Conversation

Feb 27

Sylvia van Os (F-Droid project member) saying "Why is the Graphene dev so insane" in the Aurora Store off-topic room as part of cross-platform harassment.

read image description

ALT

Just saying but maybe F-Droid developers shouldn't be organizing raids on our issue tracker and attempting to get people to harass us across different rooms. Explaining our reasoning for wanting a new repository system doesn't justify attacks they coordinated in their dev room.

Show this thread

They're currently coordinating their fabricated stories and talking points in the public F-Droid development chat room.

@hopeconf

has multiple of these people attending despite their repeated involved in harassment and raids. A board member of the main org involved is a speaker.

6:31 PM · Jul 13, 2022Twitter Web App

All I posted before their outburst of bullying and fabricated stories which started in their developer chat room was information on the Android permission model, how F-Droid presents it incorrectly to users and how that harms users by misleading them in 2 different ways about it.

Replying to

I stated we intend to add a disclaimer screen to GrapheneOS on this incorrect information in the F-Droid app if they won't fix it, which has been planned for a long time. F-Droid has multiple serious security and usability issues which they have downplayed and refused to fix.

Many of our users use F-Droid as one of their main sources of apps. There are serious known issues with the security of F-Droid' infrastructure, build, signing and app security. If they will not fix these issues, we need to add a warning screen for our users. It's not a "threat".

In many cases, F-Droid has downplayed and refused to acknowledge or fix security issues. They've started making posts with the explicit goal of downplaying the issues and misleading people about them. This will only increase the priority of replacing it and moving users away.

Engaging in harassment and libel towards people reporting and publishing information about serious issues in their software is one of their main approaches. Several people other than myself have posted blog posts and videos explaining issues, which F-Droid has attacked with lies.

Be very wary of projects which treat privacy and security researchers in this way. F-Droid is not a privacy or security friendly project. It has serious issues in both areas, which are often getting worse rather than better, and their solution to the problem is harassment/lying.

Draft: blog post about android permissions (!834) · Merge requests · F-Droid / Website · GitLab

F-Droid has now deleted their own harassment from gitlab.com/fdroid/fdroid-. It's quite possible they'll delete their dishonest messages and coordination of talking points from their development room. I archived it for a reason. They usually try to cover up and deny their abuse.

gitlab.com

I came across an article claiming that Google Play stopped displaying app permissions. And since we've been criticized for displaying them. I think it might make sense to...

They've continued this across platforms and are coming up with a fake story / spin about what happened, but I have archives of both the initial abusive behavior in their development room and then what they did on the issue tracker after I responded to that which is linked above.

I have irrefutable proof that multiple core F-Droid and Calyx developers (substantial overlap) have engaged in bullying, harassment and libel targeting me to advance their own interests. Is anything going to be done by

@hopeconf

and others platforming these long term abusers?

Not that it particularly matters, but it's worth noting the topic in question involves them trying to mislead users about the Android platform's app sandboxing and permission system to excuse F-Droid mishandling permissions and giving users inaccurate info about what apps can do.

They've been criticized by several privacy/security researchers about their approach to this and other things including serious flaws in their build infrastructure, approach to distributing apps and in their app. Instead of improving, they're putting out posts misleading people.

F-Droid will have to be marked with a warning dialog in GrapheneOS explaining the cross-profile install conflicts it causes which place a substantial support burden on us, security issues with their builds, infra and app and the very misleading inaccurate permission listings.

They won't fix these problems, and many of our users are using F-Droid. This creates major security issues for our users which they will not address, along with a massive support burden on us where many new users run into the conflicts caused across profiles from app id misuse.

Very normal for a new GrapheneOS user to install F-Droid, use their main profile, then attempt to install F-Droid in a 2nd user. This doesn't work due to them not updating the download link. We think they're refusing to fix this out of spite towards OSes not bundling F-Droid...

Next, users will run into conflicts from F-Droid apps wrongly reusing app ids. You can't install apps from the developer or Play Store in one profile and install it from F-Droid in another in the vast majority of cases where F-Droid uses their own signing keys but reuses app id.

This is not ever supposed to happen in practice, because each build variant of an app should use a separate app id and ideally also a separate signing key although that's optional. Signing keys and versions are pinned for security, and installed apks are reused for each profile.