Hans-Christoph Steiner @eighthave@librem.one
- home page
- https://at.or.at
- matrix
- @eighthave:matrix.org
This level of vigilance is hard, so we have added another layer of defense in the upcoming #FDroid client v1.16 release, currently in beta. We've moved the database to be based on #Room and its built-in #security measures, then had that new code audited https://f-droid.org/2022/12/22/third-audit-results.html 2/2
#Debian and #FDroid require signature verification, and #FDroid is built on top of #Android's APK signing. This improves things a lot but does not mean they are immune. Debian and F-Droid repos can still override packages lower priority repos. It could make sense to have a "no overrides allowed" setting, but that would restrict useful features. Maybe F-Droid could implement "no new signing keys when overriding" rule by default, I wonder how much that would break what people are doing now? 2/2
@Gargron is providing a shining example of the new breed of "startup" culture that is arising. We want impact in the public interest, and just to make a living doing it. Getting rich is besides the point, and it is certainly not a reason to compromise the goals of the project. I believe #FDroid is another example of this.
We welcome help for bumping the #targetSdkVersionfor #FDroid and have mapped out what needs to be done:
* https://gitlab.com/fdroid/fdroidclient/-/issues/2037
* https://gitlab.com/fdroid/fdroidclient/-/issues/1440
Given our limited resources, I have chosen to focus my time on concrete improvements for #FreeSoftware. The only thing I'm opposed to in all this is removing functionality in order to bump targetSdkVersion. Google's recent changes there have removed functionality that many rely on.
When #FDroid is built into a #FreeSoftware ROM, like #CalyxOS, #lineageos for #microg, etc there is no popup warning with fdroidclient. That comes from "Play Protect", which is #Google proprietary software that flags things based on automated rules, it does not point to real world security concerns for apps like #FDroid. I have nothing against the #targetSdkVersion sandbox, I just think it is important to note what it is good for, and what it cannot do well 2/2
As lead maintainer of the official #FDroid client, I hear a lot of criticism that #targetSdkVersion is still at 25. fdroidclient is #FreeSoftware, publicly audited, with #ReproducibleBuilds, written in memory safe languages, with a proven record of respecting #privacy and delivering #security. The source and binaries also receive human and machine review. #targetSdkVersion is designed around untrusted proprietary software with non-memory safe code where the binary only gets machine review. 1/2
I work on #FDroid because I believe in #FreeSoftware. One of the hardest things about working on a project like F-Droid is when someone decides to publicly campaign against our work, and its only loosely based on fact. We get a constant stream of inquiries from people who just found out, asking the same questions again. Now I understand why companies hire PR staff. Communications can require a ton of work and stress. And when a project is mostly volunteers, no one is keen to take on that stress
Now that I'm focused on #FDroid client development, I have lots of time to toot because Gradle/Android builds take so damn long as compared to Python. 😂 😭
We want to add the official #Tor onion service for f-droid.org as an official mirror, so that clients will automatically use it. Please test by sharing the repo link to #FDroid client then add it as a mirror:
https://gitlab.com/fdroid/admin/-/issues/12#note_1184095205
This should prompt to add it as a mirror, which is safe since the keys need to match. Click cancel if it offers to add a new repo.
In the over 3 weeks since #FDroid
shipped a big overhaul of the production buildserver, there have been updates published on most days: Nov16 Nov15 Nov14 Nov13 Nov11 Nov09 Nov08 Nov05 Nov01 Oct31 Oct30 Oct29 Oct28 Oct27 Oct26 Oct25 Oct24 Oct22 Oct21 Oct20
And now, even more exciting, is that this unlocked lots of low hanging fruit that can make the process run much faster.
Starting this week, I want to try something new in the #fdroid weekly meeting slot (Thursdays @ 11:30 UTC): I'll have "office hours" so anyone can come and ask any question, either via the regular chat channels, or realtime voice in https://meet.jit.si/fdroid
Reading about how #Vivaldi browser aims to remove unique IDs when counting users makes me think about how #fdroid hasn't been tracking users from the beginning, and stopped tracking downloads years ago, and seems to only have become more popular. Makes me think that #FreeSoftware developed by community motivated by doing the right thing is a better way than a #startup or being driven by #tracking. Maybe improving the #privacy of tracking is missing the point.
https://vivaldi.com/blog/how-we-count-our-users/
- home page
- https://at.or.at
- matrix
- @eighthave:matrix.org
