Hi
I am new to F-Droid. Can you answer me the following:
What does this mean? How is it removed by builds?
And which services does it connect to in order to track users, if it is written that telemetry is removed?
Also, some time ago it was marked as “Vulnerable” (even on this forum) but now it is no longer marked. So does that mean that the vulnerability was fixed in the new version? And is it safe to use it?
Sorry for dumb questions, I am new to FOSS and decided to fully degoogle and move to fully Open Source.
yes
use a firewall app like Netguard to see those
before the app is built that code is removed
That’s a complicated question, which you cannot simply answer by “yes” or “no”.
At this moment in time I’m writing this to you, the answer is yes, it is safe to use. It has all the known security issues patched and you won’t get any safer than that.
Generally speaking, the answer is more complicated: “sometimes yes, sometimes no”. You have to understand that the underlying issues that caused Fennec to be flagged as insecure are not solved. It can happen anytime in the future again. The issue is that Firefox uses some non open source libraries and build tools for which no alternative is available. This violates F-Droid's mission. So what they do is they take Firefox, remove these features and modify the build script. But over time, this becomes more and more complicated. Every time Mozilla adds a new non-free library, the custom build scripts need to be adapted. F-Droid is run by volunteers and no one knows if at the time when they need to update their build script, they have the capacity to do so. Totally understandable, what people do in their free time is their and only their decision. But there would be an easy solution: just publish Firefox as-is as an interim version. This, however, is strictly disliked by the F-Droid devs. They rather publish no update at all, leaving its users with a version full of security issues. They take their open source mission very seriously. There is no backup solution, no plan B. In the case you mentioned, there was no update for several months.
What makes it worse is that it took them two months to put out the warning. Much too late, because Fennec was already several major versions behind. Already for several weeks, its users have been subject to known vulnerabilities and no one informed them about it. Only very recently.
And it is very likely that this will happen in the future again. So you need to decide: do you want to take the risk or not?