
mention droid-ify

This commit is contained in:
Wonderfall 2022-01-03 16:30:31 +01:00
parent bbcfb628ca
commit 5dd401b39b


@ -56,7 +56,7 @@ It turns out the official F-Droid client doesn't care much about this since it l
F-Droid also **doesn't enforce a minimum target SDK** for the official repository. Play Store [does that quite aggressively](https://developer.android.com/google/play/requirements/target-sdk) for new app updates, and while it may seem bothersome, it's a necessity to keep the app ecosystem modern and thus healthy. F-Droid's approach sends the wrong message to developers (and even users) because they should care about it, and this is why many of us think it may be even harmful to the FOSS ecosystem. Backward compatibility is often the enemy of security, and while there's a middle-ground for convenience and obsolescence, it shouldn't be exaggerated. F-Droid also **doesn't enforce a minimum target SDK** for the official repository. Play Store [does that quite aggressively](https://developer.android.com/google/play/requirements/target-sdk) for new app updates, and while it may seem bothersome, it's a necessity to keep the app ecosystem modern and thus healthy. F-Droid's approach sends the wrong message to developers (and even users) because they should care about it, and this is why many of us think it may be even harmful to the FOSS ecosystem. Backward compatibility is often the enemy of security, and while there's a middle-ground for convenience and obsolescence, it shouldn't be exaggerated.
## 4. General lack of good practices ## 4. General lack of good practices
The F-Droid client allows multiple repositories to coexist within the same app. Many of the issues highlighted above were focused on the main official repository which most of the F-Droid users will use anyway. However, having **other repositories in a single app also violates the security model of Android** which was not designed for this at all. As a matter of fact, the new unattended update API from Android 12 that allows seamless updates for third-party clients without privileged access to the system won't work with F-Droid. The F-Droid client allows multiple repositories to coexist within the same app. Many of the issues highlighted above were focused on the main official repository which most of the F-Droid users will use anyway. However, having **other repositories in a single app also violates the security model of Android** which was not designed for this at all. As a matter of fact, the new unattended update API from Android 12 that allows seamless updates for third-party clients without privileged access to the system won't work with F-Droid. It should be noted that [Droid-ify](https://github.com/Iamlooker/Droid-ify/issues/20) is trying to figure out a way to make it work, although the underlying issues about F-Droid infrastructure remain.
Their client also lacks **TLS certificate pinning**, unlike Play Store. Certificate pinning is a way for apps to increase the security of their connection to services by bundling known-good certificates for these services. This can avoid some cases where an interception (*man-in-the-middle*) could be possible and lead to various security issues considering you're trusting the app to deliver you other apps. Their client also lacks **TLS certificate pinning**, unlike Play Store. Certificate pinning is a way for apps to increase the security of their connection to services by bundling known-good certificates for these services. This can avoid some cases where an interception (*man-in-the-middle*) could be possible and lead to various security issues considering you're trusting the app to deliver you other apps.
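Review bot: the sentence appended to the Android 12 paragraph sits at odds with the sentence just before it, so the two should be reconciled: the paragraph first states flatly that the unattended update API "won't work with F-Droid", then adds that Droid-ify "is trying to figure out a way to make it work". Consider rewording the earlier claim to "doesn't currently work with F-Droid" (or "isn't supported by the official client") so the reader isn't handed a contradiction, and say what the link points at (an open Droid-ify issue, not a shipped feature) so that "trying to figure out" reads as the unresolved item it is. The closing caveat that the underlying F-Droid infrastructure problems remain regardless is the right framing and should stay as written.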