When tapping an app, the user sees the app details screen as usual. There, a new box at the top shows the repository the app comes from.
All information on that page including the versions provided for installation are provided by that repo.
Version 1.20 of @fdroidorg brings some pretty big changes of how repositories are handled:
• official repo is always preferred
• the repo an app comes from is prominently shown
• if an app is available from more than one repo, they can choose where to get it from
• power users can change global repo priorities
If you did not yet opt-in to beta versions of F-Droid, please manually install 1.20 and help testing before we make it available for everyone.
@cratermoon @timbray sounds worthwhile to me, there are so many compression libs out there
Are you experienced with GTK and Rust ? ❤️
We are looking to contract someone to work on the new GNOME Password Manager 🔑
We want it to become a core/default app and help secure millions of users.
You'll be working with the GNOME Foundation, a non-profit dedicated to building emancipatory technologies for everyone.
Please send resume / portfolio to stf@gnome.org
Boosts welcome
#GTK #Rust #rustlang #GNOME #Linux #Ubuntu #Linux #Fedora #OpenSUSE #Debian
Its also kinda enlightening on how distros react to the #xz backdoor:
* #arch "lets rerelease the version from the untrusted party, we run autogen.sh ourselves now"
* #debian "lets roll back to the last version not having any changes by the untrusted party and rebuild our infra from scratch"
I know which of these I trust more as an upstream ...
@selectallfromdual Latest F-Droid Client 1.20 alpha (expand Versions to install) redesigned the repo section. Feedback is welcome.
@WPalant Because the submitter deleted their account as a response to the review, I think it could be an deliberate attempt to insert the vuln. Plus all the attention from random new accounts. If it had been a normal review process, I could see how it could have been an honest mistake. But that scenario also makes it more attractive to the attacker, since making a mistake there is quite plausible, and could serve as an easy cover story.
@WPalant Ironically, it could be because I was so aware of the crappy state of things that I caught this. The author of the SQL code was no longer involved. I suck at SQL but was well aware that string concat to build SQL queries is a bad idea. So I was terrified to merge any changes to the SQL without really confirming them.
In any case, we've since replaced all that crazy code with libraries that provide much more protection.
@Optional clear communication definitely suffers when maintainers are overloaded, stressed out and feel ganged up on. I think that's another key takeaway from this current incident. For a well resourced actor, it is not too hard to social engineer themselves into a trusted position when projects get into that position. That happens all too often, unfortunately.
@atrus @joeyh I think a more useful and realistic takeaway from the #xz #backdoor is that build systems should be clean, direct, simple, and easily readable. A key part was the m4 code in the build system that read the payload from the obfuscated test file. If the build system was easy to read, then it would have been a lot harder to do that.
I accidentally found a security issue while benchmarking postgres changes.
If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.
Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now
For anybody cynically going "haha, 'given enough eyeballs, all bugs are shallow" my ass", I'm willing to argue that the reverse engineering of the #xz #backdoor actually validates this claim.
We just didn't have enough eyeballs on this particular dependency, nor is it possible to have every commit in your dependency graph investigated. But once the issue was found, the community's focus moved like the 👁️ of Sauron; few teams could have done that work (as quickly, thoroughly, or at all).
@setiathome @kuketzblog @IzzyOnDroid Leider nicht, aber wir haben das selber entdeckt. Ich verstehe nicht was "LibraryCheck" genau ist. F-Droid issuebot benutzt fdroid/suss für non-free libraries, Exodus ETIP für Tracking, und @IzzyOnDroid hat selber iod-scan-apk.php entwickelt als Teil von issuebot. Was ist übrug?
@joeyh Doesn't git have a length field for each blob? That would prevent lots of kinds of abuse. Most of the checks require `git fsck` though, and that isn't run by default. I recommend requiring it in each machine's global git config, e.g. git config --global transfer.fsckObjects=true
@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html
@FritzAdalis It is true, a couple of contributors did quit. I'm happy to see they are still working on Android free software and wish them well. From what I've seen in the past four months, #FDroid has completed a major overhaul of the repository UX in the client (v1.19 and v1.20), launched F-Droid Basic to track the latest targetSdkVersion, and upgraded the buildserver to Debian bookworm. Plus half of the board has completed their first term, and we have promising new candidates. More to come!
Today, we've opened five non-compliance investigations under the Digital Markets Act.
It concerns:
🔹Alphabet’s rules on steering in Google Play
🔹Alphabet’s self-preferencing in Google Search
🔹Apple’s rules on steering in the App Store
🔹Apple's choice screen for Safari
🔹Meta’s ‘pay or consent model’
More info https://europa.eu/!4NF6bV