Good news, the @protonmail android app is now available on F-Droid.
Is it official? I do not install something like that without official confirmation.
Conversation
Notices
-
Embed this notice
ploum (ploum@mamot.fr)'s status on Saturday, 21-Oct-2023 00:11:29 JST 
ploum
-
Embed this notice
Albert ARIBAUD ✎ (aaribaud@mastodon.art)'s status on Saturday, 21-Oct-2023 00:11:28 JST 
Albert ARIBAUD ✎
@ploum @protonmail I only see the ProtonVPN app on F-Droid. What's the URL for the ProtonMail one?
-
Embed this notice
Albert ARIBAUD ✎ (aaribaud@mastodon.art)'s status on Saturday, 21-Oct-2023 02:09:38 JST
Albert ARIBAUD ✎
It's a bit short especially for an app for protonmail. Why is it a must have?
-
Embed this notice
-/mondstern (mondstern@mastodon.green)'s status on Saturday, 21-Oct-2023 02:09:40 JST 
-/mondstern
@ploum @LenticularCloud @aaribaud @protonmail
The @IzzyOnDroid repo is the Must-Have Repo
-
Embed this notice
LenticularCloud (lenticularcloud@mastodon.social)'s status on Saturday, 21-Oct-2023 02:09:41 JST 
LenticularCloud
@aaribaud @ploum @protonmail
Same, I dont see it atm. -
Embed this notice
ploum (ploum@mamot.fr)'s status on Saturday, 21-Oct-2023 02:09:41 JST
ploum
@LenticularCloud @aaribaud @protonmail : I have it in the Izzyondroid repository:
https://apt.izzysoft.de/fdroid/index/apk/ch.protonmail.android
-
Embed this notice
Albert ARIBAUD ✎ (aaribaud@mastodon.art)'s status on Saturday, 21-Oct-2023 03:27:47 JST
Albert ARIBAUD ✎
@sll I'm afraid you might have misunderstood (or I did).
There's F-Droid the repo and F-Droid the app.
@mondstern says that apps get from the Izzy *repository* to the F-Droid *app* on your mobile faster than they do from the F-Droid *repository*.
But because an app is available on the izzy repo does not mean it will ever be on the F-Droid repo.
-
Embed this notice
sll - un kien avec un capiau (sll@pouet.chapril.org)'s status on Saturday, 21-Oct-2023 03:27:49 JST 
sll - un kien avec un capiau
@mondstern OK. If it gets faster to FDroid, then no need to hurry, I can wait till the FDroid people add it :) @aaribaud
-
Embed this notice
-/mondstern (mondstern@mastodon.green)'s status on Saturday, 21-Oct-2023 03:27:51 JST
-/mondstern
Through Izzy, apps get to F-Droid faster, plus there's a daily repo update.
-
Embed this notice
Albert ARIBAUD ✎ (aaribaud@mastodon.art)'s status on Saturday, 21-Oct-2023 05:01:46 JST
Albert ARIBAUD ✎
@IzzyOnDroid Thanks for chiming in! With such (understandable) size constraints, I imagine you do not rebuild the APKs from source?
-
Embed this notice
IzzyOnDroid ✅ (izzyondroid@floss.social)'s status on Saturday, 21-Oct-2023 05:01:48 JST 
IzzyOnDroid ✅
@aaribaud Well, their APK is close to 0 MB. My repo runs on my personal space and thus has a size limit: 30 MB per app. Which means, their mail app simply does not fit in, or it would be there 🤷♂️
-
Embed this notice
Albert ARIBAUD ✎ (aaribaud@mastodon.art)'s status on Saturday, 21-Oct-2023 05:29:18 JST
Albert ARIBAUD ✎
@IzzyOnDroid Thanks a lot for your answer!
-
Embed this notice
IzzyOnDroid ✅ (izzyondroid@floss.social)'s status on Saturday, 21-Oct-2023 05:29:19 JST
IzzyOnDroid ✅
@aaribaud No. As the "Readme's" say, my repo serves the APKs built by the developers. Just follow the "details" link at the top of the list 😉 Or go directly to the question you raised via this link:
-
Embed this notice
Albert ARIBAUD ✎ (aaribaud@mastodon.art)'s status on Saturday, 21-Oct-2023 05:55:51 JST
Albert ARIBAUD ✎
@SylvieLorxu @ploum @LenticularCloud @protonmail @IzzyOnDroid
For the record: in the risk scenario(s) that I imagined with the "fetch APKs" model, IzzyOnDroid never was the bad actor -- after all, they could not tamper with the APKs they fetch without ruining the cryptographic signatures.
