Fennec vulnerability? Recommended to uninstall

Well, in the past, there was just plain Firefox APK in F-Droid. A few years ago, however, it was kicked out because it violated purity rules (of course…). To me, that was already totally unnecessary.
They should have just kept the original Firefox. It’s an open source browser, it was fine. You should support other open source apps. Even if they don’t fulfill all your standards in all components in the chain… (sometimes you have to take compromises)

Anyway, I don’t understand why Fennec is still not updated. That PR I linked above is finally merged. But still something in the process seems to block the update. I don’t get it. The real key to security is not open source purity rules, but speed. You need to get the updates to the user real quick, like in a matter of hours.

Two cents: seems to be a conceptual inconsistency here in some arguments.
“We need to guarantee timely security, so, let’s allow proprietary software, unknown code, to be part of F-Droid catalog, so we have all the possible insecurities that come with that.”
There’s no security at all in proprietary software/unknown code. At least, not one that users can really and freely rely on.
“Security by obscurity” should be a natural no-no in F-Droid, I suppose.
Kind regards.

So it’s open source but was kicked because it wasn’t open source?

More stuff to fix: Fennec & Mull - fix apt (!16229) · Merge requests · F-Droid / Data · GitLab

2 Likes

Well, right now the APKs provided by Mozilla are more secure than what F-Droid provides by virtue of being more up-to-date. Yes, there is a risk incurred by some closed-source components (I don’t know the details of that but will take your word for it), but that risk is much smaller than the risk incurred by known CVEs.

Security is always a matter of trade-offs. Dogmatism has no place in security discussions.

1 Like

FFUpdater works well.

Feel free to choose the trade-offs yourself. F-Droid can’t do that for all the users. F-Droid provides the FOSS build and you are free to choose it or Mozilla’s build.

4 Likes

right now the APKs provided by Mozilla are more secure than what F-Droid provides by virtue of being more up-to-date

That’s a pure-faith proposition. You simply can’t know. Not knowing the source-code you’re just dealing with binaries. You simply don’t know what’s inside.

there is a risk incurred by some closed-source components (I don’t know the details of that but will take your word for it), but that risk is much smaller than the risk incurred by known CVEs.

Another gratuitous affirmation. You simply don’t/can’t know.

Security is always a matter of trade-offs. Dogmatism has no place in security discussions.

Security ain’t the issue here. Users are informed and advised. There’s no security risk for anyone. There’s no security in closed-source, just submission and faith…

Ah, I didn’t realize this was back in the repos… or maybe it has always been there but I stopped using it when Fennec became available. Thanks for the pointer.

That’s a ridiculous statement in a thread that is about F-Droid shipping a multi-month-outdated browser. Security bugs don’t go away when you “inform” about them. Furthermore, “we informed the user” is the poor excuse that data brokers use to justify their terrible deeds; I would expect better from open-source projects. Most users are not able to make an informed choice on questions like this, it is our responsibility as the ones who can make informed choices to ensure the rest of society gets the best possible technology. “We’re shipping you a browser full of security holes, but we told you about it” is not living up to that responsibility. (Also, the browser was full of holes for more than a month before users were being told about it.)

There definitely is a substantial security risk from running an outdated browser. It seems silly to even have to state that.

This attitude is exactly what I meant when I said that security concerns are being downplayed here. You are doing open-source users a disservice with comments like this.

The world is not black-and-white, and Firefox is an open source project, so just because Mozilla’s build includes some proprietary components it doesn’t immediately degrade to a fully untrustworthy black box full of security issues.

A whole suite of known CVEs definitely poses a much bigger risk than the potential of an unknown CVE in the few proprietary components of the Mozilla build. If you disagree I’d like to see your detailed threat analysis, since it goes against all experience and common sense. On the one side, we have a definitely vulnerable browser, where clicking the wrong link can trivially lead to the attacker taking full control of the browser. On the other hand, we have a risk of such issues, but the chance of such an issue existing is undeniably below 100%, meaning that the definitely vulnerable browser is unquestionably less secure.

Put differently, which browser would you rather use to access a website that I specially crafted for you: the one that has a ton of known CVEs, or Mozilla’s official build?

This thread shouldn’t be marked as solved: the solution proposed by SkewedZeppelin a week ago wasn’t the solution.

There’s no further information given about what would cause the delay, except for a link to a GitLab repo with other rather cryptic errors (solved in one thread, but arisen again in other threads) and a mention of missing manpower without further description of the type of help needed.
So it clearly is expected that you are an insider to read and write here: as a simple F-Droid user you’re not supposed to be here, and I certainly don’t have the knowledge to support this process.

F-Droid is announced as a reliable and safe source of open source software for ‘normal users’ in many places; several journals have recommended it in the last few years.

