Can you admins look into it and try to solve the issue, as F-Droid is the only trusted and security-first store. So any flaw should be patched ASAP.
I think this is false, apps are not signed on a server.
GrapheneOS is well known for being slightly inflammatory in its statements.
But I know they are well known for a privacy-friendly, secure Google-alternative OS. I could be wrong and they also could be wrong, but as they have stated it, we should provide GrapheneOS a statement and sort it out.
Tbvh, no one OS is fully secure. No matter what and how much you try, there are always flaws. F-Droid is maintained literally by people who aim to make it as secure as possible. Still, if some OS or company states otherwise, then they should approach with a solution rather than just stating it is this or that. @Morgoth, first of all I apologise for my behaviour on other topics with you. Even if we agree to disagree on anything, I simply think my approach was incorrect and we are all here to make the community secure. Agreed, we all have our opinion, understanding, ideas and all, but one (read: myself) should be open to thoughts and be more fact-secure.
For @human, trust me mate. F-Droid, even if as per GOS way behind, is still the only store that gives what it takes for people to get. GOS or eOS and all can say what they want, but they do not come forward with a solution, and then they expect others to be flamed by stuff otherwise.
Micay (GrapheneOS primary) may be a talented programmer, but I would never trust his judgment or believe statements like this or
The primary person working on it is a known malicious actor involved in underhanded attacks on GrapheneOS.
from the same tweet link, without proof. For one reason why, see Micay’s statement: https://web.archive.org/web/20201105202650/https://grapheneos.org/legal/Micay_%20Copperhead_%20Statement%20of%20Defendant%20and%20Counterclaim.pdf , particularly item 22 at the bottom of page 6.
That said, nothing is completely secure, and everything can be improved.
Yes, I know that, but we can minimize the attack surface by resolving the issue, if any, that GrapheneOS mentioned. We can ask GrapheneOS on Twitter for a constructive suggestion and what the issue actually is, so we can think and resolve it. If they provide something about the signing method of F-Droid, it is not a big issue, so we can look into it, as there are lots of us who trust F-Droid blindly and there is no reason not to trust it. So I hope you guys understand what my concern is.
I would happily address any known security issue in F-Droid. Graphene mostly tweets out handwavey claims with little to back them. And then they’ve blocked most F-Droid and CalyxOS devs on Twitter so we can’t respond there. Daniel Micay is a talented programmer when it comes to hardening. Security is more than hardening, it involves understanding people, risks and tradeoffs.
- “They also use flawed legacy signing for metadata” - index-v1.jar uses JAR Signatures. They have had vulnerabilities. Our use of JAR signatures in index-v1.jar has not been affected. If you disagree, please show me otherwise.
- “many apps along with targeting API 25” - this is true, but the features enabled by setting targetSdkVersion break features that apps use. Google puts those kinds of restrictions in because users don’t trust proprietary apps, since most are constantly trying to steal user data. F-Droid reviews all apps from source to prevent that, so we don’t need to break features to gain privacy.
- “Apps are built and signed on a server” - apps are built in a disposable VM on a server. They are then manually transferred to an offline, airgapped machine for signing, then published.
This is what GrapheneOS looks like for me on Twitter:
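The reply above says index-v1.jar is protected by JAR signatures. A JAR signature is layered: MANIFEST.MF lists a digest for every entry, a .SF file digests the manifest, and a .RSA (or similar) block signs the .SF with the repo key. The following is an added example, not F-Droid's own code, that checks only the first layer using the Python standard library: it rebuilds a minimal JAR with a constructed index-v1.json (the sample content, the `build_sample_jar` helper and the tamper switch are assumptions for illustration) and then recomputes each entry's SHA-256 against the manifest. A real client must additionally verify the .SF and the signature block and pin the signer's certificate fingerprint; this example shows only why a digest mismatch or an entry missing from the manifest must be treated as a failure.

```python
"""Manifest-digest layer check for a JAR-signed repository index (added example)."""
import base64
import hashlib
import hmac
import io
import zipfile

# Constructed sample index content; not a real F-Droid index.
SAMPLE_INDEX = (
    b'{"repo": {"name": "example repo"}, "apps": [], '
    b'"packages": {"org.example.app": [{"versionCode": 1}]}}'
)


def manifest_digest(data: bytes) -> str:
    """JAR manifests carry base64(SHA-256(entry bytes)) under SHA-256-Digest."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_sample_jar(index_json: bytes = SAMPLE_INDEX, tampered: bool = False,
                     extra_unsigned: bool = False) -> bytes:
    """Construct a minimal JAR: index-v1.json plus a MANIFEST.MF with its digest.
    The .SF and .RSA signature files of a real index-v1.jar are omitted here.
    `tampered` alters the entry after the digest was computed; `extra_unsigned`
    adds a file the manifest never mentions."""
    manifest = (
        "Manifest-Version: 1.0\r\n\r\n"
        f"Name: index-v1.json\r\nSHA-256-Digest: {manifest_digest(index_json)}\r\n\r\n"
    )
    body = index_json
    if tampered:
        body = index_json.replace(b'"versionCode": 1', b'"versionCode": 2')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("index-v1.json", body)
        if extra_unsigned:
            zf.writestr("injected.json", b'{"apps": []}')
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Return {entry name: {header: value}} from a JAR manifest, honouring the
    72-byte line continuation rule (continuation lines start with a space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = {}, None
    for line in lines:
        if not line.strip():
            current = None
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            current = value
            sections[current] = {}
        elif current is not None:
            sections[current][key] = value
    return sections


def check_manifest_digests(jar_bytes: bytes) -> dict:
    """Recompute SHA-256 for every non-META-INF entry and compare with MANIFEST.MF.
    Returns {entry: bool}. An entry absent from the manifest is reported False:
    a file that the signed manifest does not cover carries no signature at all."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for name in zf.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            expected = manifest.get(name, {}).get("SHA-256-Digest")
            if expected is None:
                results[name] = False
                continue
            actual = manifest_digest(zf.read(name))
            results[name] = hmac.compare_digest(actual, expected)
    return results


if __name__ == "__main__":
    print("intact:   ", check_manifest_digests(build_sample_jar()))
    print("tampered: ", check_manifest_digests(build_sample_jar(tampered=True)))
    print("injected: ", check_manifest_digests(build_sample_jar(extra_unsigned=True)))
```

The point of the third case is the one that matters for an index: a verifier that only checks the entries the manifest names, instead of every entry in the archive, would accept a file that was never signed.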
I strongly dislike Twitter, but it’s fun to see how much more I see in this case by ignoring the SignUp and LogIn buttons. Blocking selected accounts is funny, but it can have its place…
PS. Can we do away with that login with Microsoft github thing around here?
They are in a plan of harassment and demolition. It gives me the impression that they want to keep only what is theirs safe and private… and not the rest…
Because we were also talking here Privacy On Phone - #79 by gallegonovato for this article F-Droid: how is it weakening the Android security model? | Wonder's Lab
If you can, it would be very good.
There is an issue about signing; please do look at it also.
We talked about that in Privacy On Phone - #82 by Licaon_Kter
That article basically says “Google keeping signing keys is good, F-Droid keeping signing keys is bad”.