I have irrefutable proof that multiple core F-Droid and Calyx developers (substantial overlap) have engaged in bullying, harassment and libel targeting me to advance their own interests. Is anything going to be done by and others platforming these long term abusers?
Conversation
Not that it particularly matters, but it's worth noting the topic in question involves them trying to mislead users about the Android platform's app sandboxing and permission system to excuse F-Droid mishandling permissions and giving users inaccurate info about what apps can do.
1
9
They've been criticized by several privacy/security researchers about their approach to this and other things including serious flaws in their build infrastructure, approach to distributing apps and in their app. Instead of improving, they're putting out posts misleading people.
1
8
F-Droid will have to be marked with a warning dialog in GrapheneOS explaining the cross-profile install conflicts it causes which place a substantial support burden on us, security issues with their builds, infra and app and the very misleading inaccurate permission listings.
1
9
They won't fix these problems, and many of our users are using F-Droid. This creates major security issues for our users which they will not address, along with a massive support burden on us where many new users run into the conflicts caused across profiles from app id misuse.
1
9
Very normal for a new GrapheneOS user to install F-Droid, use their main profile, then attempt to install F-Droid in a 2nd user. This doesn't work due to them not updating the download link. We think they're refusing to fix this out of spite towards OSes not bundling F-Droid...
2
9
Replying to
Any number of profiles can have the same app installed. F-Droid is reusing app ids for different apps, which is not supposed to be done, and causes conflicts, since apks are shared across profiles with the apps installed and key pinning / downgrade protection is applied globally.
2
Replying to
Oh, 2 different problems. Which app ids are being reused? Like the play store version of the app and the f droid version have the same id?
1
Replying to
Yes, or the developer's variant of the app they published outside the Play Store. This is not supposed to be done when apps are different build variants or have different signing keys. The app id is supposed to be unique to each published build variant or you get conflicts.
1
Replying to
If you published 2 build variants of an app yourself with the same app id, then installing the 1st variant in one profile and then the 2nd variant in another would replace the 1st variant globally. App ids are meant to be globally unique identifiers for the build variant of apps.
Replying to
You are supposed to use a reverse domain name as the prefix of your app identifier. You are supposed to own that domain. If you fork / modify another project, you're supposed to change the app id to a reverse domain of a domain that you own. It's mostly an under the hood thing.
1
1
Replying to
It is user facing in several places. Play Store on the web shows it as the URL for the application page. Settings app shows the app id too. It's in multiple other places too, but it's mostly an under the hood unique identifier for an app. It's how the OS identifies app packages.
1
1
Show replies