So the ad on this episode says: "Bitwarden doesn't track your data, only crash reporting, and even that is removed in the F-Droid installation." at around 16:30

Maybe not a big deal, but it seems like a new level for : people paying money to promote based on F-Droid's principles, in this case, opt-out data collection is tracking.

Do you sometimes just want one tool from the in a container or VM, and don't want to deal with the whole pain of setting up and everything? Try the sdkmanager instead of the official one. For example, `apt-get install sdkmanager` then `sdkmanager platform-tools`. Plus this verifies all packages using an `apt-get`-style GPG-signed index with SHA256 values. Useful in on etc. In pypi, Debian, Ubuntu, and

Just tagged v2.2.1 of the fdroidserver tools package, and uploaded it to , , and our PPA. This version has passed autopkgtest in Debian/bookworm, so it looks like it should make it into bookworm without further work.

's representative gave a classic, well-polished FUD PR piece framed as lots of questions. Of course, I fully agree that human review of apps is key to trustworthy app stores, that's why goes the whole way and requires that apps provide the whole source code to be reviewed, not just the binaries. And F-Droid has done this since 2010 even though is not a . Being the only app store on the platform locks out app stores that do better review than .

Flying to Brussels, I was offered some digital boarding pass format which I was not familiar with: pkpass. Living , I assumed it was some proprietary thing. But I searched and found @ligi's app:
It worked perfectly!

@webmink I greatly enjoyed your live tooting of the . I'm up next: this Monday is the next one, this time about the app store regulations. I'll be there representing @fdroidorg. Any advice for pushing in that context?

client is configured with two repos: Maven Central and the Google one. Yet running `./gradlew buildEnvironment --scan` downloads `org.gradle:gradle-enterprise-gradle-plugin:3.10.2`, which is not available on those two repositories. It seems that is adding repositories automatically, which seems sketchy to me. I confirmed this by running `gradle --write-verification-metadata sha256 buildEnvironment --scan`

Just uploaded to the key inspection tools 2.7.0 and the latest from git, ahead of 2.5.2. All sorts of tools like and more rely on these for inspecting Android APK files.

This level of vigilance is hard, so we have added another layer of defense in the upcoming client v1.16 release, currently in beta. We've moved the database to be based on and its built-in measures, then had that new code audited 2/2


and require signature verification, and is built on top of 's APK signing. This improves things a lot but does not mean they are immune. Debian and F-Droid repos can still override packages in lower-priority repos. It could make sense to have a "no overrides allowed" setting, but that would restrict useful features. Maybe F-Droid could implement a "no new signing keys when overriding" rule by default; I wonder how much that would break what people are doing now? 2/2
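One way to express the "no new signing keys when overriding" rule floated in the post above, as an added Python example that is not code from fdroidclient; the repo names, priorities and signer fingerprints are constructed, and the rule is modelled as: repo priority decides who may override whom, but a candidate signed with a different key than the installed app is rejected unless the user opts in.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Candidate:
    repo: str            # repo name (constructed, not a real F-Droid repo)
    priority: int        # higher number overrides lower-priority repos
    version_code: int
    signer_sha256: str   # APK signing-cert fingerprint (constructed sample)


def choose_update(installed_signer: Optional[str], candidates, allow_new_keys=False):
    """Pick the candidate to offer for one package.

    By default a candidate whose signing key differs from the already
    installed one is rejected: that is the "no new signing keys when
    overriding" rule. A fresh install (installed_signer is None) has no
    key to compare against, so the rule does not apply there. Returns
    (chosen_candidate_or_None, [(repo, reason), ...] for rejected ones).
    """
    rejected = []
    allowed = []
    for c in candidates:
        if (installed_signer is not None and not allow_new_keys
                and c.signer_sha256 != installed_signer):
            rejected.append((c.repo, "signer mismatch"))
            continue
        allowed.append(c)
    if not allowed:
        return None, rejected
    # Highest-priority repo wins; within one repo, the newest version.
    return max(allowed, key=lambda c: (c.priority, c.version_code)), rejected


# Constructed sample: the app is installed from the lower-priority repo,
# and a higher-priority third-party repo offers a newer build under a
# different signing key.
SAMPLE_INSTALLED_SIGNER = "a1" * 32
SAMPLE_CANDIDATES = [
    Candidate("f-droid", priority=1, version_code=10, signer_sha256="a1" * 32),
    Candidate("third-party", priority=10, version_code=11, signer_sha256="b2" * 32),
]

if __name__ == "__main__":
    best, rejected = choose_update(SAMPLE_INSTALLED_SIGNER, SAMPLE_CANDIDATES)
    print(best.repo, rejected)  # f-droid [('third-party', 'signer mismatch')]
```

With `allow_new_keys=True` the higher-priority repo overrides as it does today; with the rule on, the override is refused and the lower-priority repo's build is kept.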


@Gargron is providing a shining example of the new breed of "startup" culture that is arising. We want impact in the public interest, and just to make a living doing it. Getting rich is beside the point, and it is certainly not a reason to compromise the goals of the project. I believe is another example of this.

We welcome help for bumping the and have mapped out what needs to be done:

Given our limited resources, I have chosen to focus my time on concrete improvements for . The only thing I'm opposed to in all this is removing functionality in order to bump targetSdkVersion. Google's recent changes there have removed functionality that many rely on.


When is built into a ROM, like , for , etc., there is no popup warning with fdroidclient. That comes from "Play Protect", which is proprietary software that flags things based on automated rules; it does not point to real-world security concerns for apps like . I have nothing against the sandbox, I just think it is important to note what it is good for, and what it cannot do well. 2/2


As lead maintainer of the official client, I hear a lot of criticism that is still at 25. fdroidclient is , publicly audited, with , written in memory safe languages, with a proven record of respecting and delivering . The source and binaries also receive human and machine review. is designed around untrusted proprietary software with non-memory safe code where the binary only gets machine review. 1/2

I work on because I believe in . One of the hardest things about working on a project like F-Droid is when someone decides to publicly campaign against our work, and it's only loosely based on fact. We get a constant stream of inquiries from people who just found out, asking the same questions again. Now I understand why companies hire PR staff. Communications can require a ton of work and stress. And when a project is mostly volunteers, no one is keen to take on that stress.

Now that I'm focused on client development, I have lots of time to toot because Gradle/Android builds take so damn long as compared to Python. 😂 😭

We want to add the official onion service for as an official mirror, so that clients will automatically use it. Please test by sharing the repo link to the client, then add it as a mirror:

This should prompt to add it as a mirror, which is safe since the keys need to match. Click cancel if it offers to add a new repo.

In the over 3 weeks since shipped a big overhaul of the production buildserver, there have been updates published on most days: Nov16 Nov15 Nov14 Nov13 Nov11 Nov09 Nov08 Nov05 Nov01 Oct31 Oct30 Oct29 Oct28 Oct27 Oct26 Oct25 Oct24 Oct22 Oct21 Oct20

And now, even more exciting, is that this unlocked lots of low hanging fruit that can make the process run much faster.

Starting this week, I want to try something new in the weekly meeting slot (Thursdays @ 11:30 UTC): I'll have "office hours" so anyone can come and ask any question, either via the regular chat channels, or realtime voice in

Reading about how browser aims to remove unique IDs when counting users makes me think about how hasn't been tracking users from the beginning, and stopped tracking downloads years ago, and seems to only have become more popular. Makes me think that developed by community motivated by doing the right thing is a better way than a or being driven by . Maybe improving the of tracking is missing the point.
