Conversation

Google have suspended Element in the Play Store without notifying us; we're reaching out to find out what's going on. Apologies for the inconvenience; in the interim there's f-droid.org/en/packages/im but it's a few versions behind. We'll post updates here.

1,205

1,764

Replying to

and

Maybe a good idea to push the newest versions to f-droid at the same time as you push them to play store in the future?

Replying to

and

That's not how the official F-Droid repository works. Developers don't release their apps through it. The way it works is the F-Droid packagers choose apps to package and are responsible for keeping them updated. They could make their own F-Droid repository to do it themselves.

Replying to

and

The issue with that is F-Droid handles it quite poorly and confuses users since the app releases signed with different signatures are incompatible. Perhaps F-Droid should add an app id prefix when using their own signing keys but they aren't doing that. It's a bit of a mess.

Replying to

and

Huh thanks for clearing that up, didn't know it worked that way. It seems that F-droid needs some improvement considering how much it is quickly becoming critical FOSS infrastructure.

Replying to

and

I don't feel like it's on the path to becoming what's needed. For GrapheneOS, we're going to be making our own app install / update system. One of the apps we'll provide in our repo is F-Droid, but we aren't comfortable bundling it with the OS or giving auto-install privileges.

Replying to

and

It has too many issues with usability and maintenance. It has security implications. For example, Android switched to v2 apk signatures in 2016 (Android 7) to address security limitations with the original signing system from the Java world. F-Droid kept using v1 until 2020.

Replying to

and

It could be blamed on lack of resources, but it's their choice to package such a huge number of apps including many that are unmaintained and/or blatantly insecure. Play Store also has minimum API target level for privacy/security reasons, and F-Droid definitely doesn't do that.

Replying to

and

The reason they finally switched to v2+ signatures is that Android starting enforcing it for apps targeting API 30+ as a security improvement. F-Droid had dozens of apps with v1 signatures and API 30+ which all broke for users on Android 11. This impacted GrapheneOS users a lot.

1:44 AM · Jan 30, 2021Twitter Web App

Replying to

and

The apps got detected as invalid after booting up the Android 11 upgrade and forcefully disabled. It's invalid to have an app with v1 signature and API 30+. Unfortunately, the F-Droid developers don't seem to test on modern Android. F-Droid itself has an old target API level.

Replying to

and

F-Droid is focused on older devices and older generation apps for those devices. It's in conflict with privacy and security. We want an extremely minimal alternative to it focused on robustness and security with the option of automatic updates without security / usability issues.

Show replies