We can set up #internet communities with hard requirements to respect the community. This is why #FDroid is legally structured to put #FreeSoftware first and foremost, via legal structures set up by Commons Conservancy.
I will go one step further and say that calling #FDroid an "unsafe app" by this standard is dishonest. It seems that some at #Google also agreed, since the older version of that screen was honest: "Blocked by Play Protect" instead of "Unsafe app blocked". Looks like the #GooglePlay team is still focused on protecting their #monopoly, this time using scare tactics. 2/2
This screen that #Google shows on #Android when installing #FDroid really bugs me. It is purely based on the integer value targetSdkVersion, without considering our security model, public audit results, track record over 10+ years, exclusive use of memory safe languages, or even what our code actually does. It is as if #FDroid marked anything that comes from Google as containing ads and trackers. 1/2
So the #Bitwarden ad on this #FLOSSWeekly episode says: "Bitwarden doesn't track your data, only crash reporting, and even that is removed in the F-Droid installation." at around 16:30 https://twit.tv/shows/floss-weekly/episodes/720
Maybe not a big deal, but it seems like a new level for #FDroid: people paying money to promote based on F-Droid's principles, in this case, opt-out data collection is tracking.
Do you sometimes just want one tool from the #AndroidSDK in a container or VM, and don't want to deal with the whole pain of setting up #Java and everything? Try the #FDroid sdkmanager instead of the official one. For example, `apt-get install sdkmanager` then `sdkmanager platform-tools`. Plus this verifies all packages using an `apt-get`-style GPG-signed index with SHA256 values. Useful in #research on #Android #malware #tracking etc. On PyPI, Debian, Ubuntu, and https://gitlab.com/fdroid/sdkmanager/
Just tagged v2.2.1 of #FDroid fdroidserver tools package, and uploaded it to pypi.org, #Debian, and our #Ubuntu PPA. This version has passed autopkgtest in Debian/bookworm, so it looks like it should make it into bookworm without further work https://tracker.debian.org/pkg/fdroidserver
#Apple's representative gave a classic, well-polished FUD PR piece framed as lots of questions. Of course, I fully agree that human review of apps is key to trustworthy app stores, that's why #FDroid goes the whole way and requires apps provide the whole source code to be reviewed, not just the binaries. And F-Droid has done this since 2010 even though #FDroid is not a #gatekeeper. Being the only app store on the platform locks out app stores that do better review than #apple. #DMAWorkshop
Flying to Brussels, I was offered some digital boarding pass format which I was not familiar with: #Passbook pkpass. Living #GoogleFree, I assumed it was some proprietary thing. But I searched #FDroid and found @ligi 's app:
https://f-droid.org/packages/org.ligi.passandroid/
It worked perfectly! #FreeSoftware #FTW
@webmink I greatly enjoyed your live tooting of the #DMAWorkshop. I'm up next: this Monday is the next one, this time about the app store regulations. I'll be there representing #FDroid @fdroidorg. Any advice for pushing #FreeSoftware in that context?
#fdroid client is configured with two #Maven repos: Maven Central and the Google one. Yet running `./gradlew buildEnvironment --scan` downloads `org.gradle:gradle-enterprise-gradle-plugin:3.10.2`, which is not available on those two repositories. It seems that #Gradle is adding repositories automatically, which seems sketchy to me. I confirmed this by running `gradle --write-verification-metadata sha256 buildEnvironment --scan`
Just uploaded to #Debian the key #Android inspection tools #apktool 2.7.0 and the latest #smali from git, ahead of 2.5.2. All sorts of tools like #droidlysis #fdroid #kalilinux and more rely on these for inspecting Android APK files.
This level of vigilance is hard, so we have added another layer of defense in the upcoming #FDroid client v1.16 release, currently in beta. We've moved the database to be based on #Room and its built-in #security measures, then had that new code audited https://f-droid.org/2022/12/22/third-audit-results.html 2/2
#Debian and #FDroid require signature verification, and #FDroid is built on top of #Android's APK signing. This improves things a lot but does not mean they are immune. Debian and F-Droid repos can still override packages from lower-priority repos. It could make sense to have a "no overrides allowed" setting, but that would restrict useful features. Maybe F-Droid could implement a "no new signing keys when overriding" rule by default, I wonder how much that would break what people are doing now? 2/2
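To make the proposed "no new signing keys when overriding" rule concrete, here is an added example (hypothetical, not F-Droid client code) that models update selection across prioritized repos: candidates are ordered by repo priority, and any candidate whose APK signing certificate differs from the one already installed is rejected unless new keys are explicitly allowed. The dataclass, the `pick_update` function, the priority ordering (lower number wins) and the sample signer digests are all assumptions made for this illustration.

```python
"""Model of a "no new signing keys when overriding" repo rule.

Added example, hypothetical: not the F-Droid client's code. It shows how a
client with prioritized repos could refuse to offer an update from a
higher-priority repo when that update is signed by a different key than the
installed app. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Candidate:
    repo: str
    priority: int        # assumption: lower number = higher priority
    version_code: int
    signer_sha256: str   # hex SHA-256 of the APK signing certificate


# Constructed sample signer digests (not real certificates).
SIGNER_UPSTREAM = "aa" * 32
SIGNER_OTHER = "bb" * 32


def pick_update(installed_signer: Optional[str],
                candidates: List[Candidate],
                allow_new_keys: bool = False) -> Tuple[Optional[Candidate], List[Candidate]]:
    """Choose the candidate to install.

    Walks candidates by (priority, newest version) and returns the first one
    that passes the signer check, together with the list of rejected
    candidates. A fresh install (installed_signer is None) has nothing to
    compare against, so any signer is accepted.
    """
    ordered = sorted(candidates, key=lambda c: (c.priority, -c.version_code))
    rejected: List[Candidate] = []
    for cand in ordered:
        key_changed = installed_signer is not None and cand.signer_sha256 != installed_signer
        if key_changed and not allow_new_keys:
            # Override from a higher-priority repo, but with a new key: skip it.
            rejected.append(cand)
            continue
        return cand, rejected
    return None, rejected


def demo() -> dict:
    """Run the three interesting cases and return their outcomes."""
    # Constructed scenario: a higher-priority repo offers a newer build signed
    # by a different key than the version the user already has installed.
    candidates = [
        Candidate("override-repo", priority=0, version_code=20, signer_sha256=SIGNER_OTHER),
        Candidate("main-repo", priority=1, version_code=19, signer_sha256=SIGNER_UPSTREAM),
    ]
    strict, strict_rejected = pick_update(SIGNER_UPSTREAM, candidates)
    permissive, _ = pick_update(SIGNER_UPSTREAM, candidates, allow_new_keys=True)
    fresh, _ = pick_update(None, candidates)
    return {
        "strict": strict.repo if strict else None,
        "strict_rejected": [c.repo for c in strict_rejected],
        "permissive": permissive.repo if permissive else None,
        "fresh": fresh.repo if fresh else None,
    }


if __name__ == "__main__":
    print(demo())
```

Note that Android's package installer independently refuses to update an app whose new APK is signed by a different key, so a rule like this mainly changes what the client offers and how it prompts, rather than what the OS would ultimately accept.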
@Gargron is providing a shining example of the new breed of "startup" culture that is arising. We want impact in the public interest, and just to make a living doing it. Getting rich is beside the point, and it is certainly not a reason to compromise the goals of the project. I believe #FDroid is another example of this.
We welcome help for bumping the #targetSdkVersion for #FDroid and have mapped out what needs to be done:
* https://gitlab.com/fdroid/fdroidclient/-/issues/2037
* https://gitlab.com/fdroid/fdroidclient/-/issues/1440
Given our limited resources, I have chosen to focus my time on concrete improvements for #FreeSoftware. The only thing I'm opposed to in all this is removing functionality in order to bump targetSdkVersion. Google's recent changes there have removed functionality that many rely on.
When #FDroid is built into a #FreeSoftware ROM, like #CalyxOS, #lineageos for #microg, etc., there is no popup warning with fdroidclient. That comes from "Play Protect", which is #Google proprietary software that flags things based on automated rules; it does not point to real world security concerns for apps like #FDroid. I have nothing against the #targetSdkVersion sandbox, I just think it is important to note what it is good for, and what it cannot do well. 2/2
As lead maintainer of the official #FDroid client, I hear a lot of criticism that #targetSdkVersion is still at 25. fdroidclient is #FreeSoftware, publicly audited, with #ReproducibleBuilds, written in memory safe languages, with a proven record of respecting #privacy and delivering #security. The source and binaries also receive human and machine review. #targetSdkVersion is designed around untrusted proprietary software with non-memory safe code where the binary only gets machine review. 1/2
I work on #FDroid because I believe in #FreeSoftware. One of the hardest things about working on a project like F-Droid is when someone decides to publicly campaign against our work, and it's only loosely based on fact. We get a constant stream of inquiries from people who just found out, asking the same questions again. Now I understand why companies hire PR staff. Communications can require a ton of work and stress. And when a project is mostly volunteers, no one is keen to take on that stress.
Now that I'm focused on #FDroid client development, I have lots of time to toot because Gradle/Android builds take so damn long as compared to Python. 😂 😭
We want to add the official #Tor onion service for f-droid.org as an official mirror, so that clients will automatically use it. Please test by sharing the repo link to #FDroid client then add it as a mirror:
https://gitlab.com/fdroid/admin/-/issues/12#note_1184095205
This should prompt to add it as a mirror, which is safe since the keys need to match. Click cancel if it offers to add a new repo.