- cross-posted to:
- privacy@lemmy.ml
- cross-posted to:
- privacy@lemmy.ml
Something worth noting is that F-Droid is both an app to download other apps but they also maintains a repository of apps. You can use alternative store apps (like Droid-ify) with the F-Droid repository OR you could use the F-Droid app with a different repository (like IzzyOnDroid). You can mix and match to meet your needs.
I use the Droid-ify app with the F-Droid, IzzyOnDroid, microG, NewPipe, and Collabora repositories.
Once you start down this rabbit hole, give Obtanium a look.
Neostore is also a good alternative to the normal f-droid client
Yep. Their permission and tracker built in viewer is a super qol feature
Can you elaborate on what these different repos are and do? And, referring to a child comment, what is divest?
Don’t forget Divest, a must have repo. Also Molly for a foss signal client
I just have the basic f droid app, the layout is awful and confusing. Is there one you suggest?
I think he did suggest droid-ify with fdroid repo: https://github.com/Droid-ify/client
Looks good, I will try it out. You have it in F-droid :)
I’m a big fan of Droid-ify.
I would avoid adding other repositories because you are risking malware and anti features.
F-droid is slow to get updates but it also verifies each app
There is safety there, but you’re just as safe using the the developer’s own repository for their apps, like NewPipe, Collabora, or the Guardian Project.
Droid-ify is the best way to use f-droid imo
What are the perks of using this vs. the standard F-Droid app?
More built-in repositories and a nicer UI.
Does it have an update all button? That’s what prevented me to keep using it some months ago.
Why would you ever want to do that? Sometimes the older version is better for about a third of the apps on my device.
Running outdated versions of software, whether on your phone or the desktop, will generally expose you to more vulnerabilities and is not best practice from a security perspective.
People that don’t have a solid grasp on computing tend to think any and all updates are inherently good.
People that don’t have a solid grasp on computing tend to think any and all updates are inherently good.
Are they ever going to modernize the app? It feels really out of place in 2023.
You can use neostore or droid-ify for material fdroid
Are they updated to use the new difference-based repository format?
EDIT: I was curious so I searched, they don’t.
Not sure about neostore, but droid-ify takes like a half a second to fetch repo updates, and fdroid takes me like 10 seconds.
I have a lot of complaints about this too, but namely lack of seamless updates is baffling to me.
Luckily I found Droid-ify and solves both those problems. Also has the common repos frequently added, like IzzyOnDroid, easily pre-available to enabled in the settings.
This definitely replaced the archaeic fdroid client for me, they desperately need an overhaul as it’s a terrible first impression.
Try Neostore too…
^^^ This!
Don’t forget to add the New pipe repo!
I recommend the NewPipe-Sponserblock instead of default Newpipe
Why is the Newpipe repo necessary when NewPipe is also in the F-Droid repo?
Faster release, sometimes it takes a while for the F-Droid to build the new version and Google has a tendency to break it.
Been using Fdroid to the point where my first boot into a new phone is:
Open chrome > download fdroid > open settings > uninstall/disable every single application I can > open fdroid > install all the relevant apps I require for making my phone useful
I’m just waiting for a small life upgrade in order to be able to support some app developers; it will be money better spent than using the standard google apps.
You might want to consider your next phone to be a pixel+grapheneOS.
any lineage os supported device is enough, i think
LineageOS isnt degoogled by default
Fdroid basic allows automatic updates!
The guadian project repos are also preset, albeit not enabled by default.
So does Neostore and Droid-ify. Those are worth looking into.
I can't use F-Droid without the Play Store but I tend to check there first to see if there is something available there before installing something from the Play Store.
I’ve always had a niggling worry that downloading apps from 3rd party app stores came with a higher risk of getting apps with viruses and spyware.
any truth to this?
Not really.
Fdroid is a secure repositorie and the applications are reviewed before being made available for end users.
The repository is also highly focused on privacy and security and will warn if applications have security flaws or depend on non free services.
As an example, I use NewPipe instead of the standard YT app and it has a warning it depends on non-free services.
One other example I can give is Librera. It’s a very feature rich ebook/pdf/etc reader. At some point, a security flaw was discovered and the app was instantly flagged has having such problems and users were advised to not install it.
Fdroid is a secure repositorie and the applications are reviewed before being made available for end users.
Reviewed by who though? Malicious apps even get through apple and Google’s screening. I can’t see how fdroid can match the capabilities of those guys.
