F-Droid (FOSS Android App Store)

Malware in an app that you got from F-Droid? Check the source code. If source code is clean then F-Droid team did it. As easy as that. Developers can also choose to include or exclude their apps from F-Droid repository. So this point doesn’t really hold any water.

Does PG team have any thoughts on this?

That is an interesting take. I guess I’d like to have some insights about it as well.

The question is what’s the realistic alternative to F-Droid really.

RSS or Obtainium? Not as convenient (e.g. no unattended updates possible) and again you have to trust more parties (namely all the individual developers rather than the F-Droid team) to not give you a bad update.

Download APK from the developer’s website (e.g. Whatsapp, various crypto wallets)? Rarely available and you won’t be notified of updates.

Aurora Store? Connects to Google, tends to not work with the anonymous login and otherwise requires a Google account to work. Using it is against the TOS so your account might get banned, or Google could one day close the APIs that Aurora connects to. This should be used as a last resort, e.g. to get a banking app that’s only available on the Play Store.

There’s not really anything else.

Personally, I run the triple strategy of (1) use F-Droid when available (either in the main repo or an official repo from the developer), (2) use Obtainium for other stuff that’s on Github but not on F-Droid (e.g. the MEGA app which is source-available but non-free), (3) Aurora store for whatever I can’t get otherwise (e.g. banking app).

So is Whatsapp and I bet it’s also super duper secure. PG recommendation when?

So youre using extremely invasive apps/services from one of the most evil companies in the world (that makes most of their profit from collecting data to sell ads), and you think it’s preferable to using completely FOSS alternatives just because your running it in a “sandbox”? Your entitled to that opinion of course but it shouldn’t be the “official” guidance on a website like PG.

I’d like to add that play store sandboxing is only available on a pixel with a really specific ROM. So unless PG stance is to tell everyone to just ditch their phone and get a googlephone, it’s not that much useful as a main recommendation

Fdroid does have a client issue. The official client is awful. Neo Store is OK but doesn’t reliably notify about updates. I have Droid-ify to get the notifications and Neo Store because the download/update process is better.

If you don’t like the client, it doesn’t mean that it’s awful.

Why would you need to get notified about updates when the client can do them in the background seamlessly?

Either way, use the F-Droid Basic client. It’s the best one.

You do know that you yourself can continue to use and recommend F-Droid without Privacy Guides doing so right ? I love F-Droid myself and don’t feel I have to agree with every part of PG.

The amount of reproducable builds is increasing rapidly: Reproducible builds, signing keys, and binary repos | F-Droid - Free and Open Source Android App Repository

Calyx is helping F-Droid with client issues: CalyxOS & F-Droid

I’m going to mark this thread as rejected, because I think we are all in agreement that F-Droid Basic is a better client if we do recommend their first-party clients again, and that discussion is here:

Feel free to reply to this thread only if you have something to add about the official, traditional F-Droid client app, and not F-Droid Basic (because that is being discussed at the link above) or the F-Droid service/repos in general (because those already aren’t recommended against in the first place).

A Gecko-based browser just got added to recommendations and Gecko-based browsers just like F-Droid have some security concerns and issues, so I think it would be fair to revisit this.

Both F-Droid and Gecko-based browsers have some technical security concerns or issues that aren’t proven to be an issue in the real world for most people. But we recommend a Gecko-based browser and explicitly state that we currently don’t recommend F-Droid.

The only difference is that F-Droid is the only reasonable alternative to the Play Store unless you want to use Obtainium and go hunt for apks in the repos like a caveman. Meanwhile, we have 3–5 good Chromium-based browsers that we can recommend for mobile users.

Obtainium isn’t an app store, so you need to know what you’re looking for, and we also have this:

@SkewedZeppelin has also made a good point about Obtainium:

I still believe it is a huge footgun by removing the curation aspect.
Users getting random apks from GitHub repos just sets us a decade back.

Users will end up installing something they think is open source (“because GitHub”) despite being proprietary.
And users will end up installing some fake typo-squatted repo with actual malware.

As I said elsewhere, we don’t explicitly recommend against F-Droid anymore.

We do recommend F-Droid Basic over F-Droid though, is there a reason you’d prefer the traditional client over that one?

I’m aware of that, but I believe that F-Droid should be one of the recommended ways of obtaining applications.

Most of the new apps published on F-Droid are reproducible, which means that they’re signed by the developers. As for the rest of the apps, developers can choose to publish reproducible builds to F-Droid at anytime but they choose not to do that, and this isn’t the fault of F-Droid.

F-Droid recently made a change to their inlusion policy that allows for self-updating apps in their main repository. (Self-updating has to be opt-in.) So if the app is published as a reproducible build and there is a big security issue or the app is completely unusable, the user can choose to enable self-updating and get the update straight from the developer ASAP.

Also, in cases of big security issues or the app being unusable, F-Droid can also publish the fixed build ASAP:

So I fail to see why F-Droid isn’t a good recommendation.

There is no reason to currently use F-Droid over F-Droid Basic.

Well yeah, this is why Recommend F-Droid Basic instead of Neo Store was approved and this thread was rejected. I’m still not sure what exactly you want us to change.

We only recommend F-Droid as a way to obtain apps which cannot be obtained via the means above.

This sentence makes F-Droid look like the last resort option and the worst one out of all the recommendations, and I highly disagree with that.

Aurora Store:

• Is unreliable and constantly breaks.

• Is buggy and doesn’t have good UX.

• Is completely reliant on Google, and Google could pull the plug at any moment, which would render Aurora Store unusable.

• Play App Signing.

• Some apps check if they’re installed from Play Store, and if they aren’t, they will not work.

• Services like Play Asset Delivery, Play Feature Delivery and app / content license checks aren’t available.

• A lot of data gets sent to Google, like your IP adress, your device model, your app list, etc.

GrapheneOS App Store: barely has any apps.

Obtainium: F-Droid (FOSS Android App Store) - #32 by Lukas

So what makes these better than F-Droid?

Highly important edit: if you use Aurora Store, there is a high chance that your apps will come with some proprietary libraries, and some functionality of the apps, like notifications, will depend on Google Play Services.

For example, if you get an app from Aurora Store, it will rely on Google Play Services for notifications, but the F-Droid build will have a different FOSS implementation.

Also, some apps come with Google Maps integration when downloaded from Play Store and OpenStreetMaps implementation when they’re downloaded from F-Droid, etc.