Is it as safe as it is from fdroid official repo

I was looking for colabora office repo and bromite repo and session also but i could not understand why they don’t give that app in original f repo.
I think downloading apps from unknown repos is as same as downloading from play store both case no third party verify apps or compile it from source so give the best possible security.

F-Droid can’t ensure the apps are safe. You still need to trust the upstream developers. We only do some basic check. colabora office and bromite are difficult to build so they are not included in the official repo. Session relies on GMS.

1 Like

That is enough at least you check apps playstore don’t even do that.
In playstore every apps are spyware.

If session relies in GSM why it can be used without it? Is just about notifications? then is like signal

I guess GSM is used for push only.

2 Likes

That’s not quite true actually, on the Playstore they will check that you are not a competing app store but not necesarily if an app is spyware because Google’s own ad network is spyware to some extent and if the apps uses anything from Google, Google may get a small cut of revenue. Why would they actively take down apps that make it money especially if they don’t even have to make some of them.

I can’t agree with that there are most spyware are found on play store compare to apple app store and f-droid
Just search for vpn and scrol down you will find sheddy apps there
I was thinking just becasue i have seen google is not doing enough most of apps are not even mention how many what data are actually been collected.
I truly trust fdroid so i find apps don’t have in fdroid but can be downloaded by added with repos if those have a regulation from fdroid for follow certain rules not.
This should not be the next playstore.

Take in mind other repos are not built or reviewed by F-Droid. It’s third party.

1 Like

Hence it is as same as downloading from play right thanks.

Is it like Signal ( since it is based on it) where you could use Google Push Services or you could setup a webs socket instead?

What is being checked during the the basic check? And are any reports with results published?

When an app is submitted the first time, our issuebot scans the apk and reports permissions, trackers and non-free libs. We also check the apk with VirusTotals. Then we test it on a device to ensure it works well and there is no suspectious network connections. Our reviewers publishes thoes review in the comments of the MR. We don’t check it again for app updates. The fdroidserver scanner scan the repo for non-free libs only.

1 Like

I don’t know…

Thx for clarification. And then what network connections are considered suspicious? And what happens if such connections are revealed?

E.g., connections before any actions or connections to Google, Cloudflare etc. We’ll ask the developer for explainations and if there is no proper reason (it may be a mistake or the developer doesn’t realize the such connections are suspicious) we’ll require the developer change the app’s behavior. If there is connections with non-free network service we’ll tag the app with NonFreeNet Anti-Feature and if there is tracking connections we’ll apply Tracking Anti-Feature. Before the app is inclued we try our best to ensure all connections are reasonable or clarified.

1 Like

But what about the apps which we have to add custom repo for are those also following the ethnics of fdroid or not.

what about them?

No, we do not control what repo you can add.

Yes as i have thought it would be so i will recommended to just provide those in fdroid but it is not always possible as for some apps don’t it to be in fdroid and sometimes some are complex enough to compiled in fdroid so those verified with fdroid key those apps should be tested by fdroid for various security and privacy issues could be there once they are find fdroid can push them.else it may hampere security nobody knows what people are maybe don’t they may trust fdroid but completely miss that and add something which may cause some potential issue may be the way it can be implemented that you can provice your key and they will have to sign there app with this and fdroid will verify that to stop that kind of attack and like gurdian you should provide other fdroid known or trusted repos.