Hans-Christoph Steiner @eighthave@librem.one
Joined Aug 2019
Just to be sure, I scanned all apps on @fdroidorg and found no apps that used the libs vulnerable to #ReactServer #CVE-2025-55182 aka #React2Shell.
I'm no #Javascript nor #React dev though, maybe it was silly to scan apps for server components? In any case, #FDroid's data collection is easy to scan via scripts, so better safe than sorry.
I made a minor v2.4.3 release of fdroidserver to support Python 3.14, which is rollling out some places already
https://pypi.org/project/fdroidserver/2.4.3/
I'm a big fan of encrypted connections. Towards that end, I just did a survey of all the apps in @fdroidorg to see if any of the source repos would not work with https://. This includes the over 5000 apps and all of their git submodules. All the git URLs that did not have encrypted connections (e.g. git:// http://) could be upgraded to https://. So I filed a bunch of merge requests, and am working towards forcing https://
https://gitlab.com/fdroid/fdroidserver/-/merge_requests/1737
When building software, I believe it is important to work in public. Software can give small groups of developers immense power over lots of people. Like how governments work in public and corporations have to be more public than private company, developers should be transparent not only with their source code, but also the discussions and processes while building it. This can be hard to get used to, but not bad once used to it. Great examples of this are #Debian #GitLab and IMHO #FDroid
Some #Android #SDK packages are updated with a revision number, but #sdkmanager does not allow installs to use that revision number. This sometimes breaks #ReproducibleBuilds. There is an issue open since 2017 about this:
https://issuetracker.google.com/issues/38045649
If anyone wants this feature, it should be easy to implement in #FDroid's sdkmanager:
https://gitlab.com/fdroid/sdkmanager/-/issues/26
For anyone who wants to relive the #Alphabet #DMAWorkshop the video has been released:
#DMA #compliance #competition #EC #EuropeanCommission #EU #gatekeepers #monopoly #mobile #Google #AI #GooglePlay #GooglePlayServices #GoogleFree #EDRi #FSFE #FDroid
A simple metric from #FDroid #metrics data: app downloads per week. Start with data from 1 of 2 servers for f-droid.org: http02, add hits for paths ending in ".apk". That gave about 2 million. Multiply by 18 (fronters + mirrors) and get ~36 mil app downloads a week.
import requests
hits = 0
r = requests.get(f'https://fdroid.gitlab.io/metrics/http03.fdroid.net/2025-05-26.json')
data = r.json()
for path in data['paths']:
if path.endswith('.apk'):
hits += data['paths'][path]['hits']
print('APKs', hits)
https://forum.f-droid.org/t/experiment-in-f-droid-org-metrics/32454
#Google funds this #EU think tank to put out policy papers saying #DigitalMarketsAct will break their lovely #PlayProtect scare screens, making us all less safe and "it require[s] Google to allow developers to insert links inside their Play Store apps".
https://ecipe.org/publications/eu-dma-undermine-security-mobile-operating-systems/#_ftn13
As I've always said in relation to the #DMA, let @fdroidorg compete on trustworthiness. I'd love to see this think thank include analysis malware rates of #CalyxOS with #FDroid and compare that to #GooglePlay #security
We're starting to implement support for split APKs in #FDroid. #Google wants to gather as much data about its users as possible, so trying to hide info about language, country, device specs was not a design concern for them. It is central for us. We want the official client to leak as little data as possible to any server, be it ours, mirrors, or custom repos. We welcome input:
https://gitlab.com/fdroid/fdroidclient/-/issues/2963
#Android #APK #privacy #DataEfficiency #efficiency #technology #data #metadata
Joined Aug 2019
