Conversation

Notices

  1. GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 00:27:19 JST

    A post from the developer of WireGuard on the severe security flaws and lack of trustworthiness of F-Droid:

    https://gitlab.com/fdroid/fdroiddata/-/issues/3110#note_1613430404

    This led to them including a self-update system which was openly implemented and documented. F-Droid was unaware they'd shipped it for half a year, and by then WireGuard had essentially escaped from, in their words, being held hostage by F-Droid.

    This was a rare case where an app used developer signing keys via their flawed reproducible builds system. Most don't.

    In conversation about 4 months ago from grapheneos.social permalink
    • Rich Felker repeated this.
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 00:27:25 JST
      in reply to

      For the vast majority of apps they package, F-Droid downloads and builds whatever developers publish, then signs it with their own keys and releases it. They aren't doing any real review as people believe. What they really do is run things through basic scans looking for libraries they've disallowed, primitive antivirus checks for common Android malware as if that's what malicious code in an open source project would be, etc. It took them that long just to realize an app openly took over updates.

      In conversation about 4 months ago permalink
      Rich Felker repeated this.
    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 28-Jan-2025 00:30:44 JST
      in reply to
      • Doerk

      @NebulaTide @GrapheneOS Um, Play Store is exactly the same. They lie that they're vetting packages and that's their justification for the walled garden approach. But all they're doing is setting policies which encourage malware-playing-by-Google's-rules and randomly ban software that's actually not shit (concrete example: not understanding that there's such a thing as an app that's a pure client not tied to a particular service provider, where by connecting to someone's unsavory server you might see unsavory things).

      In conversation about 4 months ago permalink
    • Doerk (nebulatide@mastodon.bsd.cafe)'s status on Tuesday, 28-Jan-2025 00:30:46 JST
      in reply to

      @GrapheneOS So what's your recommendation? Using Play Store instead?

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 00:30:57 JST
      in reply to

      F-Droid has incredibly poor security practices and a strong anti-security attitude held by most of the people involved. They've consistently engaged in coverups of vulnerabilities and targeting multiple security researchers with libel and harassment.

      It's a massive single point of failure and not worthy of the trust many people are placing in it. It's adding another trusted party compared to using the apps built and signed by the developers. It is not avoiding trust in the developers of apps.

      In conversation about 4 months ago permalink

    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 00:34:08 JST
      in reply to
      • Rich Felker
      • Doerk

      @dalias @NebulaTide Our current general recommendation is obtaining apps directly from open source developers. Obtainium and App Verifier are useful tools for that, but Obtainium doesn't do things in a way that we can wholeheartedly recommend it or package it in our app repository. We could make our own tool for downloading app builds with pinned keys from where developers publish them without involving third parties. Could support a reproducible build verification system via third parties too.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 04:31:50 JST
      in reply to

      @GrapheneOS

      F-Droid never shipped Firefox.

      Do you mean Fennec Fdroid?

      In conversation about 4 months ago permalink

    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 04:31:51 JST
      in reply to

      Regularly not shipping critical Firefox security patches for months is the norm for the main F-Droid repository. Whether or not they sign the apps themselves as they do for the vast majority of apps, updates can be indefinitely delayed based on issues with their outdated infrastructure or their Debian-style downstream patches needing to be updated.

      For the small subset signed by the app developers, many kinds of disagreements between F-Droid and developers will mean an end to receiving updates.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 04:40:03 JST
      in reply to

      @GrapheneOS

      I think you're dismissing the important curation work of F-Droid.

      Sure it's imperfect and security patches take too long, an additional intermediary etc.

      But using Obtainium or Accrescent just leaves the users to their own devices installing any app, with zero oversight.
      Far from ideal.

      You seem to be suggesting bad will from FDroid management, it would be better if you were more explicit on why you think that way, instead of just insinuating.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 04:41:12 JST
      in reply to

      @GrapheneOS And suggest avenues for resolutions of these differences.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 04:44:06 JST
      in reply to
      • Luce
      • Felix

      @GrapheneOS @Kulei @newhinton

      Obtainium just allows you to install any random app from a git page.
      Super dismissive of the work FDroid puts into curation, however faulty it may be.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 04:44:07 JST
      in reply to
      • Luce
      • Felix

      @Kulei @newhinton

      > Isn't Obtainium just worse than F-Droid?

      No, since it avoids adding another trusted party which has proven to be highly untrustworthy.

