Since simple mobile tools will soon become a spyware and I use 3 of their apps regularly, yesterday I installed F-Droid after reading many Lemmy recommendations.
Wow, I’m pleasantly surprised.
A new app I’ve tested is Spotube (Spotify open source alternative; edit: apparently it uses Spotify metadata but it streams from YouTube. My bad.).
Any other underrated app y’all recommend?
I moved a lot of my foss apps over to f-droid. But i’m a little worried about security.
The odds of a bad actor being able to takeover f-droid and update my keepass app with a malicious version seems a lot higher than someone being able to do the same google play, right?
https://f-droid.org/docs/Reproducible_Builds/
Why not have both developer signed builds and repository verified source matches the binary?
This F-Droid-like model (also popularly implemented by Linux distributions) is usually considered an improvement in security.
The thing with FOSS is that ideally you don’t have to trust the developer at all.
In theory, you could read the entire source code and compile it yourself. Then you’d know for sure that no malware is included.
Obviously, in practice, you can only hope that some nerds dig into the source code and notify journalists of malware-like behaviour.
It is no perfect protection. But it is the only tangible protection that FOSS actually delivers.
What does not protect you, is to trust each individual developer. They could publish innocous source code and then build the release binaries from a version with the malware-like behaviour patched in.
But because you likely don’t want to compile each app yourself, you might still feel compelled to entrust that work to a third party. This is where the F-Droid team comes in. Rather than trusting each developer, you just have to trust a single team.
Well, and if an app is built in a reproducible build, then even the work from the F-Droid team can be verified.
I trust the debian repo because fortune 500 companies run debian and rely on it
F-droid repo doesnt have the same level of scrutiny
Yeah, that is a valid opinion to hold. I am saying that trust is garbage.
You could consider compiling the KeePass app yourself, if you’re worried about that one in particular.
A guy I used to study with, decided that he just wouldn’t have a password manager on his phone.
I’ve certainly considered switching to a Linux phone for that, among many other reasons…
You consider using Obtainium instead? It installs (and updates) directly from source release (Github repo, etc). That puts you directly in control of everything then.