5 days later

treequell existing Play Store alternatives are fatally flawed.

How so?

I don't really understand the logic to implement Accrescent either - yes it's good to have a chain of trust from the OS to other apps, but helpful is it if there's only like ten of those other apps in total?

Why not have F-Droid in the Graphene App Store? It's massively well-established, mature in its own app development, and trusted by millions. (If the security issue is that users can add 3rd-party repos, well, that's a user decision just like using Play Store, isn't it? What is F-Droid's "fatal flaw"?)

    lberrymage It's assumed that users will use system navigation (i.e. gesture or 3-button navigation) to navigate backward through the app, which is why there's no back button. We can reconsider this, but it is currently possible to navigate backward through the app.

    I also vote to implement an in-app back button, for clearer navigation. If your repo has an issue open for this I'd be happy to comment there too. My experience, as a "digital native" and very tech savvy, is that lacking back buttons leads to confusion about where one currently is in relation to the rest of the app. I've used several apps that use your approach, like Neo Store and SystemUI Tuner, and in all of them I frequently exit the app accidentally because I thought the OS back gesture will take me to the previous screen in the app.

    hemlockiv [how] helpful is it if there's only like ten of those other apps in total?

    The Accrescent devs are deliberately limiting the number of apps while they build a scalable infrastructure, and add the features expected of an app store. They obviously expect to have far more apps in the future.

    hemlockiv Why not have F-Droid in the Graphene App Store?

    1) F-Droid signs most apps themselves, so you are trusting them in addition to the app developers

    2) F-Droid has a history of sketchy behavior

    I do not speak for the GrapheneOS team, but based on past comments, I think they would discourage people from using F-Droid for apps that can be obtained from elsewhere.

      Probably9857 They obviously expect to have far more apps in the future.

      Sure. It just seems weird that GOS, typically a very polished project, would push something in its alpha. And the apks that ARE included feel arbitrary. Why Clipious but not NewPipe, which is more mature and stable? Why Transcribro but not Futo Voice, which is more reliable? How many users need a chess clock?

      Probably9857 1) F-Droid signs most apps themselves, so you are trusting them in addition to the app developers

      Yes, they build and sign apps so there's one root of trust instead of dozens. The entire process is open-source. Beyond that, it's exactly the same trustworthiness of installing ANY precompiled apk. Unless you're building from source, you always have to trust that the apk's code hasn't been modified.

      Probably9857 2) F-Droid has a history of sketchy behavior

      Such as...?

        hemlockiv It just seems weird that GOS, typically a very polished project, would push something in its alpha.

        My sense is that Accrescent is doing a soft launch, but that the GrapheneOS developers believe that their app vetting and security processes are good enough that what is available should be trustworthy. I don't think the GrapheneOS project is "pushing" Accrescent, any more than they are "pushing" Android Auto or Markup.

        hemlockiv And the apks that ARE included feel arbitrary. Why Clipious but not NewPipe, which is more mature and stable? Why Transcribro but not Futo Voice, which is more reliable?

        From the outside it's hard to say. Are the NewPipe and FUTO Voice authors willing to have their apps vetted? Do those apps depend on features that Accrescent doesn't support yet? Asking the app authors and/or the Accrescent authors might be productive.

        hemlockiv Such as...?

        In addition to the links from @de0u...

        See https://privsec.dev/posts/android/f-droid-security-issues/ for a good compilation of the issues (some of which may have been addressed by now, but I suspect most have not).

        Regarding sketchy behavior aside from poor security practices, see the Meta section at the end:

        https://privsec.dev/posts/android/f-droid-security-issues/#meta

        ...the release of this article has unfortunately triggered a mostly negative response from the F-Droid team and some of their community, who seem to take a dismissive stance toward this article rather than bringing relevant counterpoints. Some of these individuals go as far as engaging in harassment campaigns against projects and security researchers that do not share their views;

        hemlockiv Yes, they build and sign apps so there's one root of trust instead of dozens.

        That is the wrong conclusion. You're still trusting the developers. F-Droid themselves acknowledges this.

        The fact that they build and sign does 2 things:

        1. It introduces an additional trusted party.

        2. It makes it impossible to verify that the app you're installing wasn't modified from what the developer provided, or that it even came from the developer at all.

        You're putting a lot of trust in F-Droid, but that does not substantially reduce the trust you're also putting in the app developers.

        hemlockiv Beyond that, it's exactly the same trustworthiness of installing ANY precompiled apk

        No, because with Accrescent, or downloading from GitHub, or from the developer's website, the APKs are signed by the developers. So you know they are coming directly from the dev, and no third party has tampered with the APK.

          Probably9857 you know they are coming directly from the dev, and no third party has tampered with the APK.

          This doesnt preclude the possibility that the dev deliberately published safe source code then compiled malicious code, unless the apk release is also published via a github workflow. I admit, this may be an unlikelyunlikely scenario, but a possible one.

          Thanks for the informative links about F-Droid!

            Probably9857 No, because with Accrescent, or downloading from GitHub, or from the developer's website, the APKs are signed by the developers. So you know they are coming directly from the dev, and no third party has tampered with the APK.

            No third party, except for maybe Bruce Schneier (source).

            hemlockiv

            hemlockiv This doesnt preclude the possibility that the dev deliberately published safe source code then compiled malicious code

            True. Reproducible builds would address this, but its more work for devs, and few seem to think its worth the effort.

            Even then, it's not that difficult to obfuscate malicious code, so...

            In practice, its difficult to avoid trusting the devs of the software you use.

              Probably9857 Yeah, and from what you're saying it sounds like the Accrescent maintainers are going to do a better job of vetting source code than F-Droid, which doesnt do it as much as I had previously believed

              hemlockiv This doesnt preclude the possibility that the dev deliberately published safe source code then compiled malicious code, unless the apk release is also published via a github workflow. I admit, this may be an unlikelyunlikely scenario, but a possible one.

              Maybe rethink the word "deliberately". Their infrastructure might be compromised and they will be unknowingly compiling malicious code. Which seems much more likely!

                Hb1hf not sure I follow what sort of compromised infrastructure could lead to that result. You mean someone's personal git repo being hacked? If we are now considering a threat model that includes trusted devs unknowingly compiling malicious code not included in their open source code, then we're back to square one of "never install any apk you didn't audit and compile yourself"

                I think if the app developer gets hacked we are lost anyway.

                hemlockiv offtopic, but could you explain why Transcribro is less reliable than Futo Voice? I'm the lead developer of Transcribro, I'd just like to know what reliability bugs you found so I can fix them. If you can, please report it to Transcribro's GitHub issue tracker (https://github.com/soupslurpr/Transcribro/issues) but I understand if you don't have an account. Please let me know, thanks.

                  soupslurpr Hi ! are there any plans to add other languages such as French to the text-to-speech ? I remember the last time I used it, it only supported English, thanks !

                  Edit : I read the topic on Github, this seems like good news.

                  LazyT Why should it? IIRC the idea for it was to be a secure Play Store alternative. It's even called "App Store" now, not just "Apps." I hope they keep adding more quality apps.