undefined | Better HN

0 pointsDraiken2mo ago0 comments

TIL!

IDK if I would consider not blindly trusting an unknown third party to read all my notifications being paranoid, but if it is, then yeah, I guess I am.

I've used F-droid merely due to the open source guarantee, so how fast these apps are patched isn't a deal-breaker for me, but I'll definitely look into Obtanium now.

Thank you!

0 comments

ranger_danger2mo ago

As a developer, the fact that F-Droid now compiles all your packages for you, using their own keys, is a non-starter for me. It means they are free to modify my code however they want or inject malware etc. (whether by mistake or not), and it's totally outside of my control, but still has my name on it.

DraikenOP2mo ago

I guess we can't win, can we? I worried more about random developers getting compromised since the surface area is much larger, but at the same time one entity compiling all packages makes them a more attractive target.

We've seen the released bundles being different to the source code before too AFAIR, so whether it's a single repository or F-Droid, both can easily screw users up if compromised.

I don't want to be paranoid but the world's not making it easy.

ranger_danger2mo ago

What I'd like to see is enforced reproducible builds from multiple sources with publicly published and verifiable results that don't fall out of date.

j / k navigate · click thread line to collapse

0 pointsDraiken2mo ago0 comments

TIL!

IDK if I would consider not blindly trusting an unknown third party to read all my notifications being paranoid, but if it is, then yeah, I guess I am.

I've used F-droid merely due to the open source guarantee, so how fast these apps are patched isn't a deal-breaker for me, but I'll definitely look into Obtanium now.

Thank you!

0 comments

ranger_danger2mo ago

DraikenOP2mo ago

We've seen the released bundles being different to the source code before too AFAIR, so whether it's a single repository or F-Droid, both can easily screw users up if compromised.

I don't want to be paranoid but the world's not making it easy.

ranger_danger2mo ago

What I'd like to see is enforced reproducible builds from multiple sources with publicly published and verifiable results that don't fall out of date.

j / k navigate · click thread line to collapse