[This comment has been deleted by an automated system]
Even small companies have to deal with, “supply chain”, attacks, criminals putting code into open source repositories to steal data and get access to servers. App stores are major targets too.
There have been weather apps that need your location to show you weather and oops we also send your location history to our data center in China and sell that data.
There have been, “document scanner”, apps that help you take pictures of things like credit card statements and did we not mention we send those images to Russian servers?
Do use a major brand phone like Samsung, keep your OS up to date, and don’t expose private info to these apps or give them special privileges, especially, “accessibility”, or, “screen reader”, and you should be okay.
Does anyone have a good foss ebook and pdf reader?
Thanks!
Librera reader is pretty good
It’s awesome
Unless you submit a FOSS app and they don’t feel like including it.
I use iOS now though had f-droid installed on my old android phones :)
If you sell your IPhone now it may not be too late for you! :-)
What kinda good stuff is on F Droid they the average User might want?
deleted by creator
Newpipe - A YouTube client without ads.
Literally can't say enough good stuff about Newpipe.
Everything YouTube SHOULD be, this is. LISTEN TO A VIDEO IN THE BACKGROUND!!!11. Playback speed infinitely adjustable- good for lectures, interviews, etc. No ads. No bullshit.
Love F-Droid but be aware of the risks and always try to use a developer repo when possible…
[This comment has been deleted by an automated system]
Doesn't affect the end user… beyond diminished security. Are you implying I should trust Fdroid devs as much as I would trust Google devs?
[This comment has been deleted by an automated system]
The diminished security resulting from the increased likelihood of a (single point of failure) supply chain attack.
Yes its possible for malicious devs to trojan apps, but due to apk signing it is much more difficult for a third party entity to induce a supply chain attack, which is my real concern when it comes to phone security.
If you have a lower threat model, this post isn't for you…
[This comment has been deleted by an automated system]
If you think Fdroid security is on par with Google security… then I got a bridge to sell you
I actually would go for the main repo as all the software in the main repo is reviewed by the main Dev team
Did you even read the article? F-Droid signs all the apps in the main repo…
The author of this article completely misses the point of F-droid. They clearly are used to a world of proprietary software that takes "security" over freedom
So yes I did read the article and no it doesn't change anything. If your going to make an argument you shouldn't just link to someone else's work. Part of the problem with the internet is no one thinks for tuemselves
Sure, I'll spell it out for you since apparently the point went right over your head. Fdroid devs are a single point of failure by signing every application themselves. This introduces a potential for supply chain attack, not to mention Fdroid running on EOL servers.
When you use an individual dev repo, you can avoid any trojanized apps from Fdroid because the developers maintain their own infrastructure and sign their own apks.
That's called… D I S T R I B U T E D T R U S T
The reason F-Droid builds from source is to ensure that they can enforce their inclusion criteria. If you go outside F-Droid you lose that guarantee. For example, self-published apks in github or google play may contain anti-features or proprietary code that are forbidden by the F-Droid standards.
From another point of view, what you call a single point of failure is a third party that represents the interests of the user community, independent from individual developers. This is the same model used in GNU/Linux distributions, and Drew DeVault explains here the role that software distributions play in the free software community.
Of course, this represents a trade-off, in that you are placing trust in the software distribution instead of or in addition to the upstream developer. The question is, how can you solve the problem without foregoing F-Droid's inclusion standards? The answer is reproducible builds, where F-Droid builds from source and compares to the developer's apk, and publishes the developer's apk with their signature if the build reproduces successfully.
Until Reproducible builds are the norm in the Android free software world, I accept the trade-off because I value having software freedom in my computing, and I know I can't trust upstream developers to care about that as much as F-Droid or I do.
Sure, atleast you admit there's a trade off (security) for (FOSS) and maybe some additional privacy.
People should be made aware of the risks and choose according to their threat models, which is why I've highlighted some of these issues to begin with.
It’s also a buggy piece of crap…
Update notification? Sweet! Gotta click it, right? Oh, some obscure error message that doesn’t let me update the apps. I guess I start the app itself then, right? Oh, it immediately crashed with an even more obscure error message. And what’s this? It shows me updates for apps that I have already removed. I wonder why? Maybe I should clean the cache and update the repositories. Huh? Oh, the update is stuck somewhere and doesn’t move forward anymore and now I can’t even search for anything.Neostore may be a better client for you.
I never had any issues with it