Hans-Christoph Steiner @eighthave@librem.one
Joined Aug 2019
@newhinton @GrapheneOS There is a difference of opinion in a longer term fix. They want to maintain support for v1-only signatures, we are working to require v2/v3 signatures in order to use AllowedAPKSigningKeys. v1 signatures are deprecated and going away. And the design of v1 signatures is massively over-complicated, and will never really be possible to support properly.
@newhinton @GrapheneOS In case you missed it, the bugs v1-only and v3.1-only APK certificate parsing were acknowledged, accepted, fixed, and released: https://floss.social/@fdroidorg/113871647937841033
We were asked not to ping the reporter anywhere, so that makes it difficult for us to give credit.
APK Signature pinning is still a research topic, there are no public implementations I know of besides ours. We welcome alternate implementations and experiments. Please dive in! It is not a simple problem, but important.
Hans-Christoph Steiner
boosted
We have one nomination for Community Council and we're extending the feedback period.
Want to get involved?
Do read: https://f-droid.org/2025/01/27/community-council-nominations-feedback.html
Hans-Christoph Steiner
boosted
We've signed the open letter to the @EUCommission calling for strong enforcement of the #DMA.
The EU must act decisively to create opportunities, protect innovation and increase consumer choice.
https://appfairness.org/the-digital-markets-act-europes-digital-competitiveness-at-stake/
@rene_mobile is there anything you could add here? It would be quite useful to have these questions clarified so we can make solid Python implementations as used in projects like Androguard, F-Droid, etc.
Hans-Christoph Steiner
boosted
The success of the free software Android ecosystem relies on contributors like you. Interested in funding to maintain F-Droid or related projects? Let us help you apply to https://nlnet.nl/funding.html, https://prototypefund.de/en/, https://www.sovereign.tech/programs, or https://grayarea.org/initiative/cultural-memory-lab/. We can also mentor you during the grant process to help navigate non-profit funding. please reach out here or via email hans@guardianproject.info
Hans-Christoph Steiner
boosted
Seven new projects have been selected to contribute to the three NGI Pilots. IzzyOnDroid and OWASP blint will join forces with NGI Mobifree which works on a more ethical mobile ecosystem. Nuxt, Flohmarkt & Open Banking Gateway will work on integrations with Taler, the privacy-preserving digital payment system. And NGI Fediversity - the effort to create a hosting stack in-a-box - will be joined by Drupal & Source-based Nextcloud + Onlyoffice.
https://nlnet.nl/news/2025/20250122-project-selection-pilots.html
#NGI #FOSS
So what is the Android team's intention? Should v3.1-only APKs be considered valid? Or not? My guess is they should be not considered valid since the Android team has explicitly marked that kind of signature as invalid since apksigner v30.0.0 (besides v33). Are there any plans to unified the code that verifies APK signatures?
#Android #AndroidSDK #APK #apksigner
2/2
Interesting bug in #apksigner reported to @fdroidorg: an APK with only a v3.1 signature was only considered valid by v33. <33 error out with "APK Signature Scheme v2 signature 0 indicates the APK is signed using APK Signature Scheme v3 but no such signature was found." >33 error out with "The APK contains a v3.1 signing block without a v3.0 base block". Android uses its own verify code and treats it as valid. https://gitlab.com/fdroid/fdroidserver/-/issues/1253
1/2
@fdroidorg @Aliyan A UI overhaul is already underway! It will be released as v1.23. We'll be releasing nightlies and alphas soon, and we are looking for feedback and testing. Follow the development here:
https://gitlab.com/fdroid/fdroidclient/-/milestones/52#tab-merge-requests
Hans-Christoph Steiner
boosted
fdroidserver v2.3.5 was released to fix issues with `AllowedAPKSigningKeys` when used in specific configurations. More details in the changelog: https://gitlab.com/fdroid/fdroidserver/-/blob/2.3.5/CHANGELOG.md#235---2025-01-20 #FDroid
Hans-Christoph Steiner
boosted
Michiel Leenaars (our director of strategy) speaks at #FOSDEM about Europe's ambition to increase its digital sovereignty in relation to the #NextGenerationInternet. Despite its contribution to tech sovereignty with over 1300 Free and Open technologies supported, so far #NGI is not in the EU's future plans. Michiel addresses the question: What should our new EU Commissioner for Tech Sovereignty be working on for the next 5 years from the the vantage point of NGI?
https://fosdem.org/2025/schedule/event/fosdem-2025-6508-next-generation-internet-2025-where-next-/
#FOSS
Hans-Christoph Steiner
boosted
The gig economy is ground zero for the use of experimental algorithms that use workers' own data against them. Leaving workers playing a game that they don’t know the rules to and that the house always wins.
#TimeToDeliverAnswers
Hans-Christoph Steiner
boosted
There's a "Signal deanonymized" thing going around:
https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117
Stay calm. Deep breaths.
👉 while this is a real consideration, the only thing the attacker gets from this is a very rough (kilometers or tens of kilometers radius) location
👉 other communication platforms that use any kind of caching CDN to deliver attachments are just as vulnerable
👉 you almost certainly should continue to use Signal, unless you specifically know that this is a big problem for you.
Hans-Christoph Steiner
boosted
Reminder: Tech jobs with real impact are rare. At the Sovereign Tech Agency, we work to strengthen digital infrastructure – fostering security, innovation, and resilience to provide a stable foundation for participation and democracy.
You can still apply for our open positions! 📩
In the official release of the #AndroidSDK package "build-tools_r35.0.1_linux.zip", they included what looks like a hand-edited "source.properties" metadata file that is a key part of the "sdkmanager" packaging system:
```
Pkg.UserSrc=false
Pkg.UserSrc=false
Pkg.Revision=35.0.1
#Pkg.Revision=35.0.0 rc4h
```
I mean really? The Android SDK packages are not automatically generated?
@gwagner With Big Oil gaining more power via Trump, it is time for individuals to take responsibility. If you believe in climate change, get rid of your second car, ride a bike, take a train.
It is also time for city and state governments to step up. They have the power to do a lot of the things that Trump wants to stop the Federal Government from doing. And those actions would be out of reach of Trump's executive orders.
Hans-Christoph Steiner
boosted
We need for community-run, ethical, well-moderated communication platforms more than ever.
I'm sure this is one of the reasons why many folks are joining fedi today. Welcome, glad to see you here! 👋
However:
👉 infrastructure is not free
👉 moderation is hard emotional labor
👉 managing a server takes time and effort
Please consider getting engaged and contributing, if you can. Help moderate your instance. Support your instance financially. Help make fedi sustainable.
@rysiek oh wow, this is awesome! I live somewhere where the Nazis reigned for 7 years, and I have been playing a version of this game with my family for a while now. This quote is prescient these days:
> Nazism has nothing to do with race and nationality. It appeals to a certain type of mind
Fun article
Joined Aug 2019
