

F-Droid: The Android Market That Respects Your Rights - glazemaster
http://www.thepowerbase.com/2012/08/f-droid-the-android-market-that-respects-your-rights/

======
Egregore
Actually it is good to have an Alarm app without having to give it full
Internet access and permissions to read your identity and use the file system.

------
graue
Just heard about F-Droid in slightly unauspicious circumstances... Moxie
Marlinspike had a row with them over distributing an old (and slightly buggy)
version of TextSecure, after which they ultimately agreed not to distribute
his (fully open source) apps at all. I hope they patch things up and get
TextSecure and RedPhone back in, because I like what F-Droid is trying to do
here.

~~~
moxie
Interestingly, that was the first time I'd heard of f-droid as well. =)

I think my objections to f-droid are actually connected to the hesitations I
have around a lot of what's happening in the "open" Android space. The
"rooting" community is a perfect example: people want to be able to write
certain kinds of software for their devices, but aren't able to, and so
they've developed "open" solutions that allow them to. Their original
constraint, however, was the Android security model, and the problem is that
their solution was just to destroy it.

I really like the fact that Android has a security model focused on
application rather than user isolation (what typical PC environments do). My
only complaint is that I wish it were stronger. Rather than adapting this nice
security model to meet their needs (adding additional permissions, etc) the
"open Android" community converged on just running shit as root instead (a
reversion back to the PC environment).

I think f-droid is potentially another example of an attempt to make Android
resemble the PC environment. It feels to me as if they're trying to be the
"debian" of Android, in the sense that they're taking random OSS software that
they find, packaging it, and distributing it through their own repository.
There's a tool to pull down packages from a repository and install them, just
like with Debian.

The first big problem with this approach comes with application signatures.
Where signatures in Debian are only relevant to the debian tool itself,
signatures in Android are relevant and _enforced by_ the system. The owner of
the key for a signed APK is the only person who can distribute future versions
of that application, meaning that as a developer, I'm not capable of
distributing software to users who've installed the f-droid version without
f-droid's assistance. In the case you mentioned, users were running a version
of my software that needed to be updated, but I had no ability to give them
the update.

Given the way f-droid works, this also means that all the signing keys for all
software are being stored _online_ in one place, which probably isn't a great
idea and will almost certainly bite them eventually.

I could go on about why I'm not enthusiastic about this project, but all of my
objections are connected to this theme. I think it's possible to develop an
open ecosystem that's as secure or even more secure than what Android's
default security model provides, but I think it requires making choices that
are going to be more work than just flattening the security model back to PC-
land.

~~~
graue
Glad you shared this. I just got my first Android not too long ago and haven't
hacked it yet, so it didn't occur to me that the modding community was
achieving their goals by defeating Android's security model.

With F-Droid, if they were to just distribute preexisting APKs that correspond
to free/open-source software — like your TextSecure APK — it sounds like it
would have your signature on it, and updates wouldn't be a problem. But they
compile the apps themselves to let you be "absolutely sure the binary
package[..] is identical to the source". So ironically, they're actually
adding a kind of _security_ feature, and it is this that takes away your
ability to provide updates (they might say by design, since you could
otherwise push a closed-source update to their users).

Theoretically that problem could be avoided if you signed the source code,
F-Droid distributed that, and any necessary compilation was done directly on
the smartphone. I suppose this is impractical, but such a setup might work on
Mozilla's forthcoming Firefox OS where all the apps are written in HTML5/JS.
Just as long as you signed a non-minified copy of the code, it wouldn't be an
issue.

On the other hand, I think the problem with updates, if we're continuing the
F-Droid/Debian analogy, really comes down to how much you can trust the
"distro". I use Ubuntu on my desktop and if there's (say) a Firefox
vulnerability, the security update for that will come from, and be signed by,
Ubuntu, not Mozilla. And it works because I trust Ubuntu. They monitor high-
profile applications like Firefox and if a fix is needed, they'll ship it
ASAP. Whereas, the F-Droid people were apparently not watching TextSecure
closely enough, and either didn't notice there was a new release, or couldn't
be bothered to update their copy in a timely manner. I'm not convinced their
model is inherently insecure; it just requires I put my trust in them rather
than in you (in this case perhaps a questionable decision).

------
noamsml
Good to know there's a place where RMS can get apps for his phone.

~~~
jla
RMS refuses to have a cell phone because they are tracking and surveillance
devices.

------
mr337
F-Droid has some really cool apps. While browsing all I can think of is why I
didn't think of that.

