In many cases, F-Droid has downplayed and refused to acknowledge or fix security issues. They've started making posts with the explicit goal of downplaying the issues and misleading people about them. This will only increase the priority of replacing it and moving users away.
Engaging in harassment and libel towards people reporting and publishing information about serious issues in their software is one of their main approaches. Several people other than myself have posted blog posts and videos explaining issues, which F-Droid has attacked with lies.
Be very wary of projects which treat privacy and security researchers in this way. F-Droid is not a privacy or security friendly project. It has serious issues in both areas, which are often getting worse rather than better, and their solution to the problem is harassment/lying.
F-Droid has now deleted their own harassment from gitlab.com/fdroid/fdroid-. It's quite possible they'll delete their dishonest messages and coordination of talking points from their development room. I archived it for a reason. They usually try to cover up and deny their abuse.
They've continued this across platforms and are coming up with a fake story / spin about what happened, but I have archives of both the initial abusive behavior in their development room and then what they did on the issue tracker after I responded to that which is linked above.
I have irrefutable proof that multiple core F-Droid and Calyx developers (substantial overlap) have engaged in bullying, harassment and libel targeting me to advance their own interests. Is anything going to be done by and others platforming these long term abusers?
Not that it particularly matters, but it's worth noting the topic in question involves them trying to mislead users about the Android platform's app sandboxing and permission system to excuse F-Droid mishandling permissions and giving users inaccurate info about what apps can do.
They've been criticized by several privacy/security researchers about their approach to this and other things including serious flaws in their build infrastructure, approach to distributing apps and in their app. Instead of improving, they're putting out posts misleading people.
F-Droid will have to be marked with a warning dialog in GrapheneOS explaining the cross-profile install conflicts it causes which place a substantial support burden on us, security issues with their builds, infra and app and the very misleading inaccurate permission listings.
They won't fix these problems, and many of our users are using F-Droid. This creates major security issues for our users which they will not address, along with a massive support burden on us where many new users run into the conflicts caused across profiles from app id misuse.
Very normal for a new GrapheneOS user to install F-Droid, use their main profile, then attempt to install F-Droid in a 2nd user. This doesn't work due to them not updating the download link. We think they're refusing to fix this out of spite towards OSes not bundling F-Droid...
Next, users will run into conflicts from F-Droid apps wrongly reusing app ids. You can't install apps from the developer or Play Store in one profile and install it from F-Droid in another in the vast majority of cases where F-Droid uses their own signing keys but reuses app id.
This is not ever supposed to happen in practice, because each build variant of an app should use a separate app id and ideally also a separate signing key although that's optional. Signing keys and versions are pinned for security, and installed apks are reused for each profile.
The fabrications and spin they pushed about this in their developer room are actually outrageous. They come up with all kinds of things to falsely accuse me of including false claims of ban evasion and after all the recent bullying and libel try to falsely accuse me of doing it.
Any number of profiles can have the same app installed. F-Droid is reusing app ids for different apps, which is not supposed to be done, and causes conflicts, since apks are shared across profiles with the apps installed and key pinning / downgrade protection is applied globally.
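
Added example, not part of the original thread: a simplified Python model of the install check the posts above describe, where one package record per app id is shared by every profile and the signing key and version are checked against that shared record. The `Device` class, app ids and key names are constructed for illustration; the two error strings are Android's real install result names.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Apk:
    app_id: str        # package name (constructed sample values below)
    version_code: int
    signer: str        # stands in for the signing certificate digest

@dataclass
class Device:
    # One package record per app id for the whole device, shared by all profiles.
    packages: dict = field(default_factory=dict)
    # Which profiles have each app id enabled.
    enabled: dict = field(default_factory=dict)

    def install(self, profile: int, apk: Apk) -> str:
        current = self.packages.get(apk.app_id)
        if current is not None:
            # Key pinning: checked against the device-wide record.
            if apk.signer != current.signer:
                return "INSTALL_FAILED_UPDATE_INCOMPATIBLE"
            # Downgrade protection: also applied device-wide.
            if apk.version_code < current.version_code:
                return "INSTALL_FAILED_VERSION_DOWNGRADE"
        if current is None or apk.version_code > current.version_code:
            self.packages[apk.app_id] = apk
        self.enabled.setdefault(apk.app_id, set()).add(profile)
        return "OK"

def demo() -> dict:
    dev = Device()
    upstream = Apk("org.example.app", 12, "developer-key")
    rebuilt_same_id = Apk("org.example.app", 12, "repo-key")
    rebuilt_own_id = Apk("org.example.app.repo", 12, "repo-key")
    older = Apk("org.example.app", 11, "developer-key")
    return {
        "owner installs upstream": dev.install(0, upstream),
        "second profile, same apk": dev.install(10, upstream),
        "second profile, other key, same id": dev.install(10, rebuilt_same_id),
        "second profile, other key, own id": dev.install(10, rebuilt_own_id),
        "second profile, older version": dev.install(10, older),
    }

if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```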