So I’ve been in the rabbit hole of android privacy for some time, last I joined the GrapheneOS community but let’s just say that they doesn’t have a “healthy” opinion about other projects like f-droid.

So I am looking for generic communities that focus on mobile privacy that doesn’t have drama or toxicity or “extreme opinions”. Any suggestions? I prefer chat based communities like matrix or simplex instead of like reddit or lemmy.

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      21
      ·
      edit-2
      3 months ago

      Fdroid is introducing another trusted party to your supply chain, which should be a factor in anyone’s threat molding.

      https://f-droid.org/docs/Reproducible_Builds/ However, with reproducible builds now a package is built and signed by both fdroid and the original developer, so you get a net security benefit of having a third party attesting they can independently reproduce the binary from source. Problem solved right? Well, yes but mostly no. Most projects and packages don’t have reproducible builds, so if your using fdroid for most packages your still trusting droid.

      I think a lot of the online hate comes from people making assumptions that their use case and threat model applies to everyone. That’s why I prefer discourse where we just talk about the attributes and not “you should”

      • Captain Beyond@linkage.ds8.zone
        link
        fedilink
        arrow-up
        12
        ·
        edit-2
        3 months ago

        I feel like there’s a lot of FUD around this subject, because people bring it up as if it’s purely a negative without talking about the reasons why it’s done the way it is. The whole point of F-Droid is that it’s a repository (not a store) of free software applications. They have an inclusion policy forbidding proprietary code and dependencies, and in order to enforce this policy they have to build from publicly available source code, and in order to do so they need to sign the builds themselves. This means, yes, you are trusting F-Droid instead of the upstream developer - but given F-Droid has higher standards than upstream developers this is a tradeoff I am willing to make.

        Reproducible builds solves this in a way that preserves the standards of F-Droid, however, “security peoples’” favored “alternatives” (such as Accrescent, Obtainium, and Google Play Store/Aurora Store) forego this entirely, showing they don’t either have a viable solution to offer or that they don’t really care about the problem that F-Droid is addressing to begin with.

      • lord___vader@sh.itjust.worksOP
        link
        fedilink
        arrow-up
        6
        arrow-down
        2
        ·
        3 months ago

        I completely understand, but this only adversely affects you if f-droid getting hacked is in your threat model. And not everyone have that.

        • jet@hackertalks.com
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          2
          ·
          3 months ago

          Yeah exactly. So pointing that out is sufficient, and it’s up to every user to decide if the benefit is worth the risk. And I’m sure for most people fdroid is a net positive.

          Now, I want to change gears, and talk about annoying personalities also being really beneficial. Crazy principled people drive change in the world. The open BSD founder, RMS, the graphene founder, these are crazy unreasonable uncompromising people which are difficult to get along, but they drive change. Sometimes we need those uncompromising people. I think putting up with them is the cost of a vibrant ecosystem.

          • BearOfaTime@lemm.ee
            link
            fedilink
            arrow-up
            3
            arrow-down
            2
            ·
            edit-2
            3 months ago

            I disagree.

            If you’re an asshole, people don’t want to work with you, and will actively avoid you.

            I’m the IT guru in my family and extended circle. Of the probably 100+ people I advise, none will ever use Graphene now.

            They alienate people with their hubris and condescension. Rather than help people understand their perspective, they act like it’s “the only answer”.

            That’s never a solution. Discussing pros and cons of different approaches moves us forward, not the Graphene “us VS them” mentality.

      • Possibly linux
        link
        fedilink
        English
        arrow-up
        2
        ·
        3 months ago

        There isn’t anything better than F-droid as far as I can tell

    • JackbyDev@programming.dev
      link
      fedilink
      English
      arrow-up
      9
      ·
      3 months ago

      What’s an unhealthy opinion of f-droid? Is something wrong with it? Genuine question. I’m out of the loop.

      • lord___vader@sh.itjust.worksOP
        link
        fedilink
        arrow-up
        8
        arrow-down
        3
        ·
        3 months ago

        F-droid acts as a trust for all the apps you download through it, which means if F droid is hacked, hackers can push fake update to all the apps. It is an issue, but not the biggest concern of average joe. Although F-droid should take it pretty seriously.

        But I think hating on them is not the solution…

        • JackbyDev@programming.dev
          link
          fedilink
          English
          arrow-up
          11
          arrow-down
          1
          ·
          3 months ago

          Oh. Same is true for Google Play and literally every self updating app/program on the planet lmao.

          • jet@hackertalks.com
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            1
            ·
            edit-2
            3 months ago

            For Google Play: Google has root on play devices which is a separate issue, but the apps are actually signed by their developers and not google.

            • refalo@programming.dev
              link
              fedilink
              arrow-up
              7
              ·
              edit-2
              3 months ago

              not google

              This is not true… play store now requires you to give up your signing keys to google so they can sign the app themselves after injecting whatever they feel like. F-Droid does the same because they also compile your apps for you. Another reason some don’t trust F-Droid (or Signal, Tor and a bunch of other free/open source software for that matter) is that they received funding from OTF which is funded by the US government and some people don’t like that. And yes I know computers and the internet also came from the government /shrug

              I have no skin in this game, I am not intentionally trying to spread any FUD (but I realize some people will still claim so, they are free to do so), just relaying information I have seen elsewhere. Happy to provide sources if anyone likes.

        • Possibly linux
          link
          fedilink
          English
          arrow-up
          3
          ·
          3 months ago

          They have actually made a bunch of security enhancements to there systems and processes. You can look at the blog if you are curious.