> F-Droid insists on building the APKs for the apps.
You could say that OpenAPK blindly redistributes whatever APK upstream is peddling whereas F-Droid builds from source. I see the merits of both systems but prefer reproducible builds so that we can have the best of both worlds
It's a reason why I don't really trust signal. They don't want to be recompiled by 3rd party. You must either trust them (or the app stores, which isn't better) or go through the hassle of figuring out how to build it yourself.
It's fairly reasonable to discourage people from using random third-party compiled signal variants though. If you can't figure out building it yourself, using the official one will probably be safer.
Not trusting signal's build and building it yourself is a reasonable thing to do.
Not trusting signal's build and then turning around and trusting some third party build seems strange. The official build probably has more eyes on it, and signal has more reputation to lose.
You don't need to run the binaries at all if you don't want, you can just get the standard VPN configs and use your OS's network stack. You won't get all the fancy features, but otherwise it works fine.
Shizuku's license disallows 3rd party recompilation of the APK, fork or not. Presumably this is done to provide an option to legally take down fake Shizuku which could contain a backdoor. (The original APK is redistributable) Hence Shizuku is not on F-Droid.
F-Droid, however, allows the developer's binary to be reproduced if they have tested that the APK is reproducible when replacing the APK's signature with the original APK.
It allows recompilation, just not using the official logo. Similar to Firefox in Debian kind of issue.
Reproducible builds would allow distributing Shizuku in F-Droid, that’s correct. (If Shizuku banned third party builds by the means of code license, it would not be FOSS and thus wouldn’t be eligible for inclusion in F-Droid altogether.)
Well, for starters it is just a whole lot less work and money to distribute and maintain binaries from the distributors' side, for the developers it comes down to a lower barrier of entry to not have to adjust their workflow to whatever x platform may demand for building on their servers and in the end that gives the users more choices to work with. Of course, this is all in a perfect world where the chain of trust isn't broken so easily, which isn't an easy feat but given platforms like Windows thrive in spite of it, it is probably not as bad as many people may think.
All of that said, not particularly speaking for OpenAPK here, given their motives seem rather unclear to me. If I am to be charitable, I guess they're just trying to provide a different platform than f-droid for discoverability, but for whatever reason they seem to be marketing the distribution-side of things more which is just odd to me, but alas.
> given platforms like Windows thrive in spite of it, it is probably not as bad as many people may think.
There is a lot of extra work done behind the scenes to "thrive in spite of it". Windows Defender (built into Windows after XP) has to periodically download updated virus definitions and always scans programs for potential malware, and still can't catch them all.
F-Droid can also redistribute the signed upstream APK. The requirement for that is that the build is reproducible.
This is the best of both worlds because the distributor (F-Droid) verifies that the published source matches the binary but does not possess the private key to sign the APK. This means the distributor cannot push a backdoored binary blob at some later date.
After reading the issue you linked I came away very strongly in favor of continuing to use F-Droid. Why would I want to switch to an alternative distributor whose policies would permit the WireGuard devs' "I don't want to provide a clear explanation to end users" antics? (Of course I happen to trust the WireGuard maintainer, but individual cases should generally be irrelevant when setting policy.)
I am impressed to see the F-Droid maintainers sticking to their principles.
I haven’t taken more than a glance at the linked site so I don’t know if it’s better in this way, but I’ve always found F-droid difficult to navigate. It’s got a lot of junk, too. The bulk of its utility for me has been for installing apps that I’ve become aware of elsewhere.
I frequently learn of useful apps through its updated/new section that you see when opening the app. Back in the day when it didn't have this I used to scroll through all the categories - the catalogue was small enough to do this.
I wish the updated/new section would filter "update spam" better, but right now it works for app discovery, without requiring f-droid to collect usage data. The search function sorting by "recently updated" also helped a lot in finding well supported apps.
There's a lot of room for improvement of the search function though.
It's got a Search section for looking up new apps, and an Updates section for maintaining already installed ones. There's nothing else I need nor want from an "appstore".
The only gripe I have is that screenshots on individual apps pages can sometimes be slow to download, but that gripe is so small I'm looking at it through a microscope. :)
Neither you nor the linked comment provide any context for that. Is it not possible that Israel blocked because of a request by the Israeli government, and not because of a political statement?
I guess, good on them for at least blocking the country outright and being honest about it, and not sneakily distributing malware like some very good people did to Russians back in 2022.
I don't think your use of "surely" was very cordial, but I'll indulge your point, thanks for taking the time to respond. If I were a lawyer, I would label those points circumstantial at best:
(1) I'm not sure to which organisation you were referring, but on its own I don't think a link constitutes endorsement, especially when the context is the open source project and not political in nature. It's worth noting that there are a lot of external links in the readme, none looked at the surface level to be linked because of any reference to BDS therewithin. That said, I don't think we should argue this further, it's already inappropriate to comment on political topics such as Israel and BDS here on HN.
