With recent shakedowns in social media, I’ve been leaning back towards less spy-heavy whatnot*. Moving over to Mastodon, I’ve learned about FOSS and here, F-Droid. I really like the concept!
My main question is this - Is there a way to tell if an app listed here is by the same organization that has it listed elsewhere? i.e. how can I tell that the DuckDuckGo Browser app here is published by DDG themselves?
I ask as I come from dealing with my Dad’s Kindle Fire that only has the Amazon App store on it and it is rife with apps published by third parties and not their host organization.
Thanks for all the help! I hope to be able to move more into this kind of a space.
*Mastodon, trying to Linux in a VM again, Protonmail, etc.
For each app, there’s a “Links → Source code” option in the app which links you to the source code repository the app is built from.
While @Licaon_Kter is technically correct to say nothing on F-Droid is published by the developers (the developers publish the source code, F-Droid builds from that source code so you can be sure what you run matches the source code) it doesn’t really answer the underlying question: how can you be sure what’s on F-Droid is legitimate and not an existing app republished with hidden malware?
You can be sure everything on F-Droid is legitimate because every new app submission is reviewed by the app review team and people have to submit source code instead of pre-built APK files (apps). This should make it really difficult and thus quite unlikely to be able to sneak something like that in. Many developers will also link to F-Droid from their official domain to make it extra clear. For example, DuckDuckGo has a very small “F-Droid” link on the bottom of DuckDuckGo — Privacy, simplified..
IIUC, those links go to where the app source is, was, or has been developed, and where F-Droid initially got the source; however, the source actually used in F-Droid builds is the “this source tarball” links, which are found on the F-Droid website.
Is there a way to tell if an app listed here is by the same organization that has it listed elsewhere?
Sometimes it is easy, sometimes more difficult. Due diligence effort is necessary if it is important to you. Case in point, OsmAnd is more difficult to confirm, because their website does not advertise the connection (and the F-Droid version is supposedly semi-independent, or something).
I ended up tweeting at the DDG page yesterday and asking. Their CEO replied! Told me that it was them uploading the f-droid version. Given the overnight DDG news, it’s not the best look for the CEO responding to random minor questions, but I guess I still appreciate it?
That is good to know about their being a review policy. It’s an extension of my lack of trust of Amazon in general, but the AAS seems hinky as all get out.
