this post was submitted on 13 Sep 2023
330 points (98.0% liked)
Asklemmy
42502 readers
1432 users here now
A loosely moderated place to ask open-ended questions
Search asklemmy π
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- [email protected]: a community for finding communities
~Icon~ ~by~ ~@Double_[email protected]~
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
#2 can be solved by using one of several alternative clients with root permissions. Yes, manual APK install is tedious but not inherently insecure, and the only option for nonroot devices without an ADB host.
#4 is not really true. They are just very lenient, mostly just flagging apps with problems (known vulnerabilities, telemetry, non-FOSS services/assets/libs, ads).
#5, #6 and #7 are actually advantages. It's nice to know that all apps are FOSS and correspond to source, and I can install old apps / earlier versions on old phones β as opposed to Google Play, which denies an appβs existence if your device is incompatible, resulting in shady alternatives and adware typosquatters topping search results.
2 - Manual installation methods can be insecure because a lot of people don't update their apps all the time. Obviously rooting a phone is insecure, but having no auto updates in 2023 is crazy.
4 - It is very true, having zero quality control on new apps. The flagging of apps with problems is just following the FOSS philosophy. Any FOSS app can be added to F-Droid.
5 - Not sure why you would want to install abandoned apps on F-Droid, let alone use an EOL device. A lot of people don't check if apps are maintained because they trust their app store.
6 - FOSS doesn't automatically mean its secure or private. Also, why is it that I have to install proprietary apps only on the Google Play Store?
7 - FDroid signing keys isn't an advantage because it requires an extra layer of trust. I'm already trusting the developer by installing their app, so the developer should be signing the keys. This is a reason why Signal is not on F-Droid.
2 - You cannot really fix this unless an alternative F-Droid client is installed as a system app by the manufacturer, or they allow relocking the bootloader. Good luck convincing them.
5 - I can run anything of any age on my devices, accepting the security risk. I want to be able to factory reset and use one of my Android 4.4 phones with an unmatched speaker as an Internet radio receiver instead of throwing it out. F-Droid explicitly tells you how long itβs been since the last update and ranks old apps low in lists and searches.
This is why Accrescent is amazing. It has automatic updates for Android 12+. Also leaving the bootloader unlocked is a security risk. Using stock or GrapheneOS (better option) on Android is best because you can lock the bootloader.
I don't mind Fdroid being around. If you're okay with the security risk, I have no problem. I've explained to you the security issues and the misinformation that people give that FDroid is secure. I was just explaining their security vulnerabilities and explaining why Accrescent is a much better option for installing apps.