
Recommend F-Droid Basic over Neo Store #2293

Merged
merged 1 commit into from Nov 1, 2023

Conversation

jonaharagon
Member

Changes proposed in this PR:

  • Recommend the first-party F-Droid Basic client now that it supports unattended upgrades.
  • I have disclosed any relevant conflicts of interest in my post.
  • I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project.
  • I am the sole author of this work.
  • I agree to the Community Code of Conduct.

@privacyguides-bot
Collaborator

This pull request has been mentioned on Privacy Guides. There might be relevant details there:

https://discuss.privacyguides.net/t/recommend-f-droid-basic-instead-of-neo-store/14311/2

@netlify

netlify bot commented Oct 6, 2023

Deploy Preview for privacyguides ready!

Name Link
🔨 Latest commit b69edfe
🔍 Latest deploy log https://app.netlify.com/sites/privacyguides/deploys/65429b6ada46a200087748ac
😎 Deploy Preview https://deploy-preview-2293.preview.privacyguides.dev
Lighthouse
4 paths audited
Performance: 74
Accessibility: 91
Best Practices: 98
SEO: 88
PWA: -


@dngray
Member

dngray commented Oct 7, 2023

Agreed, I think the language can be softened a bit as they have made some progress according to their blog.

@matchboxbananasynergy
Contributor

Agree with the change, though the unfortunate thing is that the F-Droid apps don't have a way to show you an app's targetSdk, which is what I personally liked about Neo Store, since F-Droid doesn't remove or hide apps with old targetSdk levels, and as far as I'm aware also doesn't prevent them from getting onto the store/updating their apps. Being able to see what the targetSdk level is at a glance is quite significant.

@dngray dngray added the c:software self-hosted/decentralized software and related topics label Oct 7, 2023
@dngray
Member

dngray commented Oct 9, 2023

@matchboxbananasynergy iirc, that was the original and main reason for not really recommending F-Droid as much as we used to initially. As F-Droid allows apps with lower API levels, that means weaker sandboxing for those apps than if they were in Google Play etc.

@@ -381,17 +381,17 @@ If you download APK files to install manually, you can verify their signature wi

![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }

==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.
==We only recommend F-Droid as a way to obtain apps which cannot be obtained via the means above.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are some security-related downsides to how F-Droid builds, signs, and delivers packages:
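Review bot: the replacement line drops the privsec.dev link and with it the only pointer to why low-API-level apps matter; the new wording names only how F-Droid "builds, signs, and delivers packages". Since the line now ends with a colon introducing the list of downsides, consider adding an item (or a sentence) noting that Google Play requires apps to target a recent API level, which gives those apps stronger sandboxing, linking https://developer.android.com/google/play/requirements/target-sdk as the review comment on this line suggests. Minor wording nit: "apps which cannot be obtained via the means above" reads more naturally as "apps that cannot be obtained through the methods above".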
Member


I think if we remove the privsec link here we should mention that apps in Google Play have to target a higher API level, and therefore have stronger sandboxing. We should perhaps show this article https://developer.android.com/google/play/requirements/target-sdk

@jonaharagon
Member Author

A forum member pointed out that F-Droid Basic does show a warning on apps with a low target SDK. My understanding is that the minimum target SDK at which this warning appears will advance similarly to Google Play's policy with each new Android release:

The app that's being installed targets API level 29 (Android 10) or higher. (Google notes that the target API level requirement will advance in future Android versions, a policy that's in line with Google Play policy on API target requirement.)

https://www.xda-developers.com/android-12-alternative-app-stores-update-apps-background/

@privacyguides-bot
Collaborator

This pull request has been mentioned on Privacy Guides. There might be relevant details there:

https://discuss.privacyguides.net/t/remove-note-about-getting-f-droid-apps-from-obtanium/14440/4

@dngray
Member

dngray commented Oct 19, 2023

that F-Droid Basic does show a warning on apps with a low target SDK

It looks like it does, but it only says that it won't auto update. I think we should mention something which summarizes:

Every new Android version introduces changes that bring security and performance improvements and enhance the Android user experience. Some of these changes only apply to apps that explicitly declare support through their targetSdkVersion manifest attribute (also known as the target API level).
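
The thread above notes that the F-Droid clients do not surface an app's targetSdk, and quotes the API 29 (Android 10) cutoff below which unattended updates are not possible. As an added example, not code from this PR, from Privacy Guides or from F-Droid, the script below recovers that information from `aapt dump badging` output and flags APKs whose targetSdkVersion falls below the cutoff. The badging text is constructed for hypothetical packages; the cutoff constant and the `assess_apk` helper (which assumes `aapt` from the Android SDK build-tools is on PATH) are this example's own.

```python
import re
import shutil
import subprocess

# Cutoff quoted from the XDA article above: Android 12 allows unattended
# updates only for apps targeting API 29 (Android 10) or higher. The
# article notes the requirement is expected to advance over time.
MIN_TARGET_SDK_FOR_UNATTENDED_UPDATES = 29

# Constructed sample output of `aapt dump badging <apk>` for hypothetical
# packages (placeholder names, not real apps).
SAMPLE_OLD_APP = """\
package: name='org.example.oldapp' versionCode='7' versionName='1.2' platformBuildVersionName='9'
sdkVersion:'21'
targetSdkVersion:'26'
application-label:'Old App'
"""

SAMPLE_NEW_APP = """\
package: name='org.example.newapp' versionCode='42' versionName='3.0' platformBuildVersionName='13'
sdkVersion:'24'
targetSdkVersion:'33'
application-label:'New App'
"""

# No targetSdkVersion at all: Android then treats it as equal to minSdkVersion.
SAMPLE_NO_TARGET = """\
package: name='org.example.legacy' versionCode='1' versionName='0.1'
sdkVersion:'19'
application-label:'Legacy'
"""

_PACKAGE_RE = re.compile(r"^package: name='([^']+)'", re.MULTILINE)
_MIN_SDK_RE = re.compile(r"^sdkVersion:'(\d+)'", re.MULTILINE)
_TARGET_SDK_RE = re.compile(r"^targetSdkVersion:'(\d+)'", re.MULTILINE)


def parse_badging(text):
    """Extract package name, minSdkVersion and targetSdkVersion from badging output.

    A missing targetSdkVersion defaults to minSdkVersion, mirroring how the
    platform interprets the manifest.
    """
    pkg = _PACKAGE_RE.search(text)
    min_sdk = _MIN_SDK_RE.search(text)
    target = _TARGET_SDK_RE.search(text)
    min_sdk_value = int(min_sdk.group(1)) if min_sdk else None
    target_value = int(target.group(1)) if target else min_sdk_value
    return {
        "package": pkg.group(1) if pkg else None,
        "minSdk": min_sdk_value,
        "targetSdk": target_value,
        "targetSdkDeclared": target is not None,
    }


def assess(text, min_target=MIN_TARGET_SDK_FOR_UNATTENDED_UPDATES):
    """Decide whether the APK described by `text` meets the target SDK cutoff."""
    info = parse_badging(text)
    target = info["targetSdk"]
    info["meets_cutoff"] = target is not None and target >= min_target
    if target is None:
        info["reason"] = "no sdkVersion or targetSdkVersion found in badging output"
    elif not info["targetSdkDeclared"]:
        info["reason"] = f"targetSdkVersion not declared; defaults to minSdkVersion {target}"
    elif target < min_target:
        info["reason"] = (f"targetSdkVersion {target} is below {min_target}: platform changes "
                          f"gated on the target level do not apply and unattended updates are not possible")
    else:
        info["reason"] = "ok"
    return info


def assess_apk(apk_path, aapt="aapt"):
    """Run `aapt dump badging` on a local APK file and assess the result.

    Assumes the Android SDK build-tools `aapt` binary is available on PATH.
    """
    if shutil.which(aapt) is None:
        raise FileNotFoundError(f"{aapt} not found on PATH")
    proc = subprocess.run([aapt, "dump", "badging", apk_path],
                          check=True, capture_output=True, text=True)
    return assess(proc.stdout)


if __name__ == "__main__":
    for sample in (SAMPLE_OLD_APP, SAMPLE_NEW_APP, SAMPLE_NO_TARGET):
        r = assess(sample)
        print(f"{r['package']}: targetSdk={r['targetSdk']} "
              f"meets_cutoff={r['meets_cutoff']} ({r['reason']})")
```

Run against a downloaded APK with `assess_apk("path/to/app.apk")`; the cutoff argument to `assess` can be raised as the platform requirement advances.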

@jonaharagon
Member Author

I really don't see that change as critical given that:

  1. We say:

    Additionally, the requirements for an app to be included in the official F-Droid repo are less strict than other app stores like Google Play, meaning that F-Droid tends to host a lot more apps which are older, unmaintained, or otherwise no longer meet modern security standards.

  2. We also say:

    You should use your best judgement when looking for new apps via this method, and keep an eye on how frequently the app is updated. Outdated apps may rely on unsupported libraries, among other things, posing a potential security risk.

  3. F-Droid Basic displays a prominent warning on apps with a low SDK, and the cutoff to display that warning automatically increases with new Android releases.

So... I don't know how to word the additional changes you're suggesting to fit it in cleanly on the page tbh, but if you want to commit a change adding that somewhere you think is best, that's fine w/ me.

@dngray
Member

dngray commented Oct 24, 2023

That is fair I guess.

Maybe we should say:

modern security standards.

Member

@blacklight447 blacklight447 left a comment


Looked it over, everything looks perfect.

Signed-off-by: Daniel Gray <dngray@privacyguides.org>
Signed-off-by: blacklight447 <github.ef27z@simplelogin.com>
@jonaharagon jonaharagon merged commit b69edfe into main Nov 1, 2023
3 checks passed
@jonaharagon jonaharagon deleted the jonaharagon/fdroid-basic branch November 1, 2023 18:40
@privacyguides-bot
Collaborator

This pull request has been mentioned on Privacy Guides. There might be relevant details there:

https://discuss.privacyguides.net/t/v3-17/15136/1

Labels
c:software self-hosted/decentralized software and related topics

6 participants