It may still be too early for me to ask such a question. I would like to know if it’s acceptable to publish an open source paid/subscription application on F-Droid?
My application (non-Android at the current moment, and uses Windows) consists of a totally endpoint-encrypted file storage (it does not involve any user secret on the server side, which includes password/passphrase, and uses only PKCS [Public Key Cryptography System]) and a secure database client application (which does not really need to be posted to F-Droid, because it is mostly used on a server/in an application), both of which use PayPal instead of the Google or iOS store payment.
Currently my application requires certain fixes and patches before I can work on an Android version through Xamarin. It also currently runs in the PayPal Sandbox instead of the production environment.
Here’s my application:
I would like to know if my projects can be uploaded to F-Droid when the time’s right, because … it is POSS instead of FOSS…
The FOSS part covers the code, not the functionality. We have apps that connect to sites; whether you need to pay for an account or not is something else, not the point of F-Droid. Better yet, it might be a good thing for FOSS, to make it sustainable.
Thanks for your clarification and response.
But currently we can’t build Xamarin apps so your app can’t be published on F-Droid.
Don’t worry, because I wasn’t sure if I can make it work on Android yet… regardless of whether it’s using Xamarin or plain Android…
We already have a few projects on F-Droid that are part of a paid service, like SimpleLogin. So sure, as long as the app itself is libre.
Is there any official format for signing the application and releasing the public key? Can I just use the libsodium open source cryptography library to do it instead of relying on OpenSSL, a certificate or PGP? In C#, there are 3 suitable data types to distribute the signed application and public key, which are Byte (unsigned 8-bit integer array in C# / signed 8-bit integer array in Java), Char and String. The majority of the cryptography community has settled on using Base64-encoded strings to distribute any cryptography-related content; do the public key and signed application need to be in a Base64-encoded string?
Here at F-Droid, the machine will build and sign the APK with the F-Droid key…
Oh okay, thanks for informing me.
(Let me know if I should make a new post instead of posting here).
I would like the people on F-Droid with either a Linux or Windows machine to be testers of my applications. I really need suggestions or feedback from you guys on how I can make it better.
Linux Application(Launched by terminal access by web browser):
I would appreciate any suggestions/feedback. If there are none I will be using the code and the logic to start making a mobile version.
Some (armchair) feedback:
For the web version:
- there are many GET requests which ought to be POST
- using .txt files for a database will become a headache later on, use a real DB. Furthermore I suspect these files are inadvertently made publicly accessible!
- source files are missing license header
- consider moving the systemd unit from the readme into a .service.example file
- filtering for valid characters in SecureIDGenerator seems questionable, just encode the raw bytes instead perhaps?
- there are many hardcoded hostnames
- in Program.cs you have “validation data” that is random bytes? that seems absurd
- consider using SRI where possible
- many files are just stubs? perhaps note them with comments?
- why is Required_Files a zip and not just included as is in the repo?
- why does it need to run as root?
For the non web version:
- import function can be used to write out of self
- lots of redundant code, please DRY
- none of your docs concisely explain what exactly this is or why someone would use it
- add some screenshots maybe
- consider learning the basics of git instead of having many copies of different versions in the repository
- you have some docs that are .pdf files??? make them plaintext please
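Two of the points raised in this thread, the SecureIDGenerator filtering item above and the earlier Base64 question, rest on the same idea: random material and key material are raw bytes, and an encoding such as Base64 or hex makes them printable without discarding any of them. The script below is an added illustration in Python, not code from the project (which is C#; the equivalent calls there are `RandomNumberGenerator` and `Convert.ToBase64String`) or from either poster. It contrasts a generator that filters random bytes down to "valid" characters with one that encodes every byte, and computes how much entropy the filter throws away; the 32-byte size and the 62-character alphabet are assumptions chosen for the example.

```python
import base64
import math
import secrets
import string

# Alphabet a character-filtering generator would keep: 62 of the 256 byte values.
ALLOWED = frozenset(string.ascii_letters + string.digits)


def filtered_id(n_bytes: int = 32) -> str:
    """The questioned pattern: draw random bytes and keep only the ones that
    happen to be 'valid' characters.  About 62/256 of the bytes survive, so
    the output length varies and most of the drawn entropy is discarded."""
    raw = secrets.token_bytes(n_bytes)
    return "".join(chr(b) for b in raw if chr(b) in ALLOWED)


def encoded_id(n_bytes: int = 32) -> str:
    """The suggested alternative: keep every random byte and make it printable
    with an encoding.  URL-safe Base64 without padding turns 32 bytes into a
    43-character token that is safe in URLs, headers and file names."""
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_id(token: str) -> bytes:
    """Recover the raw bytes.  The same decode serves a Base64 public key or
    signature received from the other side of a protocol."""
    padding = "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token + padding)


def expected_filtered_length(n_bytes: int) -> float:
    """Mean number of characters the filtering generator keeps from n_bytes."""
    return n_bytes * len(ALLOWED) / 256


def entropy_bits(n_symbols: float, alphabet_size: int) -> float:
    """Entropy of n_symbols drawn uniformly from alphabet_size symbols."""
    return n_symbols * math.log2(alphabet_size)


if __name__ == "__main__":
    print("filtered :", filtered_id(), "(length varies per call)")
    print("encoded  :", encoded_id())
    kept = expected_filtered_length(32)
    print(f"filtering keeps ~{kept:.2f} chars, ~{entropy_bits(kept, 62):.0f} bits")
    print(f"encoding keeps all 32 bytes, {entropy_bits(32, 256):.0f} bits")
```

With 32 random bytes the filter keeps on average 7.75 characters, about 46 bits, while the encoded token carries the full 256 bits and can be decoded back to the exact bytes. The surviving characters of the filter are still uniform, so it is not biased, only wasteful and variable in length; if a restricted alphabet is really required, draw bytes until enough survive rather than accepting whatever is left.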
Non web version reply:
- Mind giving an example?
- I’ll remove the redundant code
Other things reply:
- I will include some documents as to why people would use it. The reason behind this application seems clear to me: to eliminate any need for a password/passphrase or any form of user secret on the server side, because in my document I have made the statement that both users and developers may not know what they are doing. In most cases, if an attacker gets the hashed form of a password (regardless of whether it is properly dealt with and processed), the chances are that if they are able to crack one, the cracked password/passphrase may be the password for their social account (Facebook/Meta), bank account, Google account, Microsoft account, GitHub account, and this list goes on… This is a chain reaction that will definitely occur as long as the server or the services (the service provider’s server) involve the user’s secret. That’s why, for both the privacy and security community, the server/service provider in the long run mustn’t use any of the user’s secrets for logging in or for performing encryption/decryption on the user’s behalf when the service asks for a user secret such as a password/passphrase (this is also the reason why my application encrypts and decrypts on the user’s device instead of the server [Storage], and only the user’s device can decrypt [Database]).
Confidentiality/privacy can only be achieved if both parties know what they are doing. By making the server user-secret-less, it’s not in the adversary’s or hacker’s interest, as the server has lost its value as a target. This application, like my other application, relies on a cryptographic RNG to ensure each key (symmetric encryption key and private/public key) is generated with strength equal to a random strong password. As the server stores only publicly disclosable information, finding the user’s private key through the public key is impossible (before the big alien quantum computer). If relying on a cryptographic RNG, it means that any private or symmetric encryption key mustn’t be lost, else there’s no way to recover.
There may be more reasons why a server achieving almost perfect user-secret-lessness is the only option in the long run for both the privacy and security community… I will put my reasoning and what exactly this is in the documents.
- What screenshots would people want? I may need an idea, else… I don’t know what kind of screenshot I should take.
- Alright, will do.
- Your “plaintext”, does it refer to a text file such as .txt? Or can it be another format?
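The feedback item “import function can be used to write out of self” describes a path-traversal weakness: an import routine that joins entry names taken from the imported file onto a directory without checking where the resulting path lands, so a name such as `../escape.txt` writes outside the store. The following Python script is an added illustration of the confinement check such a routine needs; it is not code from the project (which is C#) or from either poster, and the `store` directory name and the sample entries are constructed for the example.

```python
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when an import entry would land outside the import directory."""


def resolve_inside(base_dir: Path, entry_name: str) -> Path:
    """Map an entry name from an import file to a path that is guaranteed to
    stay inside base_dir.  Absolute names, '..' components and symlinks are
    all handled by resolving both sides and comparing the results."""
    base = base_dir.resolve()
    candidate = (base / entry_name).resolve()
    if candidate == base:
        raise UnsafePathError(f"entry {entry_name!r} names the base directory itself")
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"entry {entry_name!r} escapes {base}") from None
    return candidate


def import_entry(base_dir: Path, entry_name: str, data: bytes) -> Path:
    """Write one entry of an import, refusing anything outside base_dir."""
    target = resolve_inside(base_dir, entry_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


# Constructed sample entries, as they might appear in an import file:
# two legitimate names and three that try to leave the store directory.
SAMPLE_ENTRIES = [
    ("notes/todo.txt", b"buy milk"),
    ("keys/public.pem", b"-----BEGIN PUBLIC KEY-----"),
    ("../escape.txt", b"would be written next to the store"),
    ("docs/../../escape2.txt", b"same trick, nested"),
    ("/etc/passwd", b"absolute path"),
]


def run_import(entries=SAMPLE_ENTRIES) -> dict:
    """Import the entries into a temporary store and report, per entry name,
    'written' or 'rejected'; 'escaped_files' lists anything that ended up
    beside the store directory (expected: nothing)."""
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "store"
        store.mkdir()
        for name, data in entries:
            try:
                import_entry(store, name, data)
                outcome[name] = "written"
            except UnsafePathError:
                outcome[name] = "rejected"
        outcome["escaped_files"] = sorted(
            p.name for p in Path(tmp).iterdir() if p.name != "store"
        )
    return outcome


if __name__ == "__main__":
    for name, result in run_import().items():
        print(f"{name:28} {result}")
```

The check resolves the candidate path before comparing it, which is what defeats `..` sequences and symlinked directories; a plain string prefix test on the unresolved name is not enough. The same pattern applies to archive extraction, where each member name is an entry name chosen by whoever produced the archive.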
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.