F-Droid is really amazing. It makes you believe there is still good in the world.
Hopefully they will improve their ethics now. Their code of conduct does not even mention minorities, diversity, LGBTQF+, BLM and so on!
Well deserved. Though, I have problems in "discovering" apps for a particular purpose. It would have helped if there was a vote-based curated app categories section.
My current strategy is googling for "[category (e.g. 2FA or note-taking)] + reddit + open-source" then opening up each suggestion's git source and manually looking for things like tech stack or project stars or number of contributors.
Yeah, exactly, that's my issue #1 with F-Droid.
This is fantastic news. It's possible to take an Android out of the box, install F-Droid and have a reasonably useful phone without even logging into the play store.
Glad to see them getting some credit for the hard work!
I've got about 80% of my apps that would normally be on F-Droid installed through Obtainium (https://github.com/ImranR98/Obtainium), which handles Git releases (among other sources). The F-Droid client feels clunky and in the past I had some update errors that were annoying. With some improvements it should return to being a good discovery tool and app manager, so this is good news.
It seems that the way Obtainium "curates" apps, i.e. derives lists of downloadable apps, is by crowd-sourcing this task. See:
https://apps.obtainium.imranr.dev/
I also believe the client doesn't limit itself to FOSS.
I was not aware of an Obtainium catalog like that. That's a nice feature that I see hidden at the bottom of the Add App screen. You can also use Obtainium to install from F-Droid sources and really just any apk, so it's superior in many ways, except in 1) discovery (which that catalog helps) 2) as devs aren't curating F-Droid releases with care, sometimes it's a pain to set up, especially when a package is always `apk-latest` or something.
F-Droid is indeed a nice alternative for Play Store, but still, it's not perfect.
https://privsec.dev/posts/android/f-droid-security-issues/
This reads really weirdly and seems to downplay concrete threats/malicious activity in the play store and emphasise best practice/security model violations on F-Droid.
I get F-Droid is the subject, and it's reasonable to make space to highlight issues with it here but it doesn't seem reasonable to conclude your security posture is better if you go with the play store.
I agree that the article is very bizarre and seemingly written by a non-expert.
The criticism of the inclusion policy sticks out like a sore thumb for strangeness. They criticize F-Droid for requiring hosted apps that don't include proprietary software or ads, which, of all the things you could criticize F-Droid for, is very strange.
And instead of making like a systematic point about process or about best practices or standards, it meanders into an anecdote about one instance of an app where the developer packaged an outdated version of WebRTC to comply, and then blames F-Droid for the way that the developer packaged the app. And then bizarrely refers to this as a "case study". There's an informal sense in which you can say case study, which I guess is fair enough, but when speaking a bit more formally case studies are real research projects, not just one-off anecdotes loosely summarized in a paragraph.
A lot of the language here is used in this gray area of formal and informal, seemingly characteristic of a high school essay.
Note that most of that page is a matter of the authors having a completely different security model than F-Droid rather than what I would consider to be true defects.
It's not. Stop being in an echo chamber. Refer to this post for more valid criticism: https://news.ycombinator.com/item?id=42653176
Setting aside agreement or disagreement, what about that comment is striking you as symptomatic of coming from an echo chamber?
Oh please. It's a factual argument and you've contributed nothing to it apart from steering away from the goalpost
In order:
It is; the authors appear to be operating in a model where they completely trust app authors and nobody else, though they never actually spell out the threat model (which really should make us view their assessment skeptically anyways), where F-Droid specifically avoids trusting app authors. Nearly all of their objections come down to this single difference.
What echo chamber? I'm not aware of anyone else arguing this position.
That post contains 3 items: One fixed audit finding that only affects initial install of an app, one claim of problems that are unspecified and therefore impossible to assess, and one allegation of poor behavior (which is worth noting but not a security concern).
I hope they use the money to improve all the issues people have raised over the years. It can be a really good platform, if they're open to change. Otherwise, it might be dead in the future.
I use F-Droid and the Aurora Store. The play store was disabled the day I got the phone. There have been a few issues but I stuck with F-Droid for many years. Good for them.
For me, F-Droid is the apt of Android.
- Installs software adequately
- Terrible search ergonomics
It checks all the boxes.
What does that mean? It's a package manager? Or something deeper?
It is an F-Droid client.
Is that good or bad?
For me, it's good. Apt is famous for installing the software you want quickly, easily, and with no fuss.
For me Apt means that every time I install something, I have to be ready to give up my system because of resulting internal inconsistencies and because there is no rollback.
And with no malware whatsoever.
I use "Droid-ify".
It also connects to FDroid.
Also check out https://droidify.eu.org.
The client is better IMHO.
https://f-droid.org/en/packages/nya.kitsunyan.foxydroid/ is quite nice also
Oh yeah just made a comment about it, I prefer it over F-Droid, too.
Couldn't deserve it more. Makes it easy to install FOSS alternative apps to what you find in the play store which aren't infested with dark patterns and adware.
I like it, gives you the option for older versions as well. When I updated my old browser and the look and feel completely changed, I had to go back years but I eventually found what I liked.
Great news. First place I check for OSS android software. App needs a bit of work but there are open alternatives.
OTF's money comes from US Congress. They also donated 50M to Signal.
I might just have my tinfoil hat on too tight, but this doesn't make me feel warm and fuzzy inside.
F-Droid also builds AND signs packages themselves on behalf of developers, and even though reproducible builds are a thing, they are not widely used properly or publicly verified often enough for my comfort.
https://news.ycombinator.com/item?id=42653176
https://www.privacyguides.org/en/android/#f-droid
I was having major issues each time F-Droid decided to update itself and then the only app I cared about on it implemented self-updating so I let it go. Has major GIMP vibes IMO.