Thread

I've officially migrated all of my most important apps over to Obtainium and marked them as ignored in F-Droid. Previously I had used F-Droid for the majority of my apps (Aurora Store for everything else), but following some recent controversies regarding them misclassifying the sacred text of my Christian faith as "not safe for work" and "pornographic", I decided that it was time to start moving away from them and just start grabbing apps from source directly. This was also inspired in part by @Vitor Pamplona. In a conversation, he mentioned that something like F-Droid centralizes all authority to one group of people, whereas Obtainium allows you to be fully in charge of what apps you use and when you download them. F-Droid compiles apps themselves, based on the original source code. Meanwhile, Obtainium allows you to grab the apps direct from their repositories, without any middle men. There's still a place for F-Droid. Because of the fact that they do compile things themselves, that means you're less likely to download a malicious app if it's something you never used before. But if you know the app and it's important to you, you should just download through Obtainium directly. #decentralization #obtaining #opensource

Replies (7)

Android is Trust On First Use (TOFU). Obtainium allows you to share to AppVerifier on first install to verify it. From then on you don't have to worry as it'll only update if the signature is the same. Word of warning, AppVerifier only contains a small amount of signatures stored in its internal db [1]. Often a dev will include their signature on GitHub and then you can paste that into AppVerifier to double check. [1]
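
An added example, not part of the thread and not code from Obtainium, AppVerifier or Android: a Python sketch of the trust-on-first-use check the reply above describes. The `TofuStore` class, the package names and the certificate bytes are constructed for illustration, and the fingerprint is assumed to be the SHA-256 of the DER-encoded signing certificate written as colon-separated hex.

```python
import hashlib
import hmac
import re

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded signing certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def normalize(text: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex."""
    digest = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError("not a SHA-256 fingerprint")
    return digest

class TofuStore:
    """Hypothetical pin store: package name -> pinned certificate fingerprint."""
    def __init__(self):
        self.pins = {}

    def check(self, package, cert_der, published=None):
        seen = fingerprint(cert_der)
        pinned = self.pins.get(package)
        if pinned is not None:
            # Update path: only the signer pinned at first install is accepted.
            ok = hmac.compare_digest(pinned, seen)
            return "update-ok" if ok else "reject-signer-changed"
        if published is not None:
            # First install with an out-of-band value (e.g. from the dev's repo).
            if not hmac.compare_digest(normalize(published), seen):
                return "reject-published-mismatch"
            self.pins[package] = seen
            return "first-install-verified"
        # First install with nothing to compare against: pure trust on first use.
        self.pins[package] = seen
        return "first-install-unverified"

# Constructed stand-ins for DER certificate bytes (not real certificates).
DEV_CERT = b"constructed-developer-certificate"
OTHER_CERT = b"constructed-other-certificate"

def demo():
    store = TofuStore()
    # The developer's fingerprint as it might be published: uppercase, colon-separated.
    pub = ":".join(re.findall("..", fingerprint(DEV_CERT).upper()))
    a, b = "org.example.app", "org.example.other"
    calls = [(a, OTHER_CERT, pub), (a, DEV_CERT, pub), (a, DEV_CERT),
             (a, OTHER_CERT), (b, OTHER_CERT)]
    return [store.check(*c) for c in calls]
```

The last call in `demo()` is the case the reply warns about: with no published fingerprint to compare against, the first install is pinned without any verification.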