
pserwylo | 4 years ago

> F-Droid builds are custom signed and can be made by random parties without proper auditing after initial review.

F-Droid follows a similar model to traditional Linux package managers, which has shown time and again that they are both trustworthy and secure (or at least, they offer the user the freedom to choose the level of trust they have in the package signers).

When installing from a Debian repo, I'm typically installing a package that is not built/signed by the upstream developer. I am implicitly (in the case of a default install) trusting the Debian developers' signing practices, or explicitly (if you add a third party repo). This means you trust both those in charge of the building/packaging/signing as well as the upstream developers. The same is true of F-Droid.

Of course, the notable exception is that F-Droid also supports upstream packages signed by the developer if the builds are verifiably reproducible.
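The reproducible-build check that the comment above relies on boils down to "strip the signer's files from both APKs and see whether what remains is byte-identical". The script below is an added illustration of that comparison, not code from the commenter or from F-Droid's own verification tooling; the APKs it compares are constructed stand-in zips, not real apps.

```python
import hashlib
import io
import zipfile

# JAR (v1) signature entries written by whoever signed the APK. APK v2/v3
# signatures live in a "signing block" that is not a zip entry, so a plain
# zip walk never sees them and they need no special handling here.
def is_signature_entry(name: str) -> bool:
    upper = name.upper()
    return upper.startswith("META-INF/") and upper.endswith(
        (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")
    )

def content_digests(apk_bytes: bytes) -> dict[str, str]:
    """Map each non-signature entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_builds(upstream_apk: bytes, rebuilt_apk: bytes) -> dict[str, list[str]]:
    """Report entries that differ once signatures are ignored; all empty == reproducible."""
    a, b = content_digests(upstream_apk), content_digests(rebuilt_apk)
    return {
        "only_in_upstream": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def make_apk(entries: dict[str, bytes]) -> bytes:
    """Constructed stand-in for an APK: a zip holding the given entries (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: identical app contents, different signers, plus one tampered copy.
COMMON = {"classes.dex": b"dex\n" + b"A" * 64, "AndroidManifest.xml": b"<manifest/>"}
UPSTREAM = make_apk({**COMMON, "META-INF/UPSTREAM.RSA": b"dev-cert", "META-INF/MANIFEST.MF": b"m1"})
REBUILT = make_apk({**COMMON, "META-INF/FDROID.RSA": b"fdroid-cert", "META-INF/MANIFEST.MF": b"m2"})
TAMPERED = make_apk({**COMMON, "classes.dex": COMMON["classes.dex"] + b"X", "META-INF/FDROID.RSA": b"x"})

if __name__ == "__main__":
    print(compare_builds(UPSTREAM, REBUILT))   # every list empty: builds match
    print(compare_builds(UPSTREAM, TAMPERED))  # 'changed': ['classes.dex']
```

A match here only says the rebuild produced the same bytes as the developer's APK; it says nothing about whether those bytes are safe, which is exactly why the signer identity still matters.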


nosedief | 4 years ago

There is a difference in your Linux desktop workstation and your most private device. Desktop systems are not nearly as secure and should not be seen as such, and Linux surely at the tail end.

People using F-Droid might not be aware that they are trusting a third party as they think it is a trusted distribution channel, relying on the information stated on the client app or website.

toastal | 4 years ago

> your most private device

What? A smart phone is just a computer—they are the same thing. Everything from private chats to TOTP tokens are on both my phone and my laptop. The only difference is my bank cries if I’m rooted on my phone and says nothing about it on my laptop.

upofadown | 4 years ago

Surely a desktop running a well respected Linux distribution is much more secure than any smartphone. It will be locked for much of the day, possibly with disk encryption. There are few services (any?) exposed to the network. The software can be all open source, both OS and applications. The only weakness would be the web browser, and there are web browsers used on smartphones.

lolinder | 4 years ago

In order to get started with F-Droid you have to jump through several hoops with strong warnings from Android about allowing third party apps to install applications.

Here's the exact text of the warning:

> Your phone and personal data are more vulnerable to attack by unknown apps. By installing apps from this source, you agree that you are responsible for any damage to your phone or loss of data that may result from their use.