@selectallfromdual Latest F-Droid Client 1.20 alpha (expand Versions to install) redesigned the repo section. Feedback is welcome.
I accidentally found a security issue while benchmarking postgres changes.
If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.
Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now
For anybody cynically going "haha, 'given enough eyeballs, all bugs are shallow" my ass", I'm willing to argue that the reverse engineering of the #xz #backdoor actually validates this claim.
We just didn't have enough eyeballs on this particular dependency, nor is it possible to have every commit in your dependency graph investigated. But once the issue was found, the community's focus moved like the 👁️ of Sauron; few teams could have done that work (as quickly, thoroughly, or at all).
@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html
Today, we've opened five non-compliance investigations under the Digital Markets Act.
It concerns:
🔹Alphabet’s rules on steering in Google Play
🔹Alphabet’s self-preferencing in Google Search
🔹Apple’s rules on steering in the App Store
🔹Apple's choice screen for Safari
🔹Meta’s ‘pay or consent model’
More info https://europa.eu/!4NF6bV
Feels a little funny to be sympathic to #Google's point of view in the #DMA compliance workshop when some of the advertising industry lobbyists ask questions. From what I've seen, Google is less crappy than the average ad tech company when it comes to privacy, so I really hope the DMA does not open us up to more crappy ad tech companies.
In collaboration with @fdroidorg, the @fsfe prepared a study for the Japanese Competition Authority HDMC on how Apple's plans to comply with the #DMA represent a risk for #FreeSoftware and #DeviceNeutrality.
Key recommendations: 👇
- Full and unfettered side-loading
- No distribution via DRM encryption
- No residency or credit requirements for
3rd party app stores
- No interoperability request forms
- More competition on trustworthiness
https://download.fsfe.org/device-neutrality/fsfe-apple-report-final.pdf
#Sideloading apps and using alt stores like #Flathub is a major feature of elementary OS and a competitive edge over closed platforms that only let you install apps from a locked down store. In this release we’ve made several improvements to smooth out the experience of using alt stores based on your feedback and the latest #CrossPlatform standards.
So maybe #PlayServices is a special case here, maybe not. But all of the apps that #Google requires to be in the bundle do not require special privileges, so can easily be built into Android devices in a way where they are easily uninstallable, e.g. disabled and deleted. I'm thinking Maps, Gmail, etc.
After 2018, #Google stopped publishing data about malware coming via sideloading. Today in the #DMA workshop they made big claims that sideloading is much more likely to be malware. Since they are making claims based on that, they should again release that publicly.
https://transparencyreport.google.com/android-security/overview
@f15h XIII. Art. 6(3) B.1 23. ...Google Android allows users to uninstall apps by: (i) fully deleting apps that are downloaded or pre-installed in a Google Android device's user partition; and (ii) disabling apps in a Google Android device's system partition such that they are returned into an uninstalled state.
#Google says #PlayServices is not part of the OS but then do not allow users to actually uninstall it. At the same time, they say that they won't let people download it and install it on other AOSP-based systems like Amazon Fire. We know this kind of thing works since people are downloading Play Services from places like APKMirror.
If you needed any more proof that the so-called #AppAssociation #ACT is an #Apple front, their lobbyist just asked #Google whether it wasn't worried that 3rd party app stores are dangerous to users and would put a control process in place (like Apple does). 😠
How to install old apps on Android 14 #Android, #Android14, #BypassLowTargetSdkBlock, #Security, #Sideloading
https://liliputing.com/how-to-install-old-apps-on-android-14/
Just in case you're wondering why #Apple & #Google etc. are such jerks about implementing #DMA, here are some numbers:
* play store revenue 2019: $ 11.2 Billion
https://www.reuters.com/technology/google-play-app-store-revenue-reached-112-bln-2019-lawsuit-says-2021-08-28/
* apple appstore revenue 2021: $ 85.1 Billion
https://www.statista.com/statistics/296226/annual-apple-app-store-revenue/
* apple app store made more money on games alone in 2019 than nintendo, microsoft and sony combined
https://www.techspot.com/news/91577-apple-reportedly-made-more-money-games-2019-than.html
Today: #DMA compliance workshop with #Alphabet/#Google :)
While Alphabet seems to be better in terms of the new #browser & #search choice screens, they have a strange view regarding their new obligation to allow un-installing pre-installed apps like #PlayStore or #Gmail:
Alphabet's lobbyists argue un-install and remove are two different things and as the #DigitalMarketsAct's Art 6(3) only mandates un-install but not removal, the current "deactivation" feature in Android would be enough. 🤔
EU antitrust chief Margrethe Vestager called out Apple’s proposed core technology fee for what it is: a way to protect its monopoly instead of actually complying with the Digital Markets Act.
“…if the new Apple fee structure will de facto not make it in any way attractive to use the benefits of the DMA. That kind of thing is what we will be investigating.”
#Google said it has no involvement of OEM's including app stores by default. To ship an #GooglePlay device, it has to comply with secret NDA'd "GMS Compliance", which requires OEMs to justify to Google pre-installed app store needs to access the same APIs that Play uses to install and uninstall apps. Somehow, I don't think Google will stop requiring OEMs be granted permission by Google to include the app stores of their choosing.
Haha #Google bitches against #Apple: "We allow 3rd party app stores, #sideloading, automatic updates for sideloaded apps, and #PWA for free."