f-droid's de facto complete lack of any sort of malware is literally more important than any theoretical concern imo
is it possible to sneak malware in if you really tried? yes
is there malware? no absolutely not
you go on google play and download a flashlight app and the top 20 results are all malware lol
sure f-droid has some pretty shit apps but none of them will infect your phone, and to be fair f-droid also has a handful of extremely high quality apps that you would have trouble finding otherwise
so idk, for the average user f-droid is just de facto higher quality apps, and confers more security just by being a little more tightly controlled by forcing apps to be open source (malware people will typically not want to make their shit open source. that's usually how it works)
@haskal One of my favorite things about f-droid is that it has apps for free that you'd need to pay for on the play store
My favorite example is OSMAnd+
@haskal Trusting signed binaries instead of signed source code is a conspiracy by Google, Apple, and Microsoft to sell proprietary software.
@haskal Security Man says forced obsolescence is about Security. Who cares that it means people need to buy way more hardware? I mean, those lazy application developers need to upgrade their shit. Nonono, don't blame Google for forking the shit out of Linux and encouraging rampant GPL violation by their hardware partners. Google's boots taste too good for Security Man!
@haskal "open-source apps aren’t necessarily more private or secure. Instead, you should rely on the strong security and privacy guarantees provided by a modern operating system with a robust sandboxing/permission model, namely modern Android, GrapheneOS and iOS."
So, trust your proprietary operating system (bad idea) to deal with your lack of trust in the developers of the applications you use... instead of, you know, just trusting the application developers?? 🙃
@haskal Don't get me wrong, sandboxing applications is generally good. But relying on that in lieu of trusting application developers is a technological solution to a social problem.
@haskal Come to think of it, aren't all technological security measures technological solutions to social problems?
That being said, you shouldn’t have to trust either way. Tools including something like a packet sniffer should ideally be simple enough for everyone to use to know when an app requests network permission, and where it connects. Users worried about telemetry should be able to just deny network access instead of trusting anyone. That’s honestly a lot easier than looking at the repo for each app.
I think FLOSS is essential for many reasons; at the same time, the best way to verify what a program does when you run it is to…run it.
The black-box and white-box approaches to securing a device are not mutually exclusive; they complement each other.
"Backward compatibility is often the enemy of security, and while there’s a middle-ground for convenience and obsolescence, it shouldn’t be exaggerated. (...) the main repository of F-Droid is filled with obsolete apps from another era (...). Let’s not make the same mistake as the desktop platforms: instead, complain to your vendors for selling devices with no decent OS/firmware support."
"instead, complain to your vendors"
WTF. How naive can a person be?
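The suggestion above that users should be able to see which apps request network permission and where they connect, in code, as an added example that is not part of this thread: a small Python script that reads an app's AndroidManifest.xml for network-related permissions and groups observed connections by app. The manifest, the `uid=… dst=…` connection records (a hypothetical export from a per-app firewall or packet capture) and the uid-to-package mapping are all constructed for the example; on a real device the uid mapping would come from the package manager.

```python
"""Added example: does this app declare network permissions, and where does it
actually connect? Manifest, connection records and uid map are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Permissions that let an app reach or observe the network.
NETWORK_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight"/>
</manifest>"""

# Constructed connection records, one per line, in a hypothetical
# "uid=<linux uid> dst=<host>:<port>" export format.
SAMPLE_CONNECTIONS = """\
uid=10123 dst=203.0.113.5:443
uid=10123 dst=198.51.100.7:443
uid=10088 dst=192.0.2.10:443
uid=10123 dst=203.0.113.5:443
"""

# Constructed uid -> package mapping (on a device: the package manager).
SAMPLE_UID_MAP = {10123: "org.example.flashlight", 10088: "org.example.maps"}


def declared_permissions(manifest_xml: str) -> set:
    """Return the permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        elem.get(name_attr)
        for elem in root.iter("uses-permission")
        if elem.get(name_attr)
    }


def requests_network(manifest_xml: str) -> bool:
    """True if the manifest declares any network-related permission."""
    return bool(declared_permissions(manifest_xml) & NETWORK_PERMISSIONS)


def destinations_by_app(records: str, uid_map: dict) -> dict:
    """Group unique destinations per package, in first-seen order.

    Records whose uid is not in the map are reported as 'uid:<n>' so an
    unknown app is never silently dropped."""
    seen = defaultdict(list)
    for line in records.splitlines():
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        if "uid" not in fields or "dst" not in fields:
            continue  # skip malformed or empty lines
        app = uid_map.get(int(fields["uid"]), f"uid:{fields['uid']}")
        if fields["dst"] not in seen[app]:
            seen[app].append(fields["dst"])
    return dict(seen)


def report(manifest_xml: str, records: str, uid_map: dict) -> dict:
    """Combine both views: what the app asks for and what it was seen doing."""
    package = ET.fromstring(manifest_xml).get("package")
    return {
        "package": package,
        "requests_network": requests_network(manifest_xml),
        "destinations": destinations_by_app(records, uid_map).get(package, []),
    }


if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST, SAMPLE_CONNECTIONS, SAMPLE_UID_MAP))
```

A user who sees `requests_network` true for an app that has no business being online (a flashlight, in this constructed case) has grounds to deny it network access at the OS level without having to audit the repository first; the observed-destination list is the black-box side of the same check.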
@haskal My takeaway wasn’t “don’t use F-Droid”, but “F-Droid lacks some security features present in Google Play”. I’d use it while acknowledging the fact that it has problems, some of which could be solved. I do agree with your point that we shouldn’t recommend the Play Store unless you really vet each app carefully.
I think it’s reasonable to want both the apps and the platform to offer some security. Accrescent could be a way to get something from both worlds.
Getting updates quickly and incentivising good security practices (like a minimum target API level) are reasonable things to want in addition to the ecosystem that F-Droid provides.
@Sandra @easrng @haskal That's because Apple is actively hostile to it. You can't publish GPL licensed applications on the iOS App Store without every contributor to the code agreeing to a special exception to the GPL. Apple's terms explicitly say you can't distribute the application outside of their app store among other ridiculous restrictions which are incompatible with the GPL.
@Bubu @haskal There’s also some research showing #Fdroid to push less malware than #Playstore → https://nsl.cs.waseda.ac.jp/wp-content/uploads/2018/04/submitted_wama2017.pdf (see also https://git.disroot.org/cyberMonk/liberethos_paradigm/src/branch/master/usa_brokerages.md#why-fis-that-impose-google-playstore-gps-or-apple-are-blacklisted )
@haskal (Having not yet read the entire thread)
"Unintentional" malware is still a possibility though, is it not? I mean, look at the number of attacks that have happened on dependency chains: by getting something, somewhere, to use your (malicious) package, whatever depends on it...
Though realistically, there's no stopping that, unless you have a manual review that checks every line of every dependency, recursively, which nobody will ever do.
> is there malware?
Well, I've found one spyware or another, so that's not quite true. But after opening a ticket the folks from the f-droid team reacted reasonably quickly. So, yes, it's much better than google play.