Since I've been running #GrapheneOS, I learn new things every day. What alarms me somewhat are reports of security flaws in #Fdroid - especially in the official client, but also in more modern ones like #Droidify, due to the underlying architecture. The attached article is my main source on this.
@jr Thanks again for the further context and the article. I'll gladly read through it! For a start, it's also good to hear that work is being done to make F-Droid more secure. You can't see that from the outside, and if you only follow certain sources, you get the impression that the whole community is rigidly fixed on the current model and doesn't want to change anything.
@davevader F-Droid is anything but rigid, we definitely want to change a lot, but there's often just a lack of manpower, and so things sometimes move forward only quite slowly...
It would be cool if #FDroid took the opposite approach to Google Play App Signing, by using their build system to create a code transparency key that developers could then bundle with their app, and then developers could in turn sign that bundle with their own signing key.
That way F-Droid could distribute apps that they’ve verified reproducible builds for (and check the CT signature in the F-Droid app), without having to sign the app with their own key—a common complaint about the default F-Droid repo.
@jonah and we encourage new app inclusions nowadays, to use reproducible builds, but we do not require it, as it's quite an additional burden for the upstream too and also there are some upstreams that do not even want to do their own signing stuff...
#WireGuard becomes the first VPN app on #FDroid to be built reproducibly! This means that WireGuard on F-Droid is now guaranteed to be 100% (bit-by-bit) equal to the WireGuard the developer builds.
If you're using WireGuard from F-Droid, please export your tunnels and re-install to switch to the developer's signature and continue receiving updates.
I can recommend installing #AirGuard app for #Android to detect #AirTags that might be tracking you. Having it installed for months it suddenly alarmed me today when walking with a group. #FreeSoftware and available on #Fdroid
Currently, the developer of this wonderful #opensource #keyboard app has no time to develop it. This is why I want to highlight that we need to support him with donations to help him get more time to work on the app and bring updates whenever we need them. #foss #floss #fdroid #florisboard
Do you sometimes just want one tool from the #AndroidSDK in a container or VM, and don't want to deal with the whole pain of setting up #Java and everything? Try the #FDroid sdkmanager instead of the official one. For example, apt-get install sdkmanager then sdkmanager platform-tools. Plus this verifies all packages using apt-get style GPG-signed index with SHA256 values. Useful in #research on #Android #malware #tracking etc. In pypi, Debian, Ubuntu, and https://gitlab.com/fdroid/sdkmanager/
Special shout-out to @shiftphones thanks for supporting our team! If you haven't heard of #ShiftPhone, you might want to take notes. They build #sustainable electronics and also deliver their own #FOSS #android blend called #ShiftOSL, which comes with #FDroid preinstalled.
Some years ago I made this android live wallpaper, I'm still using it today. It's free, open source and quite lightweight (should not drain your battery). Pick it up if you want ;)
Payment permission is just a donation library I included, nothing else.
Have you heard about #ReproducibleBuilds? This is one of the biggest #security benefits of #FOSS. On #Android, this technique ensures that the #FDroid version of an app exactly matches the developer's version.