n2gwtl The official F-Droid repository and Izzy's repository are highly untrustworthy sources of apps which should be avoided. F-Droid itself and the repository system have poor security. The official F-Droid repository has massive usability and security issues with how they do builds and signing. The issue brought up in this thread is pretty close to irrelevant with very little impact and has little to do with the real, severe problems with them.
F-Droid vulnerability allows bypassing certificate pinning
After this thread was posted, I thought back to why I've started to use F-Droid in the first place. F-Droid, and open source software in general, was never meant for security. The only security benefit of open source software per se is that the users are allowed to not depend on the software author's trustworthiness. Note that this is different from not depending on their trustworthiness, it's being allowed to not depend. One of the beneficial goals of F-Droid was also to gather open source apps that may not be entirely freedom-respecting, and either strip them of the freedom-disrespecting parts and/or mark them appropriately. This was supposed to be for the benefit of freedom, not for security. Furthermore, the idea that F-Droid should responsibly build and distribute the apps they offer, including enabling reproducible builds, is not supposed to be a security benefit of F-Droid, it's a basic responsibility that they willingly don't fulfill.
I like the idea that there's a catalog of freedom and privacy-respecting open source apps and that someone curates based on their quality and security, but while F-Droid does have some high-quality apps, they're neither curated as aforementioned, nor built and distributed responsibly.
There's also the argument that the fact that F-Droid signs the apps using their own keys adds an additional point of failure — I understand the argument but personally I might not have a problem trusting an additional party, if they were acting responsibly. F-Droid clearly doesn't. And the apps they sign themselves hijack the package name, which prevents the ability to have both the original version and the F-Droid version side-by-side, and prevents easily migrating data to leave the F-Droid versions of apps.
So can people please stop saying that they want F-Droid for better security?
@Artr Your assumptions are completely wrong and there's no need to post assumptions here in the first place. If it takes them half a year to notice WireGuard including a self-update system against their policies, what makes you think they're even looking at the release notes let alone at the actual code? It's simply not what they do. They are not actually reviewing the code in the way you think but rather are doing things based on half-baked scanning and user reports.
F-Droid is a highly untrustworthy group of people consistently involved in cover ups of vulnerabilities and attacks on security researchers including harassment. We advise against using it for even a single app. Get the apps directly from the developers instead and you're avoiding trusting highly untrustworthy people as a middleman who are consistently doing the opposite of protecting you. They aren't going to protect you from a compromise where hidden malicious code is included in practice unless the people doing it completely lack any attempt at stealth which would include them doing similar scans themselves to make sure it's not going to get flagged.
n2gwtl We've been clear the official F-Droid repository is not a trustworthy source of apps and that F-Droid is not a secure or recommended way to obtain apps in general. Apps which are serious about security should provide a better way of obtaining and updating their app such as including a self-update system in the app.
GrapheneOS If this was a reply to my post, I withdraw my assumption. It was based on the timing of the first published article and its eventual discussion in Hacker News. After this, F-Droid published the basic version of the client with fewer privileges as a fix to the lower-hanging fruits of the complaints about their security practices. It does not necessarily mean the first article caused the changes. I only (as you corrected) wrongly assumed the chain of events. Despite this, a distribution system that can be compromised easily is not an option.
As for the goals, they have nothing to do with the team or the project; the goals, objectively, are deemed necessary, and (unfortunately) there are no alternatives that can deliver those objectives right now. The most unfortunate, however, is that this topic of discussion has been around for over 3 years and is directed at the people rather than solutions.
I can see how some of their community members' replies target a person and offend them in their blog posts. I hope the discussion here can be more about how an ideal replacement would operate if it were to stick to the above mentioned goals.
A direct APK distribution system is not a replacement.
A distribution system which controls developer keys is not a replacement.
A distribution system that can selectively update apps and libraries of a particular device without user knowledge is not a replacement.
Instead of enumerating the badness of a particular project or the team members, the discussion could be about the goals of an alternative project, which will probably be more helpful in redirecting resources towards better projects.
Artn The basic client was released much earlier and didn't address security issues beyond updating the target API level.
A distribution system which controls developer keys is not a replacement.
It's possible to require multiple signatures, which is an approach we plan on offering as an optional feature for GrapheneOS updates eventually.
GrapheneOS I think what's needed is a consortium of the big players in privacy and security - GrapheneOS, signal, simplex, proton, tuta, Mozilla, etc - to come to agreements on what is important for the industry and to release a white paper and certification on best practices. And for the consortium to get behind projects critical for supply chain security and privacy (such as accrescent app store) to finally complete the whole pipeline for the community. It would also help to balance against the Play Integrity API and other issues.
n2gwtl Tuta posts a lot of nonsense in their social media, blog, etc. Mozilla does not take security seriously at all and laid off a huge portion of their security people. Neither of those are a good fit for working with us.
- Edited
Watermelon So can people please stop saying that they want F-Droid for better security?
Some people like to think of security and privacy and freedom as three distinct categories, and on the surface it may seem to make a lot of sense. But in practice, they are intertwined. Many on this forum has said one cannot have privacy without security, as if the app one use is not secure and can be hacked, one simply does not have any privacy either, no matter how privacy respecting the app was designed to be. I have argued the opposite holds too, that one cannot have security without privacy, as if your privacy is compromised, your personal security is also compromised.
This really applies to the freedom aspect as well. The probably most politically relevant example right now is in case end-to-end encryption would be outlawed, or client side scanning would be mandated by law. If you don't have freedom, you would lose end-to-end encryption or be forced to have government scan all your private files and messages. Then you no longer have any privacy at all, either, and thus no personal security. But freedom will allow you to modify your system, and re-enable end-to-end encryption and remove client side scanning.
And telemetry and how Apple and stock Google devices have zero privacy is often discussed, and is a major sales point for GrapheneOS. Yet, Linux also have telemetry by default, but it can be easily disabled, by simply uninstalling the telemetry components. Freedom guarantees that. It does seem freedom is necessary for privacy, and privacy is necessary for personal security. It is all intertwined.
I use F-Droid, because I cannot afford having that freedom taken away from me in my threat model. I am an activist for the rights of the oppressed minority I belong to, and loss of freedom and thus privacy and thus personal security would mean I get silenced.
I wished there was an app repository that took all of security, privacy and freedom seriously though.
ryrona I wished there was an app repository that took all of security, privacy and freedom seriously though.
I've heard that Accrescent is planning to label and add the ability to filter open source apps. So that might be the closest alternative.
Watermelon I've heard that Accrescent is planning to label and add the ability to filter open source apps. So that might be the closest alternative.
They won't start building the apps themselves though, but will just trust the uploader the same as if it was a proprietary app. So not really.
ryrona They won't start building the apps themselves though, but will just trust the uploader
I think it's only an issue for this usecase:
Watermelon One of the beneficial goals of F-Droid was also to gather open source apps that may not be entirely freedom-respecting, and either strip them of the freedom-disrespecting parts and/or mark them appropriately.
For high quality open source apps I believe it shouldn't be needed.
- Edited
Watermelon For high quality open source apps I believe it shouldn't be needed.
Unless the app developer is issued with a gag order, as discussed in multiple threads here lately. Also, some reputable open source projects adds things the users' don't want. Organic Maps added an affiliate link (advertisement for a third-party service) to their app, despite being a reputable open source app. F-Droid detected and stopped this and forced them to remove it. And Firefox is a reputable open source web browser that at this point allegedly has very privacy invasive telemetry in their official builds, at least for desktop computers. This is being patched out by basically all Linux app repositories that include Firefox.