ducktective 5 months ago

Well deserved. Though, I have problems in "discovering" apps for a particular purpose. It would have helped if there was a vote-based curated app categories section.

My current strategy is googling for "[category (e.g. 2FA or note-taking)] + reddit + open-source" then opening up each suggestion's git source and manually looking for things like tech stack or project stars or number of contributors.

  • burrish 5 months ago

    Yeah exactly that's my issue #1 with Fdroid

focusedone 5 months ago

This is fantastic news. It's possible to take an Android out of the box, install F-Droid and have a reasonably useful phone without even logging into the Play Store.

Glad to see them getting some credit for the hard work!

simonmales 5 months ago

For me, F-Droid is the apt of Android.

  • tengbretson 5 months ago

    - Installs software adequately

    - Terrible search ergonomics

    It checks all the boxes.

  • johnisgood 5 months ago

    I use "Droid-ify".

    • buyucu 5 months ago

      It also connects to FDroid.

  • ZYbCRq22HbJ2y7 5 months ago

    What does that mean? It's a package manager? Or something deeper?

  • amelius 5 months ago

    Is that good or bad?

    • bityard 5 months ago

      For me, it's good. Apt is famous for installing the software you want quickly, easily, and with no fuss.

      • amelius 5 months ago

        For me Apt means that every time I install something, I have to be ready to give up my system because of resulting internal inconsistencies and because there is no rollback.

      • fsflover 5 months ago

        And with no malware whatsoever.

drewbitt 5 months ago

I've got about 80% of my apps that would normally be on F-Droid installed through Obtainium (https://github.com/ImranR98/Obtainium), which handles Git releases (among other sources). The F-Droid client feels clunky and in the past I had some update errors that were annoying. With some improvements it should return to being a good discovery tool and app manager, so this is good news.

  • einpoklum 5 months ago

    It seems that the way Obtainium "curates" apps, i.e. derives lists of downloadable apps, is by crowd-sourcing this task. See:

    https://apps.obtainium.imranr.dev/

    I also believe the client doesn't limit itself to FOSS.

    • drewbitt 5 months ago

      I was not aware of an Obtainium catalog like that. That's a nice feature that I see hidden at the bottom of the Add App screen. You can also use Obtainium to install from F-Droid sources and really just any apk, so it's superior in many ways, except in 1) discovery (which that catalog helps) 2) as devs aren't curating F-Droid releases with care, sometimes it's a pain to set up, especially when a package is always `apk-latest` or something.

  • raaron773 5 months ago

    This is interesting! I like the curated apps idea because it means I can search for more apps compared to fdroid.

zcar 5 months ago

I use f-droid and the aurora store. The play store was disabled the day I got the phone. There have been a few issues but I stuck with f-droid for many years. Good for them.

shubhamkvpl 5 months ago

You make a great point! Discoverability is definitely a challenge when looking for open-source apps. A vote-based curated app categories section would be a fantastic addition to help surface the best options. In the meantime, your approach of using Reddit and GitHub metrics like stars and contributors is a smart way to gauge project quality and activity. Hopefully, we’ll see better solutions emerge for open-source app discovery in the future!

buyucu 5 months ago

F-Droid is really amazing. It makes you believe there is still good in the world.

_imnothere 5 months ago

F-Droid is indeed a nice alternative for Play Store, but still, it's not perfect.

https://privsec.dev/posts/android/f-droid-security-issues/

  • yjftsjthsd-h 5 months ago

    Note that most of that page is a matter of the authors having a completely different security model than F-Droid rather than what I would consider to be true defects.

    • udev4096 5 months ago

      It's not. Stop being in an echo chamber. Refer to this post for more valid criticism: https://news.ycombinator.com/item?id=42653176

      • glenstein 5 months ago

        Setting aside agreement or disagreement, what about that comment is striking you as symptomatic of coming from an echo chamber?

        • udev4096 5 months ago

          Oh please. It's a factual argument and you've contributed nothing to it apart from steering away from the goalpost

          • glenstein 5 months ago

            Let's say I'm doing all of those things, and am prepared to atone for my sins.

            And I just want to know what you found echo chamberry about the other comment. Can you enlighten me? Maybe that way I can avoid all of the mistakes that I'm making.

      • yjftsjthsd-h 5 months ago

        In order:

        It is; the authors appear to be operating in a model where they completely trust app authors and nobody else, though they never actually spell out the threat model (which really should make us view their assessment skeptically anyways), where F-Droid specifically avoids trusting app authors. Nearly all of their objections come down to this single difference.

        What echo chamber? I'm not aware of anyone else arguing this position.

        That post contains 3 items: One fixed audit finding that only affects initial install of an app, one claim of problems that are unspecified and therefore impossible to assess, and one allegation of poor behavior (which is worth noting but not a security concern).

        • awalGarg 5 months ago

          To add insult to the injury, they claim that most people should stick to Play Store - a malware repository controlled by an ad distribution company - for better privacy. We're supposed to take this seriously.

        • NotPractical 5 months ago

          They had a much more convincing argument before the Play Store started forcing the same exact thing that they said was one of the main problems with F-Droid, and F-Droid started providing reproducible builds.

  • captainbland 5 months ago

    This reads really weirdly and seems to downplay concrete threats/malicious activity in the play store and emphasise best practice/security model violations on F-Droid.

    I get F-Droid is the subject, and it's reasonable to make space to highlight issues with it here but it doesn't seem reasonable to conclude your security posture is better if you go with the play store.

    • glenstein 5 months ago

      I agree that the article is very bizarre and seemingly written by a non-expert.

      The criticism of the inclusion policy sticks out like a sore thumb for strangeness. They criticize F-Droid for requiring hosted apps that don't include proprietary software or ads, which of all the things you could criticize F-Droid for, is very strange.

      And instead of making like a systematic point about process or about best practices or standards, it meanders into an anecdote about one instance of an app where the developer packaged an outdated version of WebRTC to comply, and then blames F-Droid for the way that the developer packaged the app. And then bizarrely refers to this as a "case study". There's an informal sense in which you can say case study, which I guess is fair enough, but when speaking a bit more formally case studies are real research projects, not just one-off anecdotes loosely summarized in a paragraph.

      A lot of the language here is used in this gray area of formal and informal, seemingly characteristic of a high school essay.

  • fngjdflmdflg 5 months ago

    Assuming one did have reproducible builds, would you even need signing keys anymore? All you would need is to build the app yourself or have some trusted third party build it and verify that both outputs are the same. You could also use md5s published by the developer and check that against the f-droid build. It seems like the advantage of signing is pretty small at that point. At least in the case I am thinking of, where the developer is using GitHub, it seems unlikely that a malicious actor would be able to add malicious code to the repo and create a new release but somehow be blocked by the signing keys. In that case, I think it would be better to just use "00000000" as the signing key for all apps (8 character minimum jks length) to make build scripts more reproducible, i.e. the signing is part of the build script, which also makes apk md5 comparisons easier. Am I missing something?

    • wakawaka28 5 months ago

      The benefit of having a signature over a simple hash is that even if the code was tampered with, you would know it is not the same as what the author used. On the other hand, if it was a reproducible build, it could have still been tampered with somewhere and only the original developer could verify that you got the right code to start with.

      Also, not everyone is equipped to build software. Signatures enable you to easily know that there was no MITM tampering (or at least, to assume much lower chances of it), with less overall trust required.
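
As an added illustration of the build comparison discussed in the two comments above (not code from the thread or from F-Droid): a whole-file hash of two APKs differs as soon as the signers differ, so a reproducibility check has to compare the contents with the signature files set aside. This sketch assumes v1 (JAR) signatures under `META-INF/`, uses SHA-256, and runs on constructed sample APKs; the function names are hypothetical.

```python
import hashlib
import io
import re
import zipfile

# JAR (v1) signature files inside an APK. v2/v3 signatures live in the
# APK Signing Block outside the zip entries and are not handled here.
SIG_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def content_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {
            name: hashlib.sha256(apk.read(name)).hexdigest()
            for name in apk.namelist()
            if not SIG_ENTRY.match(name)
        }

def compare_builds(dev_apk, rebuilt_apk):
    """Return sorted entry names that are missing or differ between builds."""
    a, b = content_digests(dev_apk), content_digests(rebuilt_apk)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def make_apk(entries):
    """Build a constructed in-memory APK (zip) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: same payload, different signer material.
PAYLOAD = {"classes.dex": b"dex-bytes", "AndroidManifest.xml": b"<manifest/>"}
DEV_APK = make_apk({**PAYLOAD, "META-INF/CERT.RSA": b"developer-signature"})
REBUILD = make_apk({**PAYLOAD, "META-INF/CERT.RSA": b"repo-signature"})
TAMPERED = make_apk({**PAYLOAD, "classes.dex": b"dex-bytes+extra",
                     "META-INF/CERT.RSA": b"repo-signature"})

if __name__ == "__main__":
    print(DEV_APK == REBUILD)                 # False: signer bytes differ
    print(compare_builds(DEV_APK, REBUILD))   # []
    print(compare_builds(DEV_APK, TAMPERED))  # ['classes.dex']
```

A matching content comparison shows that the rebuilt APK carries the same payload as the developer's; it says nothing about who produced either file, which is the part a signature covers.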

  • captainepoch 5 months ago

    I hope they use the money to improve all the issues people have raised over the years. It can be a really good platform, if they're open to change. Otherwise, it might be dead in the future.

dtgm92 5 months ago

I like it, gives you the option for older versions as well. When I updated my old browser and the look and feel completely changed, I had to go back years but I eventually found what I liked.

captainbland 5 months ago

Couldn't deserve it more. Makes it easy to install FOSS alternative apps to what you find in the play store which aren't infested with dark patterns and adware.

imsurgio 5 months ago

Great news. First place I check for OSS android software. App needs a bit of work but there are open alternatives.

jfkrrorj 5 months ago

[flagged]

  • tomaytotomato 5 months ago

    I think this is an unfair comment.

    This is like complaining about an agriculturist being awarded money for a novel agricultural technique they developed, but they aren't saving the penguins in the Antarctic...

    • jfkrrorj 5 months ago

      It is absolutely fair! Farms have to cull cows, to reduce methane emissions, to save penguins!

      F-Droid does not exist in vacuum, their actions send message!

  • talldayo 5 months ago

    As a queer person I don't even know what I'd want from a CoC like that. It feels like I'd be giving up the freedom I love from F-Droid so I could better police other apps (which is something I don't want or need).

    Considering how absolutely useless CoCs are in other software I use, I'm pretty happy with where F-Droid is today.

    • ranger_danger 5 months ago

      I'm not convinced they ever really had the effect people hoped. More often instead I see it used not as a way to show that people are welcome, but as a false flag used to justify arbitrary enforcement of subjective terminology... which they already had the power to do anyways.

hoseja 5 months ago

I was having major issues each time F-Droid decided to update itself and then the only app I cared about on it implemented self-updating so I let it go. Has major GIMP vibes IMO.