(2) Again, the exact cause for this is not clear. There are possible explanations which suppose good faith, and others, bad faith.
(3) While personally I'd lean towards your interpretation (especially considering the use of quotation marks by the poster), it's still not explicit and could be a communication failure.
> I'm not sure to which organisation you were referring [...] It's worth noting that there are a lot of external links [...] none looked at the surface level to be linked
Literally the first link in the README.
website -> Incubator -> "list of projects we’d love to get started!":
> ### Built with Israel
> Many companies and NGOs unwittingly use tools created by Israel
> ### BDS in your bank account
> Build an app that can apply BDS to your bank account.
or
website -> Blog -> "T4P Incubator Alum Boycat Is Teaming Up With BDS"
If you can't figure out what the first website link is in the README that's on you. I'm not gonna promote that hateful organization's website.
izzyondroid is generally not meant to replace apps that are already provided in f-droid, unless there's a feature discrepancy or other reason to have it available in both repos.
The idea behind OpenAPK - https://www.openapk.net is to follow the app developer releases directly by serving unmodified official binary downloads! All updates are available right after the release (no need to wait for F-Droid build). By installing official binary downloads signed with the developer signature you avoid signature mismatch issues caused by F-Droid builds for example.
For most apps there is an Obtainium download badge if you want to follow the updates automatically.
Slightly off topic but is it still practically impossible to build APKs without agreeing to EULAs and using proprietary blobs?
It's great we are seeing more effort be put into open source android apps, but being forced to use restricted tooling to develop and build them leaves an extremely foul taste in my mouth.
The big difference between a dedicated banking app and the one in the browser is permissions.
It sends me notifications when money arrives or is spent. Scanning a QR code to pay for something is much less clunky than doing the same in a browser. And it integrates into my phone authentication system so I only need to scan my fingerprint to open the app instead of remembering a password and waiting for a one-time code.
What do I do on the app? I check the balance on my accounts, I move money between my accounts to get more interest, I pay for my kid's remedial classes, I pay my trainer, I scan QR codes to pay online when the shop provides this payment option so I don't have to type in my card details, I check my virtual card details when I do have to enter them, I buy and sell stocks.
> It sends me notifications when money arrives or is spent. Scanning a QR code to pay for something is much less clunky than doing the same in a browser. And it integrates into my phone authentication system so I only need to scan my fingerprint to open the app instead of remembering a password and waiting for a one-time code.
All this is possible in browser nowadays. And scanning QR codes doesn’t have to be clunky – it’s just that developers are sloppy.
In the EU you are more and more required to use a phone to use your bank account. SMS TANs and TAN lists are deprecated, photoTAN is often unsupported (and clunky of course) and going to the bank is still possible, but cumbersome (and there are fewer and fewer bank branches every year).
For 20€ I got a TAN generator from my bank, a small device with a simple camera that scans QR codes on the banking website and presents me TANs to verify. So no matter PC or smartphone, I like that solution.
i never downvote on this site. And i apologize if this feels like i singled you out specifically; this is just something i've been noticing a lot of on HN the past few weeks, especially as it pertains to the advanced data protection apple stuff in UK, the firefox EULA change (or whatever it was) that had everyone saying it doesn't work with their banking sites, etc.
it's all so reminiscent of "you must use IE6 to access this site"
I've been lucky so far to have banks that don't block my rooted phone, but that is not the case for everyone. With an increasing number of "modern" banks that rely on an app instead of a website as primary interface this could get worse in the future.
There’s also Google Wallet, née Google Pay, née Google Wallet. It doesn’t like rooted devices either, but seems to be okay with apps installed from third party stores.
Weirdly enough I've yet to encounter a "major" app that objected to LineageOS, microG, or an unlocked bootloader. I'm sure they exist but it seems at least some of the big players in the US aren't so unreasonable about it.
From a security perspective it makes sense. If an app actively abuses such information it would be easy enough to hide it in a future build. The only way around that is an attestation scheme such as SafetyNet.
Weird. I've experienced the issue with various apps getting upset when another one is displaying over it. I like to have a little YouTube video playing in a popout and some buttons will refuse to press when this is present. I can't imagine this plays well with magnifiers or other assistive tech, but I understand their worry that a malicious developer could contrive to make you click a wrong button by covering the relevant context.
As for getting upset about sharing a phone with unapproved apps, I think this is a failure of sandboxing. The app should see as much of the phone as I want it to and no more.
Really don't know how it works. There are many reports of people just clicking one link and the entire phone gets taken over, bank accounts drained.
These days banks have KYC and should know who finally gets the money. Even across borders except perhaps in North Korea etc. For those countries that don't co-operate, the entire SWIFT system must be blocked.
But for some reason they try other things, blame users but never claw back