Links to IzzyOnDroid repo? #302
Thanks for your suggestion @IzzySoft. My reasons for not including 3rd party repos so far:
The official repo makes things easy: There's not much to care about. However, your repo is some kind of special as it's somewhat known in the community already (and of course your role 😄). So in this case I do not have a strong opinion in either direction.
Is the label available on the client too? |
Reasonable questions to ask – so let me be reasonable as well and try to answer them.
My repo contains a details link which addresses this. In short: I maintain it, security measures are in place as outlined behind the link (automated scans by VT and my own library scanner, the latter is also used by F-Droid.org; results of both are clearly shown when visiting the repo with a web browser – unfortunately there's no way to transport that to the index itself; integrity of packages is ensured by "pinning" the hashes of their signing keys (
No cookies, no JavaScript, no trackers. Webserver logs are rotated to
Same library scanner again – and see Oh, and if an app which didn't have
Understandable. My argument on this is that my repo is the largest 3rd-party repo by far (as pointed out, ~1.1k apps) with only F-Droid.org itself being larger (currently ~4.2k apps) and "number 3" having far less than 100 apps (at least from the repos I know).
Yupp. Does not apply to mine I'd say, as outlined already.
They are minimal, depending on the client used. With NeoStore, my repo simply must be enabled. With the official repo, just scan the QR code to add it (spoiler: the official client will soon™ support the QR Code scan directly) or type in the address by hand. But admitted, yes: it's an additional step.
"They" being the apps in the repo, or the repo itself? I cannot "guarantee" for either. But given that my repo exists since … oof, 2015/2016 and is an integral part of my "suit", I certainly hope it stays around the next years 😉
As I don't know what exactly you mean here, I must guess: Yes, all apps are "FOSS". I only accept apps with their source openly available, covered by a FOSS license approved by OSI/FSF (there are a handful of older apps with unclear license which I'll probably "weed out" soon – those were from the very early days when I was still trying to get things working). As with F-Droid itself, licenses are clearly shown. Already said, but relevant here: FOSS vs F/LOSS. Some apps have a few non-libre components, see
Only if the authors/developers provide such 🙈 But yes: my updater runs once a day to check the corresponding repositories and fetch the updates. For some apps which somehow "fell dormant" (no updates for a year), updates are only checked monthly. Very few apps require manual updates, which I try to check once a month as well (luckily those don't have frequent updates). And several apps simply no longer receive updates as their development ceased, their repository was archived or gone entirely. So again, pretty much the same handling as on F-Droid.org, just that updates in my repo are usually a little faster as I don't build apps from their sources myself but simply fetch the developers' APKs. Note: Should an app no longer receive updates, that's clearly pointed out as well. Either with the app's description (if the source still exists but development has come to a stand-still or the repo was even archived – or via the standard
Depends on which client we speak of here. The official client shows it as it shows the official anti-features (at least when using the latest version). NeoStore shows it but currently without any description, just stating something like "unknown anti-feature" (NeoStore still uses
I cannot deny either of these, thanks 😆 I hope my explanations help you decide. Being a maintainer at F-Droid.org as well, I aim for maximum transparency and try to implement as much of the "safe-guards" F-Droid offers (like the Should you have any additional questions, I try to answer them to the best of my knowledge. You find more details including most of the code etc. used with my repo here by the way – where people also can recommend apps I should take in, report issues or make other suggestions. |
PS: You might ask why I permit Should an app go the other direction (i.e. add more proprietary stuff than it initially came with when added to my repo) – see above. At one point updates will be disabled with the authors informed – and if it cannot be helped, the app is unlisted from my repo (which I unfortunately had to do more than once already, but luckily not too often; more like it was just dependencies slipping in unnoticed, and the developers fixed that so the app could remain and receive updates again). Again you see, pretty much like it would happen on F-Droid.org 😉 There the corresponding build would be disabled (i.e. "no update"), and later either newer builds were fixed or the app would be archived. Only that my archive is |
Thanks for your detailed and extensive answer! Just to be clear, my concerns are about 3rd party repos in general, not specifically targeting yours :-).
The repo itself, but applies to apps too. Your repo won't have issues with that 😉.
