@jawsh @AudraTran F-Droid needs to be replaced because it has major security and trustworthiness issues. We don't consider it a safe way to obtain open source apps due to adding an untrustworthy middleman. We do plan on doing a lot about it but we have a lot of other things to build first.
Android apps are meant to have 1 repository per app because the way the app source system works is allowing the app as the source and marking apps as installed from that source. Multi-repo apps bypass this.
@jawsh @AudraTran The main F-Droid repository is the main issue with F-Droid. It's almost entirely third party builds of apps with F-Droid signing keys. The few which aren't can have huge delays for updates since any disagreement leads to indefinite delay, although that happens for apps they build too. F-Droid automatically fetches code and then builds it. They aren't actually reviewing the apps. Apps have repeatedly purposely violated their policies and gotten away with it for long periods.
@jawsh @AudraTran F-Droid's main repository wrongly reuses package names (application ids) for their own builds with their own signing keys. That's never meant to be done and results in major usability issues with profiles due to signing key pinning for package names being enforced across profiles.
They've repeatedly had issues with using a very outdated build environment and dependencies including downgrading dependencies for apps. This has introduced/reintroduced vulnerabilities into apps.
@jawsh @AudraTran There are major issues with the F-Droid app, repository system, main repository and the team behind it. Their team was involved in the 2018 takeover attempt on GrapheneOS and supported subsequent attacks on our project to this day including endless misinformation about GrapheneOS and fabrications about our team. We'll never consider them trustworthy and there must be a full replacement for every aspect of F-Droid in the future. We'll definitely fund or build that in the future.
@GrapheneOS I'm not disagreeing or defending any of F-Droid's issues. I'd love to see an official store replace it in GrapheneOS. Current options are lacking tho. Obtainium is a thing and can fetch updates from developers' repos but that could come with issues as well. @AudraTran
@jawsh @GrapheneOS @AudraTran we welcome reports on any issue in #FDroid, also from @GrapheneOS as we recently got. It is important to note when @GrapheneOS is posting about #FDroid, they have blocked most of our accounts, so we can even respond. So I'm responding to your response.
We are not alone as former supporters being the target of their ire:
https://www.youtube.com/watch?v=4To-F6W1NT0
@jawsh There are people working on GrapheneOS who clearly have deep technical knowledge about Android. I welcome more topical, constructive bug reports about #FDroid from the GrapheneOS community. I'm also a #Debian Developer, and I practice the Debian Social Contract on all projects I work on. For example "we will not hide problems" and "our priorities are our users and free software".