Is Accrescent dying?

FlavoredScrabble

Their repository has only a few commits in the past 3 months from the developer. The rest of the activity comes from automated dependency updates. Why isn't Accrescent being more actively maintained? It's a very important piece of software, so it seems like there should be more activity.

matchboxbananasynergy

FlavoredScrabble It isn't dying. Lberrymage is working on Accrescent in his free time at the moment. There's a lot of ongoing work.

You can find an answer by Lberrymage here:

https://github.com/accrescent/accrescent/issues/667

I'm sure that he would love to work on it more and deliver changes faster, but the project doesn't currently get enough funding so that he could work on it full time.

The project does accept donations: https://accrescent.app/donate

lberrymage

FlavoredScrabble In addition to what was said in by @matchboxbananasynergy in matchboxbananasynergy, the repository you're referencing is only one of about 10 actively maintained repositories under the Accrescent project, of which a few are currently private. Most active development over the past many months has occurred in these private repositories, so the changes aren't yet visible. The plan is to publish them once the components they contain are ready for deployment.

The project isn't dying and is still actively maintained. However, as already stated, I'm only able to work on Accrescent in my free time, so that's why development isn't as active as would be preferable.

proclaim

I just ignore it, and prefer to use obtainium and g. play . The idea is good but the app repo has only five apps , and for me is not worth to trust in other source just for the minimal apps that provide. Also I don't like it because is not given almost any info about the apps, compared to other sources like F-droid/G.Play has examples.

TrustExecutor

The developer is active on Matrix:
https://matrix.to/#/#accrescent:matrix.org

I use it for the apps that are available, maybe 4-5. I think the experience is great! Very important project.

area51

I think the ethics behind a crescent are good, but its something I don't use nor want and would prefer to be able to remove it in all honesty, including android auto G@@gle playstore, services and mark up.

fid02

area51 I think the ethics behind a crescent are good, but its something I don't use nor want and would prefer to be able to remove it in all honesty, including android auto G@@gle playstore, services and mark up.

Those apps are not installed by default, so you must have installed them manually.

area51

area51 I don't have them installed, I never had and I never will, they are listed in the GrapheneOS app store. Every now and again they get updated, they are useless to me and would prefer to be able to remove them from the app store listing altogether.

Stewart

I've been looking forward to a serious alternative to the Play Store in terms of security and privacy for a long time, and Accrescent seems to be the alternative that many people have been waiting for. F-Droid is insecure and limited in terms of choice, Aurora Store is insecure and Obtainium is secure but limited, Accrescent is supposed to be the middle ground.
It's a pity that Accrescent is taking so long to develop and isn't opening up its application to application developers to give them much more choice, at the moment it's far too limited and almost 'useless'.

n3t_admin

Stewart Obtainium is secure but limited

How is Obtainium secure exactly?

GrouchyGrape

area51 why do you care if they're in the app store if you don't install them? That's not making any sense

Stewart

n3t_admin We download applications from the developers' official Github and Gitlab repositories, which I think is secure.

n3t_admin

Stewart sorry, but saying "Aurora is insecure and Obtainium is secure" is just plain wrong. Obtainium has pretty much every single security problem/issue of Aurora - but on steroids.
Sometimes things like updates will break if the repo URL changes. There are exactly 0 signature checks on first install. No auto-updates. Issue of trusting that Github credentials/keys weren't leaked and so much more.
"I think" is not a good argument in this case.

Stewart

n3t_admin I'm only giving my opinion on the different stores compared to Accrescent and what I expect from the latter in terms of security, privacy and convenience compared to the other stores.
Assuming that I always go through the developer's official site to access the repository, for me it's still a secure option, especially when some applications like Bitwarden receive updates via the Play Store even after installation via Obtainium, for example.

Pavestone2734

n3t_admin Obtainium has pretty much every single security problem/issue of Aurora - but on steroids.

That is a very bold claim which I don't think your following points support.

n3t_admin There are exactly 0 signature checks on first install

There are not much application checks done on Play Store either. At the end of the day you install almost the same app from Play Store as you would do With Obtainium. You can check the hash of the app on GitHub, you can also compare apk sign hashes to peers or App Verifier database. You need to trust the developer on some level. There is a reason there is still malware on the Play Store. With GitHub the advantage is that you can build the app yourself even reproducibly and verify it yourself with the source code if you really want to.

n3t_admin No auto-updates.

There are auto updates on Obtainium. Admittedly there are some apps which don't always receive proper updates if there are multiple .apk versions but you can filter those out with regex.

n3t_admin Issue of trusting that Github credentials/keys weren't leaked

Developer keys are required to sign builds. Also Play Store keys can leak just as well.

n3t_admin and so much more

Please humor us

The most secure way to obtain Play apps is from the Play Store. Aurora is considered less secure (and might I add less stable) albeit more private in an obscurity way. Whether Obtainium is more or less secure compared to Play Store is up for technical debate, but your claim of it being highly insecure is not true in my opinion.

n3t_admin fair enough, what makes Aurora insecure then

Compared to Play Store, 3rd party account setup, not up to date android frameworks/permissions, trusting another party beyond Google, are the most commonly brought up issues more of which were discussed in other threads before.

raccoondad

n3t_admin "There are exactly 0 signature checks on first install."

I mean, technically, APKverifyer is called if you have it pre installed, so there's one (manual) check.

n3t_admin

Stewart fair enough, what makes Aurora insecure then?

Stewart

n3t_admin I've got nothing against Aurora, I find it a very useful application, but I've read that there are problems with signing and verification, so I haven't really dug any further.

n3t_admin

Pavestone2734 Whether Obtainium is more or less secure compared to Play Store is up for technical debate

it really isn't. Obtainium has exactly nothing going for security. You are trusting as many parties as there are apps installed through Obtainium. Every single repo has to be legitimate. If you add a malicious repo (for example by copying a fake link), you have now installed malware and you have no idea unless you check signatures. It is extremely easy to social engineer potential victims into that.

Auto-updates on Obtainium are unreliable, need special criteria to even work in the first place and are not something I would call "auto-updates" because of that. See this issue, among many others in their issue tracker.

Obtainium offers nothing beyond manual side loading. You'd probably be better off by just getting update notifications through an RSS feed and installing apps manually from Github.

Pavestone2734 You can check the hash of the app on GitHub, you can also compare apk sign hashes to peers or App Verifier database. You need to trust the developer on some level. There is a reason there is still malware on the Play Store. With GitHub the advantage is that you can build the app yourself even reproducibly and verify it yourself with the source code if you really want to.

Well, here's the problem: uploading a completely different APK on a breached Github account is really easy. The problematic part here, is that Obtainium relies on plain old regex to find packages (and thus updates) instead of certificates or signatures. How does reproducibility matter here? As an average Joe you are hardly gonna update your apps through Obtainium when you would build them (assuming you can recreate the build environment, good luck with that).

I really don't see why people cling to Obtainium like it's some holy piece of software, when it's just a glorified download manager.

raccoondad

Pavestone2734 Developer keys are required to sign builds. Also Play Store keys can leak just as well.

He's referring to githubs certs and their keys for SSL. Which has another issue, which is that bad CAs could maliciously sign a bad cert.

This is why play store uses certificate pinning.

This is also why Obtainium called APK Verifier, but you would need to know the signing key ahead of time.