making.
It is; the authors appear to be operating in a model where they completely trust app authors and nobody else, though they never actually spell out the threat model (which really should make us view their assessment skeptically anyways), where F-Droid specifically avoids trusting app authors. Nearly all of their objections come down to this single difference.
What echo chamber? I'm not aware of anyone else arguing this position.
That post contains 3 items: One fixed audit finding that only affects initial install of an app, one claim of problems that are unspecified and therefore impossible to assess, and one allegation of poor behavior (which is worth noting but not a security concern).
To add insult to injury, they claim that most people should stick to the Play Store - a malware repository controlled by an ad distribution company - for better privacy. We're supposed to take this seriously.
They had a much more convincing argument before the Play Store started forcing the same exact thing that they said was one of the main problems with F-Droid, and F-Droid started providing reproducible builds.
This reads really weirdly and seems to downplay concrete threats/malicious activity in the play store and emphasise best practice/security model violations on F-Droid.
I get F-Droid is the subject, and it's reasonable to make space to highlight issues with it here but it doesn't seem reasonable to conclude your security posture is better if you go with the play store.
I agree that the article is very bizarre and seemingly written by a non-expert.
The criticism of the inclusion policy sticks out like a sore thumb for strangeness. They criticize F-Droid for requiring hosted apps that don't include proprietary software or ads, which, of all the things you could criticize F-Droid for, is very strange.
And instead of making like a systematic point about process or about best practices or standards, it meanders into an anecdote about one instance of an app where the developer packaged an outdated version of WebRTC to comply, and then blames F-Droid for the way that the developer packaged the app. And then bizarrely refers to this as a "case study". There's an informal sense in which you can say case study, which I guess is fair enough, but when speaking a bit more formally case studies are real research projects, not just one-off anecdotes loosely summarized in a paragraph.
A lot of the language here is used in this gray area of formal and informal, seemingly characteristic of a high school essay.
Assuming one did have reproducible builds, would you even need signing keys anymore? All you would need is to build the app yourself or have some trusted third party build it and verify that both outputs are the same. You could also use md5s published by the developer and check that against the F-Droid build. It seems like the advantage of signing is pretty small at that point. At least in the case I am thinking of, where the developer is using GitHub, it seems unlikely that a malicious actor would be able to add malicious code to the repo and create a new release but somehow be blocked by the signing keys. In that case, I think it would be better to just use "00000000" as the signing key for all apps (8 character minimum jks length) to make build scripts more reproducible, i.e. the signing is part of the build script, which also makes apk md5 comparisons easier. Am I missing something?
The benefit of having a signature over a simple hash is that even if the code was tampered with, you would know it is not the same as what the author used. On the other hand, if it was a reproducible build, it could have still been tampered with somewhere and only the original developer could verify that you got the right code to start with.
Also, not everyone is equipped to build software. Signatures enable you to easily know that there was no MITM tampering (or at least, to assume much lower chances of it), with less overall trust required.
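The two replies above make one concrete claim: a hash published next to the artifact only tells you the file was copied faithfully, while a signature under a key you already hold tells you the author produced this exact file, and it does so without you having to rebuild anything. The example below is added here to illustrate that difference and is not code from the thread or from F-Droid. It uses a Lamport one-time signature built from SHA-256 (standard library only) as a stand-in for an APK signing key, and the "builds" are constructed byte strings; the helper names (`reproducible_match`, `hash_only_check`, `signed_check`, `scenario`) are hypothetical.

```python
"""Reproducibility check vs. hash-only check vs. signature check.

Added example, not from the thread. A Lamport one-time signature over
SHA-256 stands in for a real APK signing key (assumption); the build
artifacts below are constructed byte strings, not real APKs.
"""
import hashlib
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    # Private key: 256 pairs of random 32-byte secrets, one pair per digest bit.
    # Public key: the SHA-256 of each secret. (One-time: never sign twice.)
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, artifact: bytes):
    # Reveal, for each bit of SHA-256(artifact), the secret matching that bit.
    bits = int.from_bytes(sha256(artifact), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, artifact: bytes, sig) -> bool:
    # Hash each revealed secret and compare with the pinned public key entry.
    if len(sig) != 256:
        return False
    bits = int.from_bytes(sha256(artifact), "big")
    return all(sha256(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))


def reproducible_match(build_a: bytes, build_b: bytes) -> bool:
    # Two independent builds of the same source must be byte-identical.
    return sha256(build_a) == sha256(build_b)


def hash_only_check(artifact: bytes, published_hash: bytes) -> bool:
    # Integrity only: proves the bytes match whatever hash came with them.
    return sha256(artifact) == published_hash


def signed_check(artifact: bytes, sig, pinned_pk) -> bool:
    # Authenticity: proves the holder of the pinned key signed these bytes.
    return lamport_verify(pinned_pk, artifact, sig)


def scenario() -> dict:
    # Constructed artifacts: the developer's build and a repository rebuild.
    dev_build = b"apk-bytes-v1.2.3"
    repo_build = b"apk-bytes-v1.2.3"  # reproduces the developer build exactly

    sk, pinned_pk = lamport_keygen()  # user pinned pinned_pk at first install
    sig = lamport_sign(sk, dev_build)  # developer signs their own build
    published_hash = sha256(dev_build)

    # Honest distribution: every check passes.
    honest = {
        "reproducible": reproducible_match(dev_build, repo_build),
        "hash": hash_only_check(repo_build, published_hash),
        "sig": signed_check(repo_build, sig, pinned_pk),
    }

    # Distribution channel swapped: the artifact and the hash that sits
    # beside it are both replaced, so the hash-only check still "passes".
    swapped = b"apk-bytes-v1.2.3-with-extra-payload"
    swapped_hash = sha256(swapped)
    tampered = {
        "hash": hash_only_check(swapped, swapped_hash),
        # The pinned key was never used on these bytes: verification fails
        # with no rebuild and no trust in the channel required.
        "sig": signed_check(swapped, sig, pinned_pk),
    }
    return {"honest": honest, "tampered": tampered}


if __name__ == "__main__":
    print(scenario())
```

The Lamport scheme is only there to keep the example dependency-free; a real APK uses the v2/v3 signing schemes and `apksigner verify`, but the trust argument is the same: a hash that travels with the file proves nothing about who produced it, whereas a signature checked against a key pinned at first install does, and that is the property a user who is not equipped to build the app themselves gets from it.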
I hope they use the money to improve all the issues people have raised over the years. It can be a really good platform, if they're open to change. Otherwise, it might be dead in the future.
I like it, gives you the option for older versions as well. When I updated my old browser and the look and feel completely changed, I had to go back years but I eventually found what I liked.
Couldn't deserve it more. Makes it easy to install FOSS alternative apps to what you find in the play store which aren't infested with dark patterns and adware.
This is like complaining about an agriculturist being awarded money for a novel agricultural technique they developed, but they aren't saving the penguins in the Antarctic...
As a queer person I don't even know what I'd want from a CoC like that. It feels like I'd be giving up the freedom I love from F-Droid so I could better police other apps (which is something I don't want or need).
Considering how absolutely useless CoCs are in other software I use, I'm pretty happy with where F-Droid is today.
I'm not convinced they ever really had the effect people hoped. More often instead I see it used not as a way to show that people are welcome, but as a false flag used to justify arbitrary enforcement of subjective terminology... which they already had the power to do anyways.
I was having major issues each time F-Droid decided to update itself and then the only app I cared about on it implemented self-updating so I let it go. Has major GIMP vibes IMO.
However, its usage does not seem to be widespread.
- Terrible search ergonomics
It checks all the boxes.
The client is better IMHO.
https://apps.obtainium.imranr.dev/
I also believe the client doesn't limit itself to FOSS.
https://news.ycombinator.com/item?id=42653176
https://www.privacyguides.org/en/android/#f-droid
https://privsec.dev/posts/android/f-droid-security-issues/
https://github.com/NeoApplications/Neo-Store
https://github.com/Droid-ify/client
F-Droid does not exist in a vacuum, their actions send a message!