Developer-signed apk on f-droid #63
Comments
I agree with this completely. It is especially necessary since the Google Play Store runs as root on Android devices, while the normal user does not. This inherently gives Google the ability to force silent updates onto Android devices, making it all the more reason to have developer-signed APKs - aside from generally respecting the user by ensuring the integrity of the app.
I don't believe this app is distributed through the Google Play Store yet; just F-Droid. That said, all the issues you mentioned will still apply when root functionality is re-enabled in F-Droid.
https://github.com/raatmarien/red-moon/releases/download/v2.7.4/red-moon-v2.7.4.apk Is this what you are looking for?
That exists, but the version on F-Droid is signed by F-Droid, not by @raatmarien
This seems like a great solution to the problem of F-Droid's trust model; however, I'm not sure if it is possible to make Red Moon's build reproducible.
I interpret this as that it is near impossible to make Android builds reproducible right now, but if anyone knows how to do it, please correct me!
Someone is selling it on Google Play: https://play.google.com/store/apps/details?id=com.jmstudios.redmoon They are linking to this repo, so they might be adhering to the GPS if that counts as distributing the source. I would love to have my girlfriend pay for the app, I just want to be certain that the build is trustable and that the money will support the project and not some troll. The whole point of not installing via F-Droid on her phone is not having to enable "any source" installation. I'm afraid she'd accidentally install malware if I would.
This is indeed the official Red Moon on Google Play, buying it would be greatly appreciated! The only difference between the F-Droid and Google Play version is that the Google Play version gives the user the option to rate Red Moon.
This one is especially high on the list of things that aren't going to happen. Particularly since I like the idea of maintainers (separate from the developer). If I ever return to Red Moon development (see #281), I likely will not pursue this.
The linked article was very good, though personally I don't feel like it really applies to the F-Droid situation. It's not like there are curated Android package repositories like there are on traditional Linux. (Obviously I don't expect you to work on adding the app to F-Droid regardless).
Well, Red Moon is already on F-Droid, no plans to change that; this issue was just about also using a developer-signed APK in addition to the current one, signed by F-Droid only. And F-Droid is a curated package repository, they just have a fairly broad inclusion policy. But they do distribute some builds with proprietary dependencies patched out. And there are some 3rd party repos: the Guardian Project repo, that comes with the main F-Droid app (but disabled by default); Izzy's repo (contains some proprietary apps, I think); and NewPipe's repo.
Ah, I didn't realize this issue was about dev-signed APKs on F-Droid, that makes WAY more sense.
Advantage: increased trust/security.
Disadvantage: the current process seems a little cumbersome.
I'm not sure if this is something worth the hassle of doing right now, but it is something I'd encourage you to set up in the long term, so I figured I'd create an issue of it.