But the attitude shown here contradicts this assumption: F-Droid definitely spoils user security for FOSS dogma. That makes it an unreliable repo regarding the security of the apps for me.

You may indeed call this a matter of convenience, but not all people have the time and / or the knowledge to follow the security update sequence so closely.
Most of the F-Droid users will just search for updates in F-Droid but not expect that they have to examine whether these updates are really the latest version. (Yes, there’s now a reminder that F-Droid Fennec is outdated, but it came quite late.)

Maybe the less frustrating way for both developers and users would be to keep software that depends heavily on timely applied security updates (for example a web browser) out of F-Droid if one can’t guarantee timely updates to a certain degree (for example within about 2 or 3 weeks?). This way F-Droid can stay both a reliable repo and a true FOSS place.

Thanks a lot to you all for providing Fennec on F-Droid up to version 129.02!

1 Like

Now it shows fail log: org.mozilla.fennec_fdroid:1320000 - F-Droid Monitor

@Licaon_Kter, what happened? Can you take a look?

Already posted a link yesterday

And see the fix above…

Also Dealing with the heat | F-Droid - Free and Open Source Android App Repository

1 Like

What @ralfj said about downplaying the issue is 100% correct.

They even try now to alleviate the alert message when software is outdated. The very correct sentence “We recommend uninstalling this app immediately” is about to get removed: knownvuln - reword scary text (!1468) · Merge requests · F-Droid / Client · GitLab
It is “too scary”. LOL!
They believe so much that open source purity will be the savior that they downplay any other risks and want to hide the truth from the user.

This proves again that F-Droid is not meant to be used in real life. It is nothing more than a tech demo or a toy example that showcases how far you can get with 100% open source in the chain. But in real life, you need to balance things out between open source dogmatism, timely updates, security features etc. F-Droid will not provide that for you. And unfortunately you can’t switch back and forth between Fennec from F-Droid and Firefox from other app stores seamlessly. So the only logical consequence is you should use real Firefox and dismiss Fennec. They have proven to the world that they are not mature for real use cases.

1 Like

@vikebas926 you’ve made your point. Now, could you move on and stop trolling? Thanks.

2 Likes

Well, the PR 1468 was not mentioned before by anyone and I am indeed shocked that their only solution to the scary fact that F-Droid shipped a browser full of security issues is to weaken the alert message and denounce users who were critical of the current dogmas. “Shoot the messenger” is what you are doing here now.

P.S. No one in this thread said the alert message should be weakened. People were scared because of their web browser being full of security issues, the message just truly laid out the consequence of that: stop using the app. To put out this message was actually a very responsible thing. If you want people to be less scared, prioritize fast security updates over FOSS purity, but don’t weaken the message.

If the message is scary, it is problematic, F-Droid should abandon FOSS, F-Droid should host Firefox built by Mozilla from Google proprietary code, F-Droid should do this and that

If the message is not scary, it is problematic as well

There’s no winning move ever…

Nobody comes to help in the open issues about Fennec and Mull

That’s why we can’t have nice things, we only have complaints

And I know it better than most, I started by complaining, then I started helping fix my own complaints as much as possible, or the complaints of others so the people that can fix the hard stuff don’t need to waste time on the low hanging fruit.

This thread has passed its usefulness.

6 Likes

Feel free to immediately close this topic. I just want the F-Droid team to see this after they had to deal with all those entitled people in Fennec vulnerability? Recommended to uninstall - #38 and unfortunately the thread was closed before I could create my account.

I’m not a developer (I tried and gave up when I was in my teens), so all I can do is donate via liberapay to the project what I do gladly for years despite having major political and philosophical issues with the team. (I miss the times when neutrality and free speech had actual meaning in the open source community: Public Statement on Neutrality of Free Software | F-Droid - Free and Open Source Android App Repository )

The F-Droid team is doing very important work that no one else is doing and despite them being flawed ideologically as well as having some logistical issues (due to lack of resources/manpower) the fact stands that they are the very best we have. There is no other project that provides such a wide range of guaranteed pure and top to bottom no compromise open source software on Android with easy auto updates.

No matter how annoyed you might be about late updates or build issues: Take a moment, chill and be thankful that there are a bunch of guys taking a lot of time out of their week, every week, to provide this service to you for free. If you don’t pay (donations are not pay!) and if you don’t contribute code, then you don’t get to complain. Move along!

Thank you, that’s all.

7 Likes

It’s still stated “Fennec F-Droid is based on the latest Mozilla Firefox release”

That’s definitely an untrue statement for the moment (Fennec is on 129.0.2, Firefox is on 132.0.1)

In addition, the security warning about the more than 2 months outdated version with known security flaws was taken away.

Is this supposed to be this way? Shouldn’t there at least be a small warning instead of a reassuring and deceiving message?

1 Like