• TropicalDingdong@lemmy.world
    link
    fedilink
    arrow-up
    39
    ·
    1 year ago

    Seems like a good thing. I download and install things from Fdroid all the time and I assure you, I have no clue what I’m doing.

    • LUHG@lemmy.world
      link
      fedilink
      arrow-up
      8
      ·
      1 year ago

      Could do with knowing if the app is actively maintained instead of looking to see when it was last updated.

  • cron@feddit.de
    link
    fedilink
    arrow-up
    23
    ·
    1 year ago

    This is a good thing and an interesting read, especially for developers and security-focused users.

    • incogtino@lemmy.zip
      link
      fedilink
      English
      arrow-up
      28
      ·
      1 year ago

      F-Droid used to build and sign the APK for each app they distribute using keys owned by F-Droid

      That meant you had to trust F-Droid to distribute the app as per the source, and hope that the source hadn’t been compromised (as the developer wasn’t signing anything)

      Now when a new app is added to the repo, they build an APK from source and compare it with an APK distributed by the developer

      If they match exactly (and if there is no reason to think the developer key has been compromised) then F-Droid will instead distribute APKs signed with the developer key, and verify that the same key was used for each update

      If the same key was used, F-Droid doesn’t need to build the APK themselves but can distribute the update as-is

      The advantages then are that F-Droid is acting as an additional layer of security and assurance to the developer signing the APK, and updates can be distributed faster as F-Droid doesn’t have to build them

        • incogtino@lemmy.zip
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          Yes, that video is primarily complaining about F-Droid self-signing, and that it creates: a requirement to trust them; a single point of failure for security; and slows updates

          The trade off is that developers must maintain their key, if they lose it the user must uninstall and reinstall the app, as Android will not trust an update signed with a different key

          • Nakres@lemmy.one
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            What alternative does the video promote? Trusting Google and the Playstore? Trusting each dev of every app to deliver apks which match the code? I don’t want to give the video more clicks if it’s scaring away people from F-droid towards worse alternatives.

            • incogtino@lemmy.zip
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              No need to click, it complains about exactly what has now been changed. In essence you are always trusting the dev, why add other parties to that chain

              • Nakres@lemmy.one
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                Wrong, if you are using F-droid, you aren’t trusting the dev, you are trusting F-droid and the source code, the dev CAN NOT give you an app that doesn’t match the code, and the code can be seen and reviewed by anyone.

  • zwekihoyy
    link
    fedilink
    arrow-up
    3
    arrow-down
    1
    ·
    1 year ago

    good. this is the only reason I’ve recommended people avoid fdroid. would be useful to fix that