From 7223ed75daeb349f4070c6d27998d8373a5e8683 Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Thu, 13 Jan 2022 02:39:24 +0100 Subject: [PATCH] at least they tried --- content/posts/fdroid-issues.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/posts/fdroid-issues.md b/content/posts/fdroid-issues.md index c5c46fb..42e6131 100644 --- a/content/posts/fdroid-issues.md +++ b/content/posts/fdroid-issues.md @@ -100,6 +100,8 @@ It is an important security feature that is also straightforward to implement us ``` +To be fair, they thought several times about adding certificate pinning to their client [at least for the default repositories](https://gitlab.com/fdroid/fdroidclient/-/issues/105). [Relics of preliminary work](https://gitlab.com/fdroid/fdroidclient/-/blob/1.14-alpha4/app/src/main/java/org/fdroid/fdroid/FDroidCertPins.java) can even be found in their current codebase, but it's unfortunate that they haven't been able to find [any working implementation](https://github.com/f-droid/fdroidclient/commit/7f78b46664981b9b73cadbfdda6391f6fe939c77) so far. Given the overly complex nature of F-Droid, that's largely understandable. + F-Droid also has a problem regarding the adoption of **[new signature schemes](https://source.android.com/security/apksigning)** as they [held out on the v1 signature scheme](https://forum.f-droid.org/t/why-f-droid-is-still-using-apk-signature-scheme-v1/10602) (which was [horrible](https://www.xda-developers.com/janus-vulnerability-android-apps/) and deprecated since 2017) until they were forced by Android 11 requirements to support the newer v2/v3 schemes. Quite frankly, this is straight-up bad, and **signing APKs with GPG** is no better considering [how bad PGP and its reference implementation GPG are](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) (even Debian [moved away from it](https://wiki.debian.org/Teams/Apt/Spec/AptSign)). F-Droid should instead enforce v3/v4 signatures. It is worth mentioning that their website has (for some reason) always been hosting an [outdated APK of F-Droid](https://forum.f-droid.org/t/why-does-the-f-droid-website-nearly-always-host-an-outdated-f-droid-apk/6234), and this is still the case today, leading to many users wondering why they can't install F-Droid on their secondary user profile (due to the downgrade prevention enforced by Android). "Stability" seems to be the main reason mentioned on their part, which doesn't make sense: either your version isn't ready to be published in a stable channel, or it is and new users should be able to access it easily.