Feature Suggestion | Create section for F-Droid, recommend reproducible builds #1800

Open
opened 2020-03-26 13:06:40 +00:00 by dngray · 19 comments
dngray commented 2020-03-26 13:06:40 +00:00 (Migrated from github.com)

We should create a section mentioning F-Droid, why it should be used etc. Some links we should use:

- https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html
- https://f-droid.org/en/docs/Reproducible_Builds/
- https://en.wikipedia.org/wiki/Reproducible_builds

The section should also recommend https://gitlab.com/AuroraOSS/AuroraStore if Google Play apps are required.

Closes: https://github.com/privacytoolsIO/privacytools.io/issues/1577
Closes: https://github.com/privacytoolsIO/privacytools.io/issues/338
Closes: https://github.com/privacytoolsIO/privacytools.io/issues/1201
Closes: https://github.com/privacytoolsIO/privacytools.io/issues/874
Closes: https://github.com/privacytoolsIO/privacytools.io/issues/1248
Fixes: https://github.com/privacytoolsIO/privacytools.io/pull/1575
Fixes: https://github.com/privacytools/privacytools.io/issues/1956

dngray commented 2020-03-26 15:29:21 +00:00 (Migrated from github.com)

We could also have a summary list of the other Android apps we recommend, with a link to F-Droid as well as a handful of open source alternatives that people might like. E.g. a fitness app, [sound recorder](https://f-droid.org/en/packages/com.github.axet.audiorecorder/), [calendar](https://f-droid.org/en/packages/ws.xsoh.etar/), [camera](https://f-droid.org/en/packages/net.sourceforge.opencamera), [notepad](https://f-droid.org/en/packages/net.gsantner.markor) etc.

The requirements would have to be that it is maintained, in F-Droid and meets decent QA usage.

dngray commented 2020-03-26 15:33:20 +00:00 (Migrated from github.com)

I'm also thinking it would have 3 headings:

- F-Droid, why we recommend it
- Some apps in F-Droid that we recommend
  - (something like the browser extension layout)
- Finally mention Aurora Store if the app is only in Google Play

Yes, this page would be specific to Android, and no iOS equivalent would exist. The fact of the matter is that iOS is a proprietary platform, and most of the apps in AppStore are not open source, let alone reproducible.

IzzySoft commented 2020-03-26 20:59:20 +00:00 (Migrated from github.com)

As for the issue just referenced and closed: [My app listings](https://android.izzysoft.de/applists) help in choosing privacy-friendly apps:

- focus on those marked with a ⭐ and those with an F-Droid icon – as those come without (known) trackers
- avoid those with "monitor icons" as they are tracking you
- easier to find what you are after, as everything is grouped by (multi-level) categories

and more – like links to reviews, guides…

dngray commented 2020-03-27 01:53:07 +00:00 (Migrated from github.com)

We may use it for *some* inspiration, but we won't be using the actual site itself, and this shortlist certainly won't be an exhaustive "all apps for everything" list.

There will indeed be some areas where we do not offer a recommendation.

Each application will require:

  1. source to be checked
  2. be maintained
  3. be not of alpha/beta quality, i.e. mostly complete, not crashing
  4. available in official F-Droid repositories where it can be verified with a third party [verification server](https://f-droid.org/ru/docs/Verification_Server/)
  5. not rely on proprietary GAPPS, e.g. [FCM](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging)/[GCM](https://en.wikipedia.org/wiki/Google_Cloud_Messaging); some apps will crash if that is not present.

beerisgood commented 2020-03-27 07:33:33 +00:00 (Migrated from github.com)

Don't forget AuroraDroid, which is an F-Droid replacement from the AuroraStore guys and is more stable than F-Droid.

IzzySoft commented 2020-03-27 07:39:24 +00:00 (Migrated from github.com)

Ah, OK – so you're going pretty strict, which is a good thing. Besides: item 4 automatically implies item 5 – as proprietary components are not accepted by F-Droid. Especially GCM/FCM was a stumbling block for many apps in the past (as it seems nowadays even toilet paper cannot do without that) – either they managed to create a flavor coming without GCM/FCM, or they were not accepted. Other apps are no longer updated because they've added such crap.

Item 4 also implies item 1, as F-Droid builds from source. For that, the source is checked multiple ways. Thanks for your "general description" in item 4 btw; this currently would match f-droid.org and the Guardian repo, but there might be more in the future.

dngray commented 2020-03-27 07:49:12 +00:00 (Migrated from github.com)

Basically the reason for being so strict is because otherwise there isn't much point in bothering at all if we allow anything/everything.

There's really not much strength gained by using F-Droid unless you're making use of build verification. In fact I'd argue that repositories third party to Google are probably less secure if not verified.

We also don't want it to become an exhaustive list of "all the apps in the world", just a few alternatives that don't really fit in elsewhere, in addition to having things that we recommend already on various pages.

There are also particular areas that we won't be including, such as things which really can be done in the web browser without an app. Eg. you really don't need a weather app, when a bookmark in a web browser will be just as good.

The more apps people install, the more code that must be trusted, and thus audited. We do not want to encourage the "app for everything" ideology.

blacklight447 commented 2020-03-27 07:51:08 +00:00 (Migrated from github.com)

@beerisgood why would fdroid need a replacement though?

dngray commented 2020-03-27 07:54:57 +00:00 (Migrated from github.com)

I am inclined to try out [AuroraDroid](https://gitlab.com/AuroraOSS/auroradroid) especially if it provides a more stable experience.

However I don't like the idea of it having repositories with proprietary apps only a single tap away.

F-Droid is pretty good, but would we miss anything if we recommended AuroraDroid?

The original plan was to mention Aurora Store as a last resort, not a first-stop.

> AuroraDroid is still in a development phase right now; Only infrequent, stable builds will be uploaded there. F-Droid's review & build process is also quite lengthy.

I think for the time being we'll only recommend the F-Droid app.

beerisgood commented 2020-03-27 08:05:31 +00:00 (Migrated from github.com)

> @beerisgood why would fdroid need a replacement though?

Because it has a lot of problems with search and installing updates in the background. Even with the privileged stuff installed.

Also from the [AuroraDroid page](https://gitlab.com/AuroraOSS/auroradroid#frequently-asked-questions):

> What is the difference between AuroraDroid and the official FDroid client?
>
> > It isn't a buggy mess. Of course, along with the download manager, transparent downloads and MD2 design.

blacklight447 commented 2020-03-27 08:12:57 +00:00 (Migrated from github.com)

It works perfectly fine here?

beerisgood commented 2020-03-27 08:54:40 +00:00 (Migrated from github.com)

> It works perfectly fine here?

Are you sure? On every device I see, it doesn't.
From automatic installs in the background to simple automatic checks for updates. No matter which network or Android version or device.

For example, on one device here with Android 9 it doesn't update nor check for updates for a week. And this with the privileged stuff installed. This isn't how it should work.

IzzySoft commented 2020-03-27 09:18:04 +00:00 (Migrated from github.com)

@beerisgood This issue was introduced by Oreo (Android 8) – I do not have it on the one device still running Nougat (Android 7; but yes, confirmed on Oreo and up). The client needs the `FOREGROUND_SERVICE` on Oreo & higher to not be "cancelled" by Android. The issue is known to the client team, and being worked on. Admittedly, that takes a bit too long for my feeling as well…

beerisgood commented 2020-03-27 09:35:00 +00:00 (Migrated from github.com)

> @beerisgood This issue was introduced by Oreo (Android 8) – I do not have it on the one device still running Nougat (Android 7; but yes, confirmed on Oreo and up). The client needs the `FOREGROUND_SERVICE` on Oreo & higher to not be "cancelled" by Android. The issue is known to the client team, and being worked on. Admittedly, that takes a bit too long for my feeling as well…

This. We've already had Android 10 since fall last year and Android 11 is coming.
I wonder why implementing this is so hard and why AuroraDroid gets it but not F-Droid.

Also F-Droid hosts a lot of old and insecure apps (some are 6+ years old). And also the updates are provided very, very slowly.
Thanks to you, @IzzySoft, I got for example FairEmail updates daily! Not possible with native F-Droid.
This is a mess.

IzzySoft commented 2020-03-27 09:46:39 +00:00 (Migrated from github.com)

@beerisgood we're getting slightly OT here, but short on the points: I fully agree on the client being a problem solved too late (who wouldn't). Standard apology: team is lacking resources (no bashing here, but I agree this takes far too long – without blaming anyone).

Old apps: you can always suggest having them moved to archive. "Old" alone is no argument for that – insecure is. And glad I was able to help – though my repo certainly won't be recommended by PTIO (not even partly) as it e.g. doesn't meet point 4 (verification server support).

blacklight447 commented 2020-03-27 10:27:52 +00:00 (Migrated from github.com)

@dngray why use some weird third party app if we've got a good looking, perfectly working first party app with a years-long trusted reputation?

dngray commented 2020-03-27 13:05:10 +00:00 (Migrated from github.com)

> @dngray why use some weird third party app if we've got a good looking, perfectly working first party app with a years-long trusted reputation?

This is the point. I'm reluctant to suggest something which is not as mainstream as the F-Droid application. At least not to begin with.

> @beerisgood This issue was introduced by Oreo (Android 8) – I do not have it on the one device still running Nougat (Android 7; but yes, confirmed on Oreo and up). The client needs the `FOREGROUND_SERVICE` on Oreo & higher to not be "cancelled" by Android. The issue is known to the client team, and being worked on. Admittedly, that takes a bit too long for my feeling as well…

I have to admit I also only have LineageOS 16 and a Graphene device on hand, i.e. Android 9/10.

> Also F-Droid hosts a lot of old and insecure apps (some are 6+ years old). And also the updates are provided very, very slowly.

Those apps won't be subject to the list. This list will be a very short list as everything must be well maintained. We will be auditing what gets added so we won't be adding a huge number of things.

lynn-stephenson commented 2020-07-20 01:12:59 +00:00 (Migrated from github.com)

@IzzySoft Do you know if F-Droid supports APK v2 signing?

IzzySoft commented 2020-07-20 07:05:51 +00:00 (Migrated from github.com)


@lynn-stephenson it supports v2 signatures (so does my repo). But it looks like it always signs v1 only, no idea why. You could raise that question in the corresponding issue tracker (most likely fdroidserver) or on IRC.
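
A check related to the v1/v2 signing question in the two comments above, added here as an example and not code from F-Droid, fdroidserver or any participant in the thread: it reports which APK signature schemes a file carries, by looking for v1 (JAR) signature files under `META-INF/` and for the v2/v3 IDs in the APK Signing Block that sits before the ZIP central directory. The names `signature_schemes` and `build_sample_apk` are hypothetical, and the sample APK is constructed in memory with placeholder signature data.

```python
import io
import struct
import zipfile

APK_SIG_MAGIC = b"APK Sig Block 42"           # trailer of the APK Signing Block
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}
EOCD_SIG = b"PK\x05\x06"                      # ZIP end-of-central-directory record


def signature_schemes(apk: bytes) -> set:
    """Report which signature schemes are present. Presence only, nothing is verified."""
    schemes = set()
    # v1 (JAR signing): signature block files are ordinary entries under META-INF/.
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name in (n.upper() for n in zf.namelist()):
            if name.startswith("META-INF/") and name.endswith((".RSA", ".DSA", ".EC")):
                schemes.add("v1")
    # v2/v3: an APK Signing Block sits directly before the ZIP central directory.
    eocd = apk.rfind(EOCD_SIG)                # assumes no ZIP64 and no odd archive comment
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != APK_SIG_MAGIC:
        return schemes
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("malformed APK Signing Block")
    pos, end = start + 8, cd_offset - 24      # region holding the ID-value pairs
    while pos + 12 <= end:
        length, pair_id = struct.unpack_from("<QI", apk, pos)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed ID-value pair")
        if pair_id in SCHEME_IDS:
            schemes.add(SCHEME_IDS[pair_id])
        pos += 8 + length
    return schemes


def build_sample_apk(pair_ids=(), v1=False) -> bytes:
    """Constructed input: a tiny ZIP, optional v1 entry, optional fake signing block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"constructed")
        if v1:
            zf.writestr("META-INF/CERT.RSA", b"constructed")
    apk = buf.getvalue()
    if not pair_ids:
        return apk
    eocd = apk.rfind(EOCD_SIG)
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    # Each pair: uint64 length, uint32 ID, then 8 placeholder value bytes.
    pairs = b"".join(struct.pack("<QI", 12, i) + b"\0" * 8 for i in pair_ids)
    size = len(pairs) + 24                    # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_MAGIC
    new_eocd = bytearray(apk[eocd:])
    struct.pack_into("<I", new_eocd, 16, cd_offset + len(block))  # CD moved back
    return apk[:cd_offset] + block + apk[cd_offset:eocd] + bytes(new_eocd)
```

A result of `{"v1"}` corresponds to the "signs v1 only" case mentioned above; confirming that a signature is actually valid still requires a real verifier.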
Reference: privacyguides/privacytools.io#1800