The actual risk scenario would be that a github repo owner build an APK from sources other than those on the repo and upload it to the repo, then have IzzyOnDroid fetch it.
[1/2]
-
Embed this notice
Sylvia (sylvielorxu@chaos.social)'s status on Saturday, 21-Oct-2023 05:55:52 JST 
Sylvia
@ploum @LenticularCloud @aaribaud @protonmail I mean, if you use the IzzyOnDroid repository you trust @IzzyOnDroid to pull it in from the official source and not do anything weird :)
I personally do trust him a lot and I think he has a well-deserved reputation of trustworthiness after years of running IzzyOnDroid.
For context, his website on https://apt.izzysoft.de/fdroid/index/apk/ch.protonmail.android states the .apk file comes from https://github.com/ProtonMail/proton-mail-android
-
Embed this notice
ploum (ploum@mamot.fr)'s status on Saturday, 21-Oct-2023 05:55:53 JST
ploum
@SylvieLorxu @LenticularCloud @aaribaud @protonmail : for something as sensible as Protonmail, it would be interesting to know exactly who have pushed this and how we can trust that person.
-
Embed this notice
Sylvia (sylvielorxu@chaos.social)'s status on Saturday, 21-Oct-2023 05:55:55 JST
Sylvia
@ploum @LenticularCloud @aaribaud @protonmail IzzyOnDroid is not F-Droid. When you add a third party repository to F-Droid, you get apps directly from that repository without *any* checks from F-Droid.
Izzy is pretty trustworthy, his repo grabs apps straight from GitHub/GitLab/etc. of the developers, but there are no checks if the .apk file matches the source code in question and apps may contain proprietary code.
But yeah, Proton Mail is not in F-Droid. It is in IzzyOnDroid. Not the same.
-
Embed this notice
Albert ARIBAUD ✎ (aaribaud@mastodon.art)'s status on Saturday, 21-Oct-2023 06:00:47 JST
Albert ARIBAUD ✎
@SylvieLorxu @ploum @LenticularCloud @protonmail @IzzyOnDroid
[2/2] And I am fine with a risk as long as I am aware of it -- then I can decide to either take that risk or take precautions which I think the risk makes necessary.
Apologies if I appeared to distrust IzzyOnDroid.
-
Embed this notice
Albert ARIBAUD ✎ (aaribaud@mastodon.art)'s status on Saturday, 21-Oct-2023 06:38:02 JST
Albert ARIBAUD ✎
@ploum @IzzyOnDroid @SylvieLorxu @LenticularCloud
From the respective site, it seems like the submission processes are separate and independent for F-Droid and IzzyOnDroid, and duplication (or its avoidance) is not considere.
-
Embed this notice
ploum (ploum@mamot.fr)'s status on Saturday, 21-Oct-2023 06:38:03 JST
ploum
@IzzyOnDroid @aaribaud @SylvieLorxu @LenticularCloud : I’m a bit confused about the F-droid process. Who decide what goes on the F-droid official repository and how do you ensure you don’t duplicate too much with them ?
-
Embed this notice
IzzyOnDroid ✅ (izzyondroid@floss.social)'s status on Saturday, 21-Oct-2023 06:38:04 JST
IzzyOnDroid ✅
@ploum it indeed mostly is. The entire framework and all (see https://gitlab.com/IzzyOnDroid/repo/). There were some contributions, and I got some help on questions – but for the most part (95%?) it's just me… Same with the companion site at https://android.izzysoft.de/ and my eBook server at https://ebooks.qumran.org/ (see my profile here). Glad to read you find it helpful! 😍 @aaribaud @SylvieLorxu @LenticularCloud
-
Embed this notice
ploum (ploum@mamot.fr)'s status on Saturday, 21-Oct-2023 06:38:05 JST
ploum
@IzzyOnDroid @aaribaud @SylvieLorxu @LenticularCloud : wait a minute… You mean that IzzyOnDroid repository is a one-person-project ?
If that’s the case, good job! Thanks for that, it is really useful.
-
Embed this notice
IzzyOnDroid ✅ (izzyondroid@floss.social)'s status on Saturday, 21-Oct-2023 06:38:07 JST
IzzyOnDroid ✅
@aaribaud @SylvieLorxu @ploum @LenticularCloud
"The actual risk scenario would be that a github repo owner build an APK from sources other than those on the repo and upload it to the repo"
That indeed is a real risk as I have no means to check that. There are other checks in place (library scanner, VT etc) which should reduce the risk of "bad stuff" – but a little risk always exists. So you need to trust the developer, too…
-
Embed this notice
All GNU social JP content and data are available under the