Sorry, some of my points are written more like bullet points without much context 🙈. If all entries are FOSS it's simple to stay FOSS only; if not, one has to figure it out on one's own.
Indeed, thank you very much for doing this! 😄 You have answered all concerns and I don't have any objections 👍. So what's to do now?
I'll create a PR for those. |
Understood that from the start – but I was applying for my repo 😊
That's putting it mildly. Some link to their git repos (usually GitHub) so it's "easy" to verify – others just "claim" to be FOSS (fat chance to go searching and find out)…
Yay, thanks! And yes, you can use that link syntax – or simply the same as with F-Droid:
if I can help with details, just let me know. I certainly could e.g. produce a link of package names available in my repo, connected with their source location (that one is easy: |
I'm closing here, there are PRs with links in the pipeline already, contribution guide is updated 👍 Feel free to reopen at any time if there's still something missing. Thanks again! 😄 |
And to you! Great to see the list growing 🥳 |
@IzzySoft Little bit offtopic question, is there a way to contribute to your repo list for categories of apps? Or you don't allow new* categories to sync your categories with official F-Droid list of categories? In that case I think I'll create a discussion on F-Droid though little hope for such change, because of different opinions. |
@shuvashish76 All categories available at F-Droid are available in my repo, too – plus some more. So if it works with F-Droid.org, my list is even more granular. As meanwhile custom categories are possible, I'm open to suggestions – but I wouldn't add too many of them (usually a category should at least have about 10 apps using it to make sense). |
Yes, that does make sense, users can use keyword specific searches in their choice of F-Droid clients anyway. 👍 |
Izzy has done a really great job by compiling all the sources to a single list. I propose to add the https://android.izzysoft.de/applists/perms to "Tutorials and Guides" section as "Permissions by IzzySoft", @offa what do you think? |
Note: Thanks to @shuvashish76 pointing it out to me, the mentioned list was just brought up to date (removal of dead links, adding fresh ones, updating risk ratings of perms according to OWASP, and some more). |
Info: Small comparison F-Droid vs Izzy repo. Article by IzzyOnDroid: https://www.kuketz-blog.de/android-apps-auf-dem-seziertisch-eine-vertiefte-betrachtung/ |
Thanks for sharing! 👍 |
Note that article triggered some activity at F-Droid finally, so the red fields for "Intent Filter" and "Self-Updater" might need to be changed into yellow "partials" (only at app inclusion, as they were just implemented a few days ago with F-Droid's Issuebot – which to my knowledge only runs automatically on RFP, i.e. Requests For Packaging of new apps, and manually on merge requests for new apps if someone remembers to trigger that). Not sure how reliable Issuebot is, as it seems to miss results from some modules every now and then; e.g. for my apk library scanner, I didn't see any results for months (and it would always report if it ran, and simply state if it didn't find anything – but not even that is mentioned in any reports for quite a while now). More background in a different version of that blog article here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo |
The IzzyOnDroid Repo is the largest 3rd-party F-Droid repo with currently about 1.100 apps listed. It can be easily added to the official F-Droid client (and is even pre-configured with several others like NeoStore). Maybe you can add links to it as well where FOSS apps are available which are for some reason NOT (yet?) at F-Droid.org? If you wish to filter for eligible candidates: the repo features a custom anti-feature NonFreeComp (app contains non-free component(s)) for apps you'd rather wish to skip. Apps not carrying that AF should meet your criteria (as well as F-Droid's).
Disclosure: I'm the one running that repo.
Disclosure 2: I'm also one of the F-Droid maintainers.
Answering the not-yet-asked question: Some authors wanted their apps in my repo and not at F-Droid, for different reasons. And some apps are difficult to build by F-Droid and thus are not (yet) listed there. My repository basically follows the same guidelines as F-Droid's, with 3 exceptions: it does not build from source but uses the APKs provided by the developers, it accepts apps which almost-but-not-fully meet F-Droid's inclusion criteria (those apps are marked NonFreeComp as they have a very limited amount of non-free libraries) – and there's a size limit as my repo runs on personal resources.
I gladly answer any questions when there are some left. Thanks in advance!