F-Droid's maintainer is against shipping builds of their app without rebranding the app id, app name and logo, which is itself reasonable. However, F-Droid itself distributes builds of thousands of apps without following those same expectations for them...
matrix.f-droid.org/room/!UAdCANfo
This is definitely a big issue. I made the mistake of using the same app ID for GitHub and F-Droid builds for , and the users cannot switch between the two without uninstalling the other. But I guess most F-Droid users are already aware of this.
The idea is to follow the example of projects like Debian, Mozilla, etc and enforce #FreeSoftware. Someone could otherwise easily embed proprietary bits or repos, then ship it as "F-Droid". F-Droid does provide app devs the same option via , shipping their key even
Part of our inclusion process is asking the upstream app dev for permission, and they can specify a different Application ID, for example, f-droid.org/packages/com.c
I also agree that there should be fewer signature conflicts in the Android ecosystem, but I disagree that using Google Play is a solution. The complete solution the F-Droid community is providing is #ReproducibleBuilds with the developer's own signature.
Google Play controls the app signing keys now, so that breaks the real solution of developer controlled keys combined with #ReproducibleBuilds. Amazon does it even worse: they force-resign all APKs that developers upload.
But wouldn't it be better to prefix the app ids of non-reproducible builds on F-Droid with something? That would resolve all problems caused by F-Droid at least...
Their 'reproducible' builds are broken since they use an outdated build environment and aren't able to keep up with the modern platform. All that will happen is that they're unable to ship updates unless app developers go out of the way to try to keep their broken infra working.
They already have massive issues keeping up with updates and leave users with broken and insecure apps for long periods of time. Blocking updates based on fixing their poorly maintained infrastructure and debugging future issues with it is only going to make this worse.
F-Droid has done little to nothing to address blatant security issues with their app / infrastructure / services, the involvement of untrustworthy people with a history of malicious behavior or the problematic mismatch between their approach and the platform's app source model.
The sooner it's replaced by trustworthy infrastructure and developers, the better. It's a legacy project that has held back the open source Android ecosystem for years and does a massive disservice to it. It has blocked the development of far better systems for distributing apps.