Awesome app. It is somehow not listed on android-foss list so maybe someone didn’t know about it.

Obtainium allows you to install and update Open-Source Apps directly from their releases pages, and receive notifications when new releases are made available.

GitHub page: Link.

  • bluejay@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    Am I missing something? In my experience using Obtainium it pulls apks from sources I tell it to, usually the developers git releases and even sometimes f-droid repos. This app doesn’t compile anything.

    The main benefit is watching for updates directly from developers which, again in my experience, has been quicker than waiting on f-droid. You could even have it do just the notification and you can manually go download and install if you’re the cautious.

    • itadakimasu@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      The developer(s) could slip something nefarious in easily. We’re putting all our faith into developers that could be anybody

      • bluejay@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        The developer of obtainium or the packages we’re installing? I’ll assume the former. If you’re skeptical about obtainium you could still use it as a source to monitor && notify and then do your install manually.

          • bluejay@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            How does f-droid solve this problem? From my understanding they confirm that the .apk provided by the dev matches what compiles from source and run it through Virus Total. Those are trivial steps for a malicious dev to take to slip in something nefarious.

            At that point you’re relying on the community to check every commit for nefarious code $x. Not to mention they could simply build up community trust for some time before slipping in the code, since they’d effectively be burned once (if?) their very first shady code commit is found.

            I can’t imagine f-droid would go on the hook and say everything they build is also code reviewed for malicious stuff, right?

            • nodiet@feddit.de
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              They don’t just confirm it, the apk you download from fdroid is compiled by them from the source code. And sure, they’re not reviewing all the source code for all apps they build, but it’s still one added layer of security.

              • bluejay@lemmy.dbzer0.com
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                The apk isn’t always what f-droid compiles. There’s two scenarios where they publish the apk signed by the developer.

                https://f-droid.org/docs/Reproducible_Builds/

                It’s one added layer of security to you, but to others it’s a man in the middle that could be an extra attack vector.

                If you don’t trust the dev to put out an apk that’s compiled from their public source why are you trusting any of your data with them?