      > antivirus scanning

      It's performative.

      > F-Droid still does better checks than something like Play Store, right?

      F-Droid doesn't have a target API level standard or other basic standards that the Play Store and Accrescent enforce. They don't do any serious review, it's the same largely imaginary system as the Play Store in that regard.

      In conversation about 4 months ago permalink
    • Luce (kulei@social.vivaldi.net)'s status on Tuesday, 28-Jan-2025 04:44:08 JST
      in reply to
      • Felix

      @GrapheneOS @newhinton Isn't Obtainium just worse than F-Droid? Considering that F-Droid at least does some of the antivirus scanning and such. It's very difficult to verify whether an app is secure or private (even for people that trust AGPLv3 or just open-source apps intrinsically more than proprietary ones there is no guarantee of safety or privacy).

      F-Droid still does better checks than something like Play Store, right?

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 04:44:09 JST
      in reply to
      • Luce
      • Felix

      @Kulei @newhinton We recommend using Accrescent for the apps which are available through it. It's not specific to either open source apps or privacy focused apps but rather is meant to become a Play Store alternative.

      Obtainium + App Verifier for getting apps directly from developers, although we'd prefer a leaner and more security focused approach than Obtainium.

      In conversation about 4 months ago permalink
    • Luce (kulei@social.vivaldi.net)'s status on Tuesday, 28-Jan-2025 04:44:10 JST
      in reply to
      • Felix

      @newhinton @GrapheneOS There is a new project here https://accrescent.app/

      I don't know much about it, can't verify anything, just heard about it

      In conversation about 4 months ago permalink

    • Felix (newhinton@fosstodon.org)'s status on Tuesday, 28-Jan-2025 04:44:12 JST
      in reply to

      @GrapheneOS

      You are not the only ones that struggle with f-droid. (There is an ongoing struggle to fix certificate pinning by f-droid by a former maintainer, which has neither been acknowledged nor accepted).

      But the question is: what alternatives are there? As far as I can tell, f-droid is the only large-scale repository of open source apps there is.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 04:59:57 JST
      in reply to

      @GrapheneOS

      Oh and btw

      avg 4d 1h 49min 3s
      max 1w 18h 51min 8s
      min 22h 19min 51s
      https://gitlab.com/ironfox-oss/IronFox/-/issues/7

      In conversation about 4 months ago permalink

      Attachments

      1. Inclussion into official F-Droid? (#7) · Issues · IronFox OSS / IronFox · GitLab
        Are there plans to include IronFox as part of the official F-Droid repo, as Mull was? Otherwise, perhaps on IzzyOnDroid repo, or lastly a custom IronFox one? Even...
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 05:27:41 JST
      in reply to

      @GrapheneOS

      This looks as ugly for WireGuard as for F-Droid.

      WireGuard current app on Izzy repo for F-Droid does not tell users where it's updating from, does not ask for consent and it's opt-out. So they were clearly not happy about letting users know.

      Not to diss WireGuard which is of course an awesome project.

      A growing number of Izzy repo apps are reproducible builds.

      In conversation about 4 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 28-Jan-2025 10:21:06 JST
      in reply to
      • :umu: :umu:
      • Doerk

      @a1ba @GrapheneOS @NebulaTide That is horrifying and hard nope.

      In conversation about 4 months ago permalink
    • :umu: :umu: (a1ba@suya.place)'s status on Tuesday, 28-Jan-2025 10:21:11 JST
      in reply to
      • Rich Felker
      • Doerk
      @GrapheneOS @dalias @NebulaTide these days Google Play directly requires developer's private keys to repackage the app the way Google wants to.
      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 10:21:12 JST
      in reply to
      • Rich Felker
      • Doerk

      @dalias @NebulaTide Play Store used to be a way to obtain developer builds of apps signed by the developers but has moved away from it and the code transparency system they provide isn't a complete solution to verifying what they generate and sign from the app bundles uploaded by developers.

      For our own app repository, we don't want to build thousands of open source apps largely not aligned with our approach, especially without doing a pass updating dependencies and adding basic hardening.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 11:05:28 JST
      in reply to
      • :umu: :umu:
      • Rich Felker
      • Doerk

      @dalias @a1ba @NebulaTide They did provide a code transparency system to prove the generated APKs match the provided code but it does not cover all the relevant forms of resources, just all the code, so we don't think it provides what is needed even if it was widely adopted to verify what's generated.

