Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. Additionally, the requirements for an app to be included in the official F-Droid repo are less strict than other app stores like Google Play, meaning that F-Droid tends to host a lot more apps which are older, unmaintained, or otherwise no longer meet modern security standards.
Other popular third-party repositories for F-Droid such as IzzyOnDroid alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers’ own repositories. However, it is not something that we can fully recommend, as apps are typically removed from that repository if they are later added to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they’re accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
That said, the F-Droid and IzzyOnDroid repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through other means such as the Play Store, Aurora Store, or by getting the APK directly from the developer. You should use your best judgement when looking for new apps via this method, and keep an eye on how frequently the app is updated. Outdated apps may rely on unsupported libraries, among other things, posing a potential security risk.
Fossify Contacts (Manage your contacts privately and efficiently with vCard support) https://f-droid.org/packages/org.fossify.contacts/
Edit: Oh, interesting. That link throws a 404. But it shows as being available via IzzyOnDroid.
deleted by creator
From what I understand Izzy takes the builds directly from the applications git repository.
Right, which is a lower security standard than rebuilding from source. If you trust fdroid, it is the best. If you don’t trust fdroid, and it’s a reproducible build, then you get fdroid confirming the binary is from the source, but it’s signed by the developer, meaning fdroid didn’t modify it.
not necessarily
https://f-droid.org/docs/Reproducible_Builds/
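The reproducible-builds point above comes down to one checkable fact: when F-Droid ships a reproducible build, the APK carries the developer's signing certificate, so the same APK from F-Droid, IzzyOnDroid or the developer's own release should report the same certificate fingerprint. The following is an added example (not code from F-Droid, IzzyOnDroid or Fossify) that extracts that fingerprint from an APK's v1 (JAR) signature block with the standard library only and compares two APKs; the `fake_apk` sample data and the two certificate blobs are constructed placeholders, not real signatures.

```python
import hashlib, io, zipfile
def der_read(buf, pos):  # one DER TLV header at pos -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def der_children(buf, start, end):  # yields (tag, tlv_start, content_start, content_end)
    pos = start
    while pos < end:
        tag, cs, ce = der_read(buf, pos)
        yield tag, pos, cs, ce
        pos = ce

def signer_cert_fingerprints(pkcs7):
    """SHA-256 of every certificate DER in a PKCS#7 SignedData (the digest apksigner prints)."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    wrapper = list(der_children(pkcs7, *der_read(pkcs7, 0)[1:]))[1]
    signed = next(der_children(pkcs7, wrapper[2], wrapper[3]))
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #                           certificates [0] IMPLICIT CertificateSet OPTIONAL, ... }
    for tag, _, cs, ce in der_children(pkcs7, signed[2], signed[3]):
        if tag == 0xA0:  # [0]: each element is one complete Certificate TLV
            return {hashlib.sha256(pkcs7[s:e]).hexdigest() for _, s, _, e in der_children(pkcs7, cs, ce)}
    return set()
def apk_fingerprints(apk_bytes):
    """Fingerprints from the v1 (JAR) signature blocks. Caveat: an APK signed only with
    v2/v3 (APK Signing Block) carries no META-INF/*.RSA and yields an empty set here."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps |= signer_cert_fingerprints(z.read(name))
    return fps
def same_signer(apk_a, apk_b):
    """True only when both APKs carry the same non-empty set of signing certificates."""
    a, b = apk_fingerprints(apk_a), apk_fingerprints(apk_b)
    return bool(a) and a == b

# Constructed sample data (not real signatures): a zip holding a minimal PKCS#7 block.
def der(tag, content):
    assert len(content) < 0x80  # short-form length suffices for the sample
    return bytes([tag, len(content)]) + content
def fake_apk(cert_der):
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")) + der(0xA0, cert_der) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, signed))
    with zipfile.ZipFile(out := io.BytesIO(), "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return out.getvalue()
DEV_CERT, FDROID_CERT = der(0x30, b"developer cert (constructed)"), der(0x30, b"fdroid cert (constructed)")
```

On a real download, `apk_fingerprints(open("app.apk", "rb").read())` gives the same SHA-256 digest that `apksigner verify --print-certs app.apk` reports, which is what to compare against the developer's published certificate fingerprint.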
Oh, I see your point. But generally, I tend to trust that the developer isn’t going to put out a binary that is different from the source code they publish. My chain of trust would be: fdroid being the best; the developer’s binary directly, being second, and open source; and then something like Google Play with closed-source crapware.
I won’t argue one way or another. The argument against f-droid is this:
‘The issue with F-Droid is that all apps are signed by the same party (F-Droid) which is also not the developer. You’re now adding another party you’ll have to trust since you still have to trust the developer anyway, which isn’t ideal: the fewer parties, the better.’
https://privsec.dev/posts/android/f-droid-security-issues/
There are other examples too, and Divestos (which I have a lot of respect for) maintains their own repo.
So just because each follows their own standards does not disqualify one from another in my mind.
I have shifted to Obtainium as my source, a personal choice, and I am happy with it. I get more timely updates direct from the source. The developer could introduce Pixel tracking, or Google AdMob, but I scan all installs with App Manager, and RethinkDNS is set to block those anyway.
This is not something most users practice. Many users did not even know that SMT was acquired. When SMT was acquired, the F-Droid team disabled auto-updates to safeguard users and mentioned it in their weekly news. On the Google Play Store, by contrast, trackers and new permissions were added to the apps, and I wonder how many users noticed that.
Therefore, I try to recommend safer and simpler methods.
Ultimately, it is up to each user to consider all sides of the discussion and make an informed decision.
No disagreement there; everyone should do due diligence, though many will not. I was only pointing out that the community is not agreed on F-Droid being the best choice, especially with the recent infighting there.
The SMS Messenger is also available now, probably on Izzy, too.
Yes, only Izzy for now https://github.com/FossifyOrg/Messages