A post from the developer of WireGuard on the severe security flaws and lack of trustworthiness of F-Droid:
https://gitlab.com/fdroid/fdroiddata/-/issues/3110#note_1613430404
This led to them including a self-update system which was openly implemented and documented. F-Droid was unaware they'd shipped it for half a year, and by then WireGuard had essentially escaped from, in their words, being held hostage by F-Droid.
This was a rare case where an app used developer signing keys via their flawed reproducible builds system. Most don't.
-
For the vast majority of apps they package, F-Droid downloads and builds whatever developers publish, then signs it with their own keys and releases it. They aren't doing any real review as people believe. What they really do is run things through basic scans looking for libraries they've disallowed, primitive antivirus checks for common Android malware as if that's what malicious code in an open source project would be, etc. It took them that long just to realize an app openly took over updates.
-
@GrapheneOS So whats your recommendation? Using Playstore instead?
-
@NebulaTide @GrapheneOS Um, Play Store is exactly the same. They lie that they're vetting packages and that's their justification for the walled garden approach. But all they're doing is setting policies which encourage malware-playing-by-Google's-rules and randomly ban software that's actually not shit (concrete example: not understanding that there's such a thing as an app that's a pure client not tied to a particular service provider, where by connecting to someone's unsavory server you might see unsavory things).
-
@dalias @NebulaTide Our current general recommendation is obtaining apps directly from open source developers. Obtainium and App Verifier are useful tools for that, but Obtainium doesn't do things in a way that lets us wholeheartedly recommend it or package it in our app repository. We could make our own tool for downloading app builds with pinned keys from where developers publish them without involving third parties. Could support a reproducible build verification system via third parties too.
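A minimal form of the pinned-key check the post above describes, as an added example that is not GrapheneOS, Obtainium or App Verifier code: it parses the APK Signing Block (v2 and v3 share the fields read here), hashes each signer's certificate and refuses the build unless every signer matches a developer fingerprint recorded out of band. It deliberately does not verify the signatures or the content digests; the Android installer does that, so this sits in front of the installer as a gate against a build signed by someone other than the developer (a repository's key, for instance), not as a replacement for signature verification. The tiny ZIP, the DER "certificates" and the helper that splices a signing block into it are constructed fixtures so the example runs offline; real input is the APK downloaded from the developer's release page plus a fingerprint taken from a build you already trust (for example the one `apksigner verify --print-certs` prints).

```python
"""Added example (not GrapheneOS/App Verifier code): pin an APK to its developer's
signing certificate by parsing the APK Signing Block (v2/v3); certificates only."""
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SIG_SCHEME_V2_ID = 0x7109871A
SIG_SCHEME_V3_ID = 0xF05368C0

def _uint32_prefixed(buf, pos):
    """Read one uint32-length-prefixed field at pos; return (field, next_pos)."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("<I", buf, pos)
    end = pos + 4 + n
    if end > len(buf):
        raise ValueError("length prefix exceeds buffer")
    return buf[pos + 4:end], end

def _sequence(buf):  # yield the uint32-length-prefixed elements of a sequence
    pos = 0
    while pos < len(buf):
        item, pos = _uint32_prefixed(buf, pos)
        yield item

def find_signing_block(apk):
    """ID -> value pairs of the APK Signing Block that precedes the central directory."""
    eocd = apk.rfind(b"PK\x05\x06")                       # end-of-central-directory
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("no ZIP end-of-central-directory record")
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block (unsigned or v1-only APK)")
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - size - 8                          # size excludes its own field
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pairs, pos, end = {}, start + 8, cd_offset - 24
    while pos < end:
        if end - pos < 12:
            raise ValueError("malformed ID-value pair")
        length, block_id = struct.unpack_from("<QI", apk, pos)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed ID-value pair")
        pairs[block_id] = apk[pos + 12:pos + 8 + length]
        pos += 8 + length
    return pairs

def signer_cert_fingerprints(apk):
    """SHA-256 hex of each signer's first certificate (v3 preferred over v2, as on Android)."""
    pairs = find_signing_block(apk)
    value = pairs.get(SIG_SCHEME_V3_ID) or pairs.get(SIG_SCHEME_V2_ID)
    if value is None:
        raise ValueError("no v2/v3 signature in APK Signing Block")
    signers, _ = _uint32_prefixed(value, 0)
    fingerprints = []
    for signer in _sequence(signers):         # signer -> signed data -> (digests, certs, ...)
        signed_data, _ = _uint32_prefixed(signer, 0)
        _digests, pos = _uint32_prefixed(signed_data, 0)
        certs, _ = _uint32_prefixed(signed_data, pos)
        cert = next(_sequence(certs), None)
        if cert is None:
            raise ValueError("signer carries no certificate")
        fingerprints.append(hashlib.sha256(cert).hexdigest())
    return fingerprints

def matches_pinned_key(apk, pinned_sha256_hex):
    """True only when every signer is the pinned developer certificate."""
    wanted = pinned_sha256_hex.replace(":", "").lower()
    fps = signer_cert_fingerprints(apk)
    return bool(fps) and all(fp == wanted for fp in fps)

# --- constructed fixture: a tiny ZIP with a v2 signing block spliced in ---
def _lp(b):
    return struct.pack("<I", len(b)) + b

def build_signing_block(pairs):
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16                              # pairs + trailing size + magic
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC

def insert_signing_block(zip_bytes, block):
    eocd = zip_bytes.rfind(b"PK\x05\x06")
    (cd_offset,) = struct.unpack_from("<I", zip_bytes, eocd + 16)
    out = bytearray(zip_bytes[:cd_offset] + block + zip_bytes[cd_offset:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))  # fix EOCD
    return bytes(out)

def make_sample_apk(cert_der):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")    # constructed, not real
    signed_data = _lp(b"") + _lp(_lp(cert_der)) + _lp(b"")   # digests, certs, attrs
    signer = _lp(signed_data) + _lp(b"") + _lp(b"")           # signed data, sigs, key
    return insert_signing_block(buf.getvalue(), build_signing_block([(SIG_SCHEME_V2_ID, _lp(_lp(signer)))]))

DEV_CERT = b"\x30\x82\x01\x00constructed stand-in for the developer's DER certificate"
DEV_FINGERPRINT = hashlib.sha256(DEV_CERT).hexdigest()       # recorded out of band
```

On a real file the call is `matches_pinned_key(open("app.apk", "rb").read(), "AB:CD:...")` with the colon-separated fingerprint apksigner prints. Key rotation via the v3 proof-of-rotation is not handled: after a rotation the check fails until the pin is updated, which is the conservative outcome for a tool whose purpose is to never trust a new key silently.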
-
@dalias @NebulaTide Play Store used to be a way to obtain developer builds of apps signed by the developers but has moved away from it and the code transparency system they provide isn't a complete solution to verifying what they generate and sign from the app bundles uploaded by developers.
For our own app repository, we don't want to build thousands of open source apps largely not aligned with our approach, especially without doing a pass updating dependencies and adding basic hardening.
-
@GrapheneOS @dalias @NebulaTide these days Google Play directly requires developers' private keys to repackage the app the way Google wants to.
-
@a1ba @GrapheneOS @NebulaTide That is horrifying and hard nope.
-
@dalias @GrapheneOS @NebulaTide fun fact, this reply federated to me only a month later. Why? Who knows!