      Google essentially moved to the system used by the Apple App Store where developers upload bundles of signed code which are then turned into the actual signed packages by Apple and Google.

      In conversation about 4 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 28-Jan-2025 11:05:28 JST
      in reply to
      • :umu: :umu:
      • Doerk

      @GrapheneOS @a1ba @NebulaTide That's largely irrelevant. The big issues are that it allows them to forge future releases, and that, regardless of application, sharing or transferring private keys is an absolute cryptographic no-no.

      In conversation about 4 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 28-Jan-2025 11:06:45 JST
      in reply to
      • :umu: :umu:
      • Doerk

      @GrapheneOS @a1ba @NebulaTide Thanks for the heads up that I should never waste time trying to put something in the Play Store.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 11:06:46 JST
      in reply to
      • :umu: :umu:
      • Rich Felker
      • Doerk

      @dalias @a1ba @NebulaTide Google hasn't forced existing apps to move to Play Signing. They do require it for all new apps. We entirely split the 3 apps we release on the Play Store from the ones we include in GrapheneOS and our app repository. There's the GrapheneOS variant of the apps with the normal app id like app.grapheneos.camera signed with our keys and then the Play variant with a suffix like app.grapheneos.camera.play with Play Signing, and we encourage people to use our App Store.

      In conversation about 4 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 28-Jan-2025 11:56:05 JST
      in reply to
      • :umu: :umu:
      • Doerk

      @GrapheneOS @a1ba @NebulaTide Last I tried the camera app it felt completely useless. No exposure time control or anything. Just press button and get whatever bad results come.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 11:56:07 JST
      in reply to
      • :umu: :umu:
      • Rich Felker
      • Doerk

      @dalias @a1ba @NebulaTide There's a lot of pain releasing apps through the Play Store in general aside from this, but the same applies to most alternatives to it.

      The delay for app review is at least generally down to around 1 day right now. There were times in the past where it took a week or more to get an update approved and there's no way to get it accelerated for a critical update.

      There are some very painful policies and it can be very painful to get the allowed exceptions approved.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 11:56:07 JST
      in reply to
      • :umu: :umu:
      • Rich Felker
      • Doerk

      @dalias @a1ba @NebulaTide We haven't focused much on improving those standalone apps since OS improvements make a much bigger difference for GrapheneOS users and it's hard to build any kind of community with the Play Store users to get anything back from it. Our Camera app did end up with >5m downloads with >1m active users but it hasn't resulted in any contributions to it. We're going to start much more active work on it soon but the odd form of success it had on the Play Store isn't a factor.

      In conversation about 4 months ago permalink
    • idkrn (idkrn@infosec.exchange)'s status on Tuesday, 28-Jan-2025 19:55:48 JST
      in reply to
      • j@mastodon

      @jcast what's the issue with installing an app you want? Fdroid isn't actually stopping you from getting malware so what's the point of their "curating"

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 19:55:48 JST
      in reply to
      • idkrn

      @idkrn

      Well I understand the standards are low with FDroid, but I still think most people are better off with their curation than using random apps from the internet.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 20:17:41 JST
      in reply to

      @GrapheneOS

      You replied to my comment on WireGuard choosing very deliberately to hide background updates from users with an ad hominem on Izzy.

      Not taking his side, and understandably you have removed your trust from them, but this doesn't look good on you.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 20:17:42 JST
      in reply to
      • j@mastodon

      @jcast Izzy is directly involved in the attacks towards security researchers including extreme harassment aimed at silencing them. He participated in harassment towards a GrapheneOS community member leading to them deleting a post they made with accurate criticism of F-Droid. His repository isn't safe or trustworthy, and we strongly recommend our users avoid it for their safety. He has demonstrated extremely malicious behavior towards not just our project and team but our broader community.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 20:23:18 JST
      in reply to

      @GrapheneOS

      I've read Izzy's comments on several forums for many years now, and I never witnessed anything but either praise or constructive criticism of GOS.

      Your mileage might vary, but from my perspective it just sounds you're each fiercely defending your ground. GOS focusing on security and FDroid on the 4 freedoms.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 20:49:17 JST
      in reply to

      @GrapheneOS

      I wasn't aware of that privacy vs. security controversy.

      I'm in no way affiliated with FDroid and am seriously taking notes of your concerns and criticism.

      I also appreciate your availability to communicate so transparently, and usually in a very mature way.

