Federation EN Sun 21.07.2024 07:36:11 @jak2k We can't recommend using F-Droid due to extremely poor security practices throughout their client, repository design and infrastructure. The developers have an anti-security attitude and have demonstrated thoroughly untrustworthy behavior. We're going to be supporting Accrescent and helping them get what they need to reach a stable release and provide a huge number of apps with the support of the app developers. People are free to use F-Droid on GrapheneOS but we won't promote it.
Federation EN Sun 21.07.2024 08:50:11 @GrapheneOS Is there more information somewhere about this?
Federation EN Sun 21.07.2024 10:31:37 @jak2k
Federation EN Tue 23.07.2024 08:48:03 F-Droid attempts to do repository metadata signing, but both the approach they take and the implementation are quite flawed. Transport security via HTTPS using WebPKI doesn't only trust their server. It also trusts every CA and sub-CA without a way to monitor abuse, since unlike a browser there isn't enforced Certificate Transparency. We pin root keys and backup keys for our services in our apps, but of course that's not what's relied on for verifying App Store repository metadata.
Federation EN Tue 23.07.2024 09:41:06 @niko4u @jak2k @GrapheneOS How much extra security does that add, though? Seems to me to be very little, since you're still trusting the maintainers whose keys are embedded in the app.
Federation EN Sun 21.07.2024 10:34:22 @jak2k reproducible builds have nothing to do with security
Federation EN Sun 21.07.2024 10:57:30
Federation EN Sun 21.07.2024 11:56:22 @niko4u what does that do for security when we can just get it from the dev directly?
Federation EN Sun 21.07.2024 21:08:27 This article has some great information.
Federation NL Tue 23.07.2024 07:28:12 @jak2k @GrapheneOS I too would like to know.
Federation EN Tue 23.07.2024 08:43:14 They still build and sign nearly all the apps themselves, and are not migrating towards using that approach. Regardless of whether it's their own builds with their own signatures, F-Droid is still responsible for securing the initial download. It has poor security throughout the design and implementation. You can read https://privsec.dev/posts/android/f-droid-security-issues/ as a starting point, but it doesn't cover most of our technical concerns with F-Droid. We also have major concerns about the people in charge of it.
Federation EN Tue 23.07.2024 09:44:29 @GrapheneOS @jak2k Is that worse than Google Play, which forces* developers to give up their private keys to Google? The GOS community seems to think so, but I've never understood why. *Or at least, they were planning on doing that a while ago. Have they gone ahead with it?
Federation EN Tue 23.07.2024 17:46:41 @GrapheneOS
Federation EN Tue 23.07.2024 20:53:26 @jak2k that's correct: all from their official distributions, signed by their own keys, and several additional checks applied on top to make sure they're as safe as possible: signing keys pinned, library checks, manifest checks, signing block checks, and much more; see e.g. https://android.izzysoft.de/articles/named/iod-scan-apkchecks?lang=en @GrapheneOS