Some background information needed

Now that G%&$e was sued for forcing Phone companies to pre-install their Android version with all their malware included I hope Fairphone will consider providing some FP2s to be shipped with Fairphone Sibon (new name of FP Open) pre-installed.

I think Fairphone is considering shipping devices with Open/Sibon preinstalled. Their Updater app is available on all Fairphone devices, and it makes it quite easy to flash and reboot into Fairphone Open/Sibon. It is totally a click-through experience, no technical skills needed. So it is pretty close to shipping with the device.


Sounds promising.

Just noticed “Shiftphone” is a device, not just a ROM. Their list of installed apps is funny: all the Google crap except for Playstore? Guess they rather forgot to mention that app :rofl: But yes, with that one we have at least one group of devices (3 if I read that correctly – each with multiple generations, making it 8) coming with F-Droid pre-installed.

For the record, all Phhusson Treble floss images include FDroidPrivilegedExtension

Is there anything against obfuscation (proguard)?

Is there any page where I can get some details on “Phhusson Treble floss images”? What are they, where are they used? First time I’ve heard about them, so I’ve got no idea (apart from thinking I remember him authoring his own superuser).

As for proguard and obfuscation: what good should that be with the app being open source anyway?

proguard and obfuscation are totally fine, since we require the full source


Continuing the discussion from Question about inclusion of FOSS app with complicated dependencies:

Thanks a lot! So basically, a custom ROM that’s available for a list of devices, all of them using the same image – did I get that right? And it comes in 3 flavors, one of them being FLOSS and including F-Droid (according to their FAQ)?

The aosp floss flavor is more than a “custom” ROM; it’s a true Generic System Image (with Phhusson’s anticipated known compatibilities added per hardware/OEM).
Starting with brand new devices based on Oreo, GSI/aosp is an obligation for all OEMs to complete their Android “certification”: Vendor Test Suite (VTS); also all future GSI versions of Android will be backwards-compatible with Oreo (& P, Q…) Treble devices without changes to all the specific (closed source) kernel, vendor, boot…

Everything explained in common English here

It also means that every floss patch added before compilation will be available without root/su needed (SafetyNet…): microG, DozeSettingEditor, etc/host, bin/aapt & curl, and pre-built apks like Exchange2, ScreenRecorder or upgradable F-Droid/client, Fennec…
If Treble appears to be truly functional, F-Droid should build its own (CVE/monthly?) GSI (shouldn’t it? @contributors)


Um, one point forgotten:

Is there a feature for “device migration” – like the “restore” with Google stuff – so when moving to a new device one can migrate F-Droid apps + settings?

I guess the answer is “App Swap”, but no data – though I might have missed something.


Some other questions that came up in the wake:

  • we have no “age check” or matching filters. IMHO we neither have any app that would require one – or did I miss something?
  • data collection: I know F-Droid doesn’t collect user data. Only thing in this context are the webserver logs. How long are they kept?
  • security check: Is there any document giving some more details on how apps are vetted? I think e.g. of the bot (what checks does it perform?) – and what “human actions” are taken to ensure an app is “kosher”.
  • app coverage: Is there a list of “prominent apps” – and of what kind of apps are missing altogether? E.g. if a user wants to fully replace Playstore with F-Droid, where are the gaps and where’s the ice thin?

Thanks in advance for helping out with facts (and please, also consider the question in my previous post) :heart:

You can now export the list of apps installed via F-Droid from the “Manage Installed Apps” screen. It just gives you a CSV. That could then be used with fdroidcl.

  • I believe no logs are kept on the webservers
  • the only process docs I know of are in, but there are also some CI checks in both fdroidclient (lint, pmd, errorprone) and fdroidserver (pylint, pyflakes, bandit, …)
  • prominent apps include Adaway, Riot, Firefox Klar, Davdroid, AntennaPod, Amaze, K-9 Mail, Tutanota, LibreOffice, NewPipe, Nextcloud, Silence, Transportr, Offi

And let’s not forget OsmAnd~ and Maps.


Thanks a lot, Hans! Considering the “average Joe”: couldn’t that installed_apps.csv file be imported by the client again, which would (maybe after a confirmation) result in those apps being “queued for install”? Joe is afraid of CLI tools.

Security check: thanks, that’s a good starter. Though I’m not sure I’ll understand the technical details. For the article (addressing our Joe) I’ve got to compress that into a single paragraph or two – optimally convincing the reader the best measures are taken. I vaguely remember we had that process checked and got “certified” it’s secure? Or was that just the infrastructure in general?

Thanks for listing prominent apps, Hans & Coffee! Some of those I hadn’t on mine (which was rather short: DAVDroid, K-9, Öffi/Transportr and OSMand~ were the ones coming to my mind. Maybe that’s because I use most of them).

If someone wants to add some names, please do. Also, if some “sections” are missing others might feel important: AFAIK we e.g. have no banking apps (they shouldn’t be on a smartphone anyway IMHO), very few games (not that I miss them, but others certainly do), no photo editors and quite few gallery apps (those we have are not even in the Graphics category? Got to fix that, TL :wink:).

@Izzy: About prominent apps… There should be some from Simple Mobile Tools (Simple Contacts and Simple Gallery) and Lawnchair.


Unfortunately, those concentrate on the F-Droid system itself (client, server etc) – but there’s no document describing the “Release Process” for apps other than fdroidclient. What steps does e.g. your bot perform (to identify “unwanted content”)? What other steps do we follow to make sure a new app (or an update to an existing app) is “kosher”? There’s no document about that (or I missed it). If we could collect those details, such a page could (and should) be created.

Further, apart from lint/pylint (which are rather syntactical than security/content related), I have no idea what the others do (and e.g. “bandit” is a quite generic term to search for). Some links would be welcome :wink:

@HenriDellal Thanks!


Regarding app list I find “My App List” (now in archive) the best in class.

About webserver logs, I would like to switch to using privacy-preserving logging as proven by Tor and Guardian Project. So many projects, so little time…


About the security review process, the most important thing is that we require all apps to be 100% built from source for every build. Plus we release a source tarball that we generate for each APK that we build. With that there is the implied threat that the code can be audited by anyone at any time. In practice, that rarely happens, but that threat is enough to keep malware away. Look at Debian, Ubuntu, FreeBSD, Gentoo, Fedora, RHEL, etc. Technically, it would be easy to add malware to those distros without getting caught. And yet there are no documented cases of malware getting into those distros.

There are a couple of technical checks that the RFP issuebot does:

  • binary libraries with no source available
  • binary APKs flagged by Virustotal
  • bad security practice with gradle repos (e.g. using plain HTTP for repos)
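As an added illustration (constructed for this thread, not the issuebot’s actual code), a small Python sketch of the first and third checks above, run over a constructed build.gradle fragment and file listing; the URL pattern and the list of binary suffixes are assumptions, not what fdroidserver uses:

```python
"""Constructed example, not fdroidserver's issuebot: two of the checks the
post describes, run over sample inputs embedded below."""
import re
from pathlib import PurePosixPath

# Matches `url "http://..."`, `url 'http://...'` and `url = uri("http://...")`
HTTP_URL_RE = re.compile(r"""url\s*=?\s*(?:uri\()?\s*['"](http://[^'"]+)['"]""")

# File types that are prebuilt binaries, i.e. not built from source (assumed list)
BINARY_SUFFIXES = {".jar", ".aar", ".so", ".dex", ".apk"}


def find_plain_http_repos(gradle_text: str) -> list[str]:
    """Return every repository URL fetched over plain HTTP.

    Artifacts pulled over HTTP can be replaced in transit, so the built
    APK would no longer correspond to the audited source.
    """
    return HTTP_URL_RE.findall(gradle_text)


def find_binary_blobs(paths: list[str]) -> list[str]:
    """Return checked-in prebuilt binaries (no source to audit) from repo paths."""
    return sorted(p for p in paths if PurePosixPath(p).suffix.lower() in BINARY_SUFFIXES)


def review(gradle_text: str, paths: list[str]) -> dict[str, list[str]]:
    """Bundle both findings the way a bot comment on an RFP issue would."""
    return {
        "plain_http_repos": find_plain_http_repos(gradle_text),
        "binary_blobs": find_binary_blobs(paths),
    }


# Constructed sample build.gradle fragment and file listing (not a real app)
SAMPLE_GRADLE = """
repositories {
    google()
    maven { url "http://repo.example.org/maven2" }
    maven { url 'https://jitpack.io' }
    maven { url = uri("http://oss.example.net/snapshots") }
}
"""
SAMPLE_PATHS = [
    "app/build.gradle",
    "app/src/main/java/org/example/Main.java",
    "app/libs/tracking-sdk-3.1.aar",
    "app/src/main/jniLibs/arm64-v8a/libnative.so",
]
```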