      Just noting two things here: WireGuard's opaque attitude, and you not replying to that concern.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 20:49:18 JST
      in reply to
      • j@mastodon

      @jcast

      Izzy regularly spreads misinformation about GrapheneOS and has participated in harassment towards our team. Call it what you want, doesn't change what it is.

      GrapheneOS is a privacy project. No matter how many times you folks misrepresent what it is and falsely claim it cares about security over privacy and all the other misinformation.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 21:15:31 JST
      in reply to

      @GrapheneOS

      You're replying to me as if I was defending Izzy.
      I'm not, I see things got ugly.

      But you're still choosing to go down the path of attacking him instead of replying to a legitimate concern about WireGuard's choices.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 21:15:32 JST
      in reply to
      • j@mastodon

      @jcast F-Droid's development team is thoroughly dishonest and do not truly care about anything more than themselves. They aren't in it to bring people freedom or privacy. They're in for themselves. They want power over people and they love exerting that power over a repository used by many people. None of them has stood up against extreme harassment. All of them are either directly involved or complicit. The harassment has targeted other people too, not only a GrapheneOS developer.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 21:15:32 JST
      in reply to
      • j@mastodon

      @jcast F-Droid developers have spread harassment content on YouTube very clearly consisting of spin and fabrications with the aim of harming GrapheneOS. They know that these things are lies but they do what is in their interest and harming GrapheneOS along with our development team is something they've decided to heavily commit to doing. Making accurate technical criticisms of F-Droid and pointing out their libel and harassment is not aggression. The thread above was made in response to attacks.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 21:15:33 JST
      in reply to
      • j@mastodon

      @jcast See https://gitlab.com/ironfox-oss/IronFox/-/issues/7 for an example of another F-Droid developer playing the victim and spreading fabrications about the archived GitLab thread above. This is part of a very concerted effort by multiple F-Droid developers to spread fabricated stories about one of our developers while also engaging in vile bullying and harassment towards them. Every member of the F-Droid team stands behind this. This is a tiny little peek at the massive amount of lies and harassment from them.

      In conversation about 4 months ago permalink

      Attachments

      1. Inclussion into official F-Droid? (#7) · Issues · IronFox OSS / IronFox · GitLab
        Are there plans to include IronFox as part of the official F-Droid repo, as Mull was? Otherwise, perhaps on IzzyOnDroid repo, or lastly a custom IronFox one? Even...
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 21:15:34 JST
      in reply to
      • j@mastodon

      @jcast You can't see the full thing from that archive since it doesn't include where it started on Matrix but we do have another archive of that and subsequent harassment on Matrix, Telegram and elsewhere by multiple F-Droid project members. They engaged in a cover up, partly visible from the current version of the page. They've subsequently spread endless lies about what occurred as part of pretending to be victims and portraying someone as insane. That includes as recently as the past week.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 21:15:35 JST
      in reply to
      • j@mastodon

      @jcast We did no such thing. You're downplaying extreme harassment towards our team. F-Droid keeps spreading fabricated stories about us and engaging in vile bullying including repeatedly calling one of our team members insane, delusional, schizophrenic, etc. with fabricated stories about them. An example of this by multiple members of the F-Droid team occurred around https://archive.ph/j7qql where they began engaging in harassment on Matrix due to technical discussion and then brought it there.

      In conversation about 4 months ago permalink

      Attachments

      1. Draft: blog post about android permissions (!834) · Merge requests · …
        archived 13 Jul 2022 18:17:20 UTC
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 21:32:09 JST
      in reply to
      • j@mastodon

      @jcast WireGuard openly implemented and documented a self-update system for their app. It's not their problem that F-Droid doesn't review things and ended up having an issue with it half a year later. Nearly all the users would have been updated to a version with it already so F-Droid dropping it wouldn't have cut off a large amount of the users from updates. F-Droid did cut some people off from updates. It shows one way their attempt at integrating reproducible builds is poorly thought out.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 21:32:09 JST
      in reply to

      @GrapheneOS
      Sure that shows two things:

      - FDroid review system is to say the least flawed.
      - Given that the new WG version on Izzy's repo does not even prompt the user for opt-out bg updates, WG chooses to be opaque, which I find concerning.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 21:34:25 JST
      in reply to

      @GrapheneOS

      I find WG behavior a concern in terms of both security and privacy.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 21:40:49 JST
      in reply to

      @GrapheneOS

      Makes sense thanks for clarifying.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 21:40:50 JST
      in reply to
      • j@mastodon

      @jcast An app can't update itself without the user explicitly granting the update permission. The way unattended updates work is that apps granted that permission can do unattended updates for apps where they're the current installer already or for themselves. GrapheneOS is considering eliminating the special case where apps can do an unattended update for themselves after granting the permission before they already updated themselves once but it's a very minor thing and not clear we should.

