Mention Neo Store in DivestOS recommendation #1829

Merged
merged 1 commit into from
Oct 9, 2022
JustLuckNoSkill
Contributor

  • Please check this box to confirm you have disclosed any relevant conflicts of interest in your post.
  • Please check this box to confirm your agreement to publish your work under the Creative Commons Attribution-NoDerivatives 4.0 International license, and to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project.

The current DivestOS recommendation lists F-Droid as a positive, which contradicts the F-Droid section at the bottom of the Android page. This PR adds a warning against using F-Droid despite it being installed by default. Alternatively, the F-Droid mention could be deleted entirely.

@github-actions

github-actions bot commented Oct 3, 2022

🎊 PR Preview 226b9f7 has been successfully built and deployed to https://privacyguides-privacyguides-org-preview-pr-1829.surge.sh

🕐 Build time: 100.246s

🤖 By surge-preview

@JustLuckNoSkill JustLuckNoSkill marked this pull request as ready for review October 3, 2022 21:22
@matchboxbananasynergy
Contributor

Thank you for spotting this. We should re-word this, but it is not a black-and-white situation when it comes to DivestOS, because they use their own F-Droid repo to distribute and update their own software, so we cannot suggest that people disable or not use F-Droid on DivestOS.

It might perhaps make sense to suggest that people disable it and use Neo Store instead, if that's possible, but I don't know what the best course of action is. Perhaps @SkewedZeppelin can provide some more information/guidance here.

@matchboxbananasynergy matchboxbananasynergy marked this pull request as draft October 4, 2022 13:18
@dngray dngray added the t:correction content corrections or errors label Oct 4, 2022
@SkewedZeppelin
Contributor

SkewedZeppelin commented Oct 4, 2022

There is a section here on this: https://divestos.org/index.php?page=faq#altDroid

tl;dr without it users won't have browser or WebView updates

I recently went through and checked 8 of the alternative clients and none of them support repository overrides like F-Droid does.

@matchboxbananasynergy
Contributor

@SkewedZeppelin If we were to theoretically recommend that people disabled F-Droid, installed Neo Store and enabled the necessary repos, would there be a problem with that? Or do you think it's best that people stick with the default configuration?

I cannot remember off the top of my head whether you use F-Droid's privileged extension or not. Are updates of these components unattended?

@SkewedZeppelin
Contributor

SkewedZeppelin commented Oct 4, 2022

@matchboxbananasynergy
As long as users add the repos I don't care what client they use.

PrivExt was removed in April, so updates aren't unattended.

@SkewedZeppelin
Contributor

SkewedZeppelin commented Oct 4, 2022

The updated version still isn't correct and would result in users missing critical WebView updates.

The available (Sept 10th) builds of DivestOS are currently shipping Chromium 105.0.5195.79.
But I've pushed out 105.0.5195.124, 105.0.5195.136, 106.0.5249.65, and 106.0.5249.79 via the WebView repo since then: https://divestos.org/misc/ch-dates.txt

@JustLuckNoSkill JustLuckNoSkill marked this pull request as ready for review October 4, 2022 19:34
@JustLuckNoSkill JustLuckNoSkill changed the title Warn against using F-Droid in DivestOS Recommendation Mention Neo Store in DivestOS recommendation Oct 4, 2022
@matchboxbananasynergy
Contributor

matchboxbananasynergy commented Oct 4, 2022

@SkewedZeppelin What do you think about the wording now? My only concern is that people may improperly configure Neo Store and not enable the DivestOS repos as we instruct and end up missing critical security updates. On the other hand, I'd prefer that people didn't leave the official F-Droid app enabled due to its SDK and other issues. (I am correct in assuming that the F-Droid app can be disabled but not uninstalled, right?)

Also, another question I had is why are there two separate repos instead of including everything in one repo?

@SkewedZeppelin
Contributor

SkewedZeppelin commented Oct 4, 2022

> What do you think about the wording now?

Wording could be a bit stronger, but looks fine.

> I am correct in assuming that the F-Droid app can be installed but not uninstalled, right?

Default installed, can be disabled.

> two separate repos

When I switched to the Mulch webview I wanted to maintain compatibility with all previous builds (because some users sadly only update every few months, and I didn't want any transition period), this meant signing the WebView for each device. So there are actually 120+ copies of the WebView apk in the repo.
Furthermore fdroidserver is very slow and buggy at processing Chromium apks, so it is actually a patched version to allow it to even generate and separate to prevent taking 5 minutes to regenerate for updates of the other apps.

It also has the benefit that if for some reason (like the time they broke scrolling for some apps) there is a bad webview update, I can just move the old repo back into place.
For example you can see the previous version still there: https://divestos.org/fdroid/webview-106.0.5249.65-1/index-v1.json

And lastly the official repo contains apps that can be used on any device, no need to clutter it with DivestOS-specific apps.
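
Added example, not part of the thread and not DivestOS code: a check for the gap described in the comments above, where a device still on the WebView bundled with its build has not picked up the versions published through the WebView repo. It parses a constructed index in F-Droid's index-v1.json layout; the package name `example.webview` and the sample entries are assumptions, with the version strings taken from the comment above.

```python
import json

# Constructed sample in the F-Droid index-v1.json layout: "packages" maps a
# package name to a list of APK entries. "example.webview" is a placeholder
# name; the duplicate versionName stands in for per-device signed copies.
SAMPLE_INDEX = json.dumps({
    "repo": {"name": "constructed WebView repo"},
    "packages": {
        "example.webview": [
            {"versionName": "106.0.5249.79"},
            {"versionName": "106.0.5249.79"},
            {"versionName": "106.0.5249.65"},
            {"versionName": "105.0.5195.136"},
            {"versionName": "105.0.5195.124"},
            {"versionName": "105.0.5195.79"},
        ]
    },
})


def parse_version(name):
    """Turn a Chromium version string into a tuple that compares numerically."""
    parts = name.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chromium version: {name!r}")
    return tuple(int(p) for p in parts)


def missed_updates(index_json, package, installed):
    """Return repo versions newer than `installed`, oldest first.

    Raises LookupError when the index does not carry the package, for
    example because it was fetched from a repo without the WebView.
    """
    entries = json.loads(index_json).get("packages", {}).get(package)
    if not entries:
        raise LookupError(f"{package} not offered by this repo")
    current = parse_version(installed)
    # A set collapses the repeated entries for the same version.
    newer = {parse_version(e["versionName"]) for e in entries}
    return [".".join(map(str, v)) for v in sorted(newer) if v > current]


if __name__ == "__main__":
    for version in missed_updates(SAMPLE_INDEX, "example.webview", "105.0.5195.79"):
        print("missing WebView update:", version)
```

Comparing the raw strings would rank 105.0.5195.124 below 105.0.5195.79, which is why the versions are parsed into integer tuples first.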

docs/android.en.md Outdated
Member

@dngray dngray left a comment

Think we should provide a link somewhere there, to what these "security issues" are. This will be a contentious topic amongst free software enthusiasts.

@matchboxbananasynergy
Contributor

Not sure if we should link to the wonderfall article in the DivestOS section when we mention the security issues with F-Droid, or if we should just have a link to our F-Droid section below, especially as there are plans to expand it with more context/info. Thoughts @dngray?

@dngray
Member

dngray commented Oct 7, 2022

> Not sure if we should link to the wonderfall article in the DivestOS section when we mention the security issues with F-Droid, or if we should just have a link to our F-Droid section below, especially as there are plans to expand it with more context/info. Thoughts @dngray?

I'm thinking expand the section on the android page to be a brief synopsis of some of the points in the wonderfall article. We should elaborate on that sentence:

> However, there are notable problems with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.

I think I would like to see this sentence elaborated into a single paragraph. The wonderfall article is quite lengthy, and I think its points won't be read by readers. I'm not saying we need to mention all of the points there, but I do think 1-3 are most relevant. Especially 3.

Signed-off-by: Daniel Gray <dng@disroot.org>
@dngray dngray merged commit 226b9f7 into privacyguides:main Oct 9, 2022
@JustLuckNoSkill JustLuckNoSkill deleted the divest-no-f-droid branch October 9, 2022 20:21
@privacyguides-bot
Collaborator

This pull request has been mentioned on Privacy Guides. There might be relevant details there:

https://discuss.privacyguides.org/t/v2-27/1084/1
