Hans-Christoph Steiner @eighthave@librem.one

@aliceif @kurimu turns out that #Google also had minimal checks on such things. I don't recall anything other than #MavenCentral checking the domain names of Package Names. That's the #Android ecosystem. Today, does #GooglePlay or any other app store even check this?

@growse @guardianproject @signalapp @fdroidorg That would be nice, but sadly, no. That APK contains proprietary libraries from Google and maybe others.

@pixelcode @kkarhan I have followed their #ReproducibleBuilds over the years, they never actually reproduce the whole thing from source, just the easy parts. Last I checked, all their native code is just pulled in as binaries when using their reproducer setup. Plus, they can't reproduce the proprietary Google libraries https://github.com/signalapp/Signal-Android/blob/556bcda58ae65abbba75bf899a43666ba6d9d427/app/build.gradle.kts#L533

#Debian and #Guix rebuild everything from source.

@pixelcode @kkarhan #OpenSourceInitiative has gone to great lengths to try to standardize the definition of "open source", including filing trademarks. Including proprietary libs fails their definition of #OpenSource For this reason, many are now using the term #SourceAvailable for things like Signal.

@nemobis thanks for the info, I still wonder why they deleted the comments on the GitHub thread?

wow, #Bluesky just deleted all the comments for people who didn't like that users were objecting to them making it more like #Twitter:

There are direct links to the comments in:
https://tech.slashdot.org/story/25/04/18/2231252/users-react-to-blueskys-upcoming-blue-check-mark-verification-system

But they are no longer visible on the GitHub issue. Unfortunately, no one got a archive.org capture before that happened.

#verification #decentralization

@neil @fdroidorg Thanks, that would be very useful! Shall we just reach out to you via decoded.legal? Or we're reachable at team@f-droid.org

#Apple is supposedly the "privacy company" but apparently those sweet #SurveillanceCapitalism dollars are just too irresistable, so they are expanding their ad business:

https://www.techradar.com/pro/apple-rebrands-part-of-its-ads-business-in-major-expansion

#AppStore #privacy

@KazukyAkayashi that means that Droid-ify is using the index-v1.jar, which has a weak SHA1 signature. They should upgrade to index-v2. We have libraries for apps like Droid-ify to do that with. If I were a user, I'd file an issue to make them aware.

#security #droidify

@KazukyAkayashi Actually I see the bug now: it only shows up in older versions of the index (index-v1.json and index.xml). We'll look into fixing that.

Which client app are you using?

@KazukyAkayashi if you look at the repo metadata, you can see the name is "F-Droid" https://f-droid.org/repo/index-v2.json so it looks like it is a problem with your client app?

If you're thinking about #democracy, consider that less than 30% of the #USA adult population voted for #Trump.