We can set up communities with hard requirements to respect the community. This is why is legally structured to put first and foremost, via legal structures set up by Commons Conservancy.

I will go one step further and say that calling an "unsafe app" by this standard is dishonest. It seems that some at also agreed, since the older version of that screen was honest: "Blocked by Play Protect" instead of "Unsafe app blocked". Looks like the team is still focused on protecting their , this time using scare tactics. 2/2

This screen that shows on when installing really bugs me. It is purely based on the integer value targetSdkVersion, without considering our security model, public audit results, track record over 10+ years, exclusive use of memory safe languages, or even what our code actually does. It is as if marked anything that comes from Google as containing ads and trackers. 1/2

So the ad on this episode says: "Bitwarden doesn't track your data, only crash reporting, and even that is removed in the F-Droid installation." at around 16:30 twit.tv/shows/floss-weekly/epi

Maybe not a big deal, but it seems like a new level for : people paying money to promote based on F-Droid's principles, in this case, opt-out data collection is tracking.

Do you sometimes just want one tool from the in a container or VM, and don't want to deal with the whole pain of setting up and everything? Try the sdkmanager instead of the official one. For example, `apt-get install sdkmanager` then `sdkmanager platform-tools`. Plus this verifies all packages using `apt-get` style GPG-signed index with SHA256 values. Useful in on etc. In pypi, Debian, Ubuntu, and gitlab.com/fdroid/sdkmanager/

Just tagged v2.2.1 of fdroidserver tools package, and uploaded it to pypi.org, , and our PPA. This version has passed autopkgtest in Debian/bookworm, so it looks like it should make it into bookworm without further work tracker.debian.org/pkg/fdroids

's representative gave a classic, well polished FUD PR piece framed as lots of questions. Of course, I fully agree that human review of apps is key to trustworthy app stores; that's why goes the whole way and requires apps provide the whole source code to be reviewed, not just the binaries. And F-Droid has done this since 2010 even though is not a . Being the only app store on the platform locks out app stores that do better review than .

Flying to Brussels, I was offered some digital boarding pass format which I was not familiar with: pkpass. Living , I assumed it was some proprietary thing. But I searched and found @ligi 's app:
f-droid.org/packages/org.ligi.
It worked perfectly!

@webmink I greatly enjoyed your live tooting of the . I'm up next: this Monday is the next one, this time about the app store regulations. I'll be there representing @fdroidorg. Any advice for pushing in that context?

client is configured with two repos: Maven Central and the Google one. Yet running `./gradlew buildEnvironment --scan` downloads `org.gradle:gradle-enterprise-gradle-plugin:3.10.2`, which is not available on those two repositories. It seems that is adding repositories automatically, which seems sketchy to me. I confirmed this by running `gradle --write-verification-metadata sha256 buildEnvironment --scan`

Just uploaded to the key inspection tools 2.7.0 and the latest from git, ahead of 2.5.2. All sorts of tools like and more rely on these for inspecting Android APK files.

This level of vigilance is hard, so we have added another layer of defense in the upcoming client v1.16 release, currently in beta. We've moved the database to be based on and its built-in measures, then had that new code audited f-droid.org/2022/12/22/third-a 2/2

and require signature verification, and is built on top of 's APK signing. This improves things a lot but does not mean they are immune. Debian and F-Droid repos can still override packages from lower priority repos. It could make sense to have a "no overrides allowed" setting, but that would restrict useful features. Maybe F-Droid could implement a "no new signing keys when overriding" rule by default; I wonder how much that would break what people are doing now? 2/2
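To make the two options in the post above concrete, here is an added example (not fdroidclient code) that models how an update would be chosen when several repos offer the same package: a "no overrides allowed" switch, and the proposed "no new signing keys when overriding" default. The priority ordering, the `Candidate`/`Installed` records and the signer strings are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of repo-override rules, constructed for this example.

@dataclass(frozen=True)
class Candidate:
    repo: str          # repo offering this build
    priority: int      # higher value = higher-priority repo (like apt pinning)
    version_code: int  # Android versionCode of the offered build
    signer: str        # constructed stand-in for the signing cert fingerprint

@dataclass(frozen=True)
class Installed:
    repo: str          # repo the installed build came from
    version_code: int
    signer: str

def select_update(installed: Installed, candidates: list[Candidate],
                  allow_overrides: bool = True,
                  allow_new_signer: bool = False) -> Optional[Candidate]:
    """Return the build that would be offered as an update, or None.

    allow_overrides=False models a "no overrides allowed" setting: only the
    repo the app came from is considered.  allow_new_signer=False models the
    proposed "no new signing keys when overriding" default: a build signed by
    a different key than the installed one is never offered, which is also
    what Android enforces at install time for an update.
    """
    usable = []
    for c in candidates:
        if c.version_code <= installed.version_code:
            continue  # not an upgrade
        if not allow_overrides and c.repo != installed.repo:
            continue  # another repo may not override the origin repo
        if not allow_new_signer and c.signer != installed.signer:
            continue  # would introduce a new signing key
        usable.append(c)
    if not usable:
        return None
    # The higher-priority repo wins; within one repo the newest build wins.
    return max(usable, key=lambda c: (c.priority, c.version_code))
```

With the default rule, a higher-priority repo offering a newer build under a different key is skipped rather than offered, so the user never hits Android's signature-mismatch install failure.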

@Gargron is providing a shining example of the new breed of "startup" culture that is arising. We want impact in the public interest, and just to make a living doing it. Getting rich is beside the point, and it is certainly not a reason to compromise the goals of the project. I believe is another example of this.

arstechnica.com/tech-policy/20

We welcome help for bumping the and have mapped out what needs to be done:
* gitlab.com/fdroid/fdroidclient
* gitlab.com/fdroid/fdroidclient

Given our limited resources, I have chosen to focus my time on concrete improvements for . The only thing I'm opposed to in all this is removing functionality in order to bump targetSdkVersion. Google's recent changes there have removed functionality that many rely on.

When is built into a ROM, like , for , etc., there is no popup warning with fdroidclient. That comes from "Play Protect", which is proprietary software that flags things based on automated rules; it does not point to real world security concerns for apps like . I have nothing against the sandbox, I just think it is important to note what it is good for, and what it cannot do well. 2/2

As lead maintainer of the official client, I hear a lot of criticism that is still at 25. fdroidclient is , publicly audited, with , written in memory safe languages, with a proven record of respecting and delivering . The source and binaries also receive human and machine review. is designed around untrusted proprietary software with non-memory safe code where the binary only gets machine review. 1/2

I work on because I believe in . One of the hardest things about working on a project like F-Droid is when someone decides to publicly campaign against our work, and it's only loosely based on fact. We get a constant stream of inquiries from people who just found out, asking the same questions again. Now I understand why companies hire PR staff. Communications can require a ton of work and stress. And when a project is mostly volunteers, no one is keen to take on that stress.

Now that I'm focused on client development, I have lots of time to toot because Gradle/Android builds take so damn long as compared to Python. 😂 😭

We want to add the official onion service for f-droid.org as an official mirror, so that clients will automatically use it. Please test by sharing the repo link to the client, then add it as a mirror:
gitlab.com/fdroid/admin/-/issu

This should prompt to add it as a mirror, which is safe since the keys need to match. Click cancel if it offers to add a new repo.