How f-droid works?

qtum · March 26, 2023, 4:37pm

Hello! this is my first topic on the f-droid forum.
And I have a few questions, please answer them all.

1; Is it safe to update confidential apps through fdroid official store on phone. (like, confidential data will not go anywhere and will not be transferred?

2; When will the guardianproject repository start working? I know that this repository is not owned by fdroid, but on the forum they said that fdroid made this mistake.

3; When dropping traffic, fdroid connects to domains: s3.amazonaws.com, mirror.osspla.net, ftp.lysator.liu.se, etc. This is fine? After all, Amazon is not open source.

4; How to check the number of fdroid store hashes? And is there an instruction?

Please answer these questions in the same order.

(translated by google)

TheLastProject · March 26, 2023, 5:59pm

I personally trust the official repositories completely. But with any app store, you have to trust both the app’s developers and the app store in question. However, F-Droid is working hard to make more and more apps reproducible, so people can confirm that F-Droid did not change anything to make F-Droid even more trustworthy.
I’m sorry, I don’t know anything about the Guardian Project repo or what issue you are talking about.
To make F-Droid as reliable as possible, there are many “mirrors” that provide the same content. All cryptographically signed to keep it safe. If you want F-Droid to not connect to some of those mirrors, you can go to Settings → Repositories → F-Droid and uncheck all of the mirrors you don’t want to use. However, the more mirrors you disable, the more unreliable F-Droid will get, as it won’t be able to work if all the mirrors you allow are offline.
You mean the PGP Signature listed on https://f-droid.org/F-Droid.apk.asc? FAQ · Wiki · F-Droid / wiki · GitLab should help.

qtum · March 27, 2023, 12:19am

Thanks, can I ask the f-droid team to enter the hash of the sum sha 256 (or something similar) for a more convenient and faster check of the hash sums?

Licaon_Kter · March 27, 2023, 6:44am

“enter” where?

vdbhb59 · March 31, 2023, 5:01am

I suppose the ask is to provide shasum/hash values of each apk that gets generated to be more secure.
@qtum that is available on the website of f-droid for every package.
On the app, I too have not seen it, I trust.

system · May 30, 2023, 5:02am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.