      In conversation about 4 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 28-Jan-2025 21:43:57 JST
      in reply to
      • Doerk

      @NebulaTide @GrapheneOS This is a domain where all the players are shit in different ways.

      In conversation about 4 months ago permalink
    • Doerk (nebulatide@mastodon.bsd.cafe)'s status on Tuesday, 28-Jan-2025 21:43:58 JST
      in reply to
      • Rich Felker

      @GrapheneOS @dalias Sounds to me like it’s better to avoid F-droid.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 21:43:59 JST
      in reply to
      • Rich Felker
      • Doerk

      @dalias @NebulaTide F-Droid repeatedly not giving users Firefox updates for months because they have to slowly update their patches removing things they dislike is an example of how much of a disaster it ends up being. Users getting browser security updates is critical.

      They've also had a long history of doing weird things like rolling back security critical dependencies compared to what apps use themselves. They do similar things for their own apps too to support ancient Android versions.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 28-Jan-2025 21:44:00 JST
      in reply to
      • Rich Felker
      • Doerk

      @dalias @NebulaTide Accrescent is a project we recommend as an open source replacement for what the Play Store used to be but it's still in an early phase without a lot of apps. Makes sense to use it for the apps in it though.

      It's a secure way to distribute developer builds where developers upload their releases. It's therefore not going to be a similar single point of failure, but it's also only going to be exerting a small amount of influence on the app developers.

      In conversation about 4 months ago permalink

    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 21:50:41 JST
      in reply to

      @GrapheneOS

      In practical terms, this means WG installs from FDroid, using Izzy repo updates without ever requesting user permission for background updates.

      So it really sounds at this point you're purposely misleading and obscuring this fact.

      In conversation about 4 months ago permalink

    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 21:55:15 JST
      in reply to

      @GrapheneOS

      This process is completely opaque to the user, and no, an explicit permission for background updates is not requested at any point either by the installer or by the app itself.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 22:00:50 JST
      in reply to

      @GrapheneOS

      So, despite the shortcomings of the FDroid team, I wouldn't be any wiser with regards to this without their efforts.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Tuesday, 28-Jan-2025 22:20:14 JST
      in reply to

      @GrapheneOS
      To clarify, I'm not using GOS, but another AOSP based OS.

      Maybe GOS has a more explicit permission model, but my issue is with WG, not GOS in any case.

      In conversation about 4 months ago permalink
    • idkrn (idkrn@infosec.exchange)'s status on Wednesday, 29-Jan-2025 01:29:32 JST
      in reply to
      • j@mastodon

      @jcast what curating do they do? All they do is try to check for libraries they don't like. They didn't realize that their build of a Nextcloud app got hijacked, and they didn't realize that WireGuard had openly ignored their rules on self updates for several months. They don't do much

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Wednesday, 29-Jan-2025 01:29:32 JST
      in reply to
      • idkrn

      @idkrn

      Some filters are better than no filters.
      Not downplaying their shortcomings either.

      In conversation about 4 months ago permalink
    • j@mastodon (jcast@mastodon.social)'s status on Wednesday, 29-Jan-2025 02:47:02 JST
      in reply to
      • guenther

      @guenther @GrapheneOS

      Yep it's a great app, verifies signatures and all.

      In conversation about 4 months ago permalink
    • guenther (guenther@chaos.social)'s status on Wednesday, 29-Jan-2025 02:47:03 JST
      in reply to
      • j@mastodon

      @GrapheneOS @jcast

      fwiw, they do ship an app called FFUpdater, which, as far as its UI suggests, downloads the packages from Mozilla/Github. Updates are still manual, though does mostly cut out the F-Droid-in-the-middle.

      In conversation about 4 months ago permalink
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Wednesday, 29-Jan-2025 02:47:05 JST
      in reply to
      • j@mastodon

      @jcast It is their way of shipping Firefox and they don't rebrand it from org.mozilla to the org.fdroid namespace. It is what we're referring to.

      In conversation about 4 months ago permalink

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.