Hacker News
Fossdroid.com: Free and open source Android applications (fossdroid.com)
408 points by SnaKeZ on Apr 19, 2015 | 73 comments

I think some people are confused/missing the point.

This isn't competing with F-Droid, it IS F-Droid. Everything from the statistics to the APK downloads (notice the redirect) are sourced from https://f-droid.org/.

It's a beautiful front end and necessary improvement over what exists, but it's complementary not competitive.

My $0.02:

1. Link the download button to the app entry in F-Droid so I can download it from the Android client. (Getting the user to trust random APKs is not a responsible behavior.)

2. Clarify that this site is a viewer for F-Droid and non-UI contributions should be sent there.

Other misc notes:

Install F-Droid as a system app (root) in order to install packages using the client without having unknown sources checked.

Material design for the client is coming [1]

[1] https://gitlab.com/fdroid/fdroidclient/merge_requests/64

It's awesome to see this on the front page of HN. If you think these things are worth supporting, do so! https://f-droid.org/contribute

Yes, it isn't competing with F-Droid...it's just a frontend for F-Droid with popularity data.

Your download links point to the most recent version of the app, which is not always the recommended version available from F-Droid. Recommended versions are marked with a star. For example, http://fossdroid.com/a/fdroid.html serves a download of 0.86 which is an unstable test version. All of this is handled better by the F-Droid client app. The way your site is set up now could lead to a poor user experience if they encounter problems with unstable versions of apps that shouldn't be downloaded by default.

Being open source, you're free to do whatever you like, but I suggest you talk with the F-Droid devs to make sure everything is mutually beneficial.

Ok thanks, I added this issue :) I hope to fix this soon.

Please include a short About section telling us so (can link to a longer About page).

Always imagine someone stumbles over your page, not knowing what it's about at all.

Thanks for the suggestion, I added an "About" page with a short info and changelog.

I really like the popular "popular" sections, the one thing that's missing from f-droid. What could be improved:

1. HTTPS, especially for APK downloads

2. Information about the APKs: built/signed by whom

Thanks for the suggestions :)

And if you're going to add signatures please don't make them MD5/SHA1. I don't understand why so many sites still offer those. Is it some default feature of some software stack where developers just "check" a button for signatures and it only supports MD5/SHA1? Otherwise I can't explain it.

In Windows world, you basically have to use SHA1 digests for digital signatures (though you use SHA2 certs to do the signing) as Windows XP doesn't support SHA2 at all, Windows Vista SP1 or SP2 prior to a patch a few years ago won't run the EXE or show an error due to a buffer overrun, and Windows Vista's Internet Explorer fully patched will show the download as "reported unsafe" due to an unfixed bug in IE.

What do APK signatures have to do with Windows?

I was giving an example of a context when using something stronger than SHA1 doesn't work even though it is supported. To show that there are sometimes reasons other than laziness and on the off chance that there may be something similar with specific versions of Android or possibly some software that deals with APKs.

I recommend RSA (GnuPG) or Ed25519 signatures with two key pairs: A weekly/monthly signing key pair, and a long-term one that is only used to validate the short-term public key.


That's an excellent way to ensure nobody checks your signatures, though. Making it hard means they will be ignored.

Key rollover and certificate trust chains don't work in Android world.

Google has made it so you can't enforce APK signatures via PKI on android os. Gee, I wonder why!

Sure you can. Android itself just doesn't do it for you, but the F-Droid installer could very well verify the APK before installing it.

Verifying signing keys is one thing, but even better, f-droid.org can verify that the APK builds 100% from source, and that the APK f-droid.org builds matches the developer's official released APK: https://f-droid.org/wiki/page/Deterministic,_Reproducible_Bu...

No doubt. But it's pretty funny that Google refuses to add a few lines of code to do it via the OS installer.

What would the OS check the signature against, though? The certs that come with the OS are for validating sites, not apps, so passing a check wouldn't tell you much. It seems that Android would have to add a whole new cert store (and mechanism for adding certs), not just a couple of lines.

That's not true at all. CA and leaf Certs have extensions and policies and can be used for any particular purposes. All the cert verification has to do is check for the code signing extension / policy.

You can use a self-signed certificate to sign APKs. Once you publish the signed package, you have to use this same certificate for the package forever.

When updating, the system checks, whether the newer APK is signed by the same certificate and refuses update, if the certificate differs.

It simply does not matter, whether your cert is vetted by CA or not. So using PKI would not make sense there.

The rationale was not forcing the developers to purchase signing certificates in order to publish for the platform. It does not make a difference anyway.

The rationale was that Google doesn't want a secure code signing mode as it would undermine their thesis that turning off the Google Play store is insecure.

At least even MacOS has an App Store + Identified Developers. Though of course, iOS doesn't have that..

> it would undermine their thesis that turning off the Google Play store is insecure.

I don't quite understand. How do you turn off the Play store?

It is necessary to make a distinction between what you want to believe and the reality. The reality is, that requiring validated keys would put the keys to the "official Android" kingdom into CA's hands. In addition, because Android is an open-source project, any alternative distribution would disable that. It would cause real fragmentation of the platform, where apps would run on one distribution and not on another, the difference would be only the signature. Google (correctly) decided, that they do not have to fight this fight.

A side note: getting CA verified can be a problem in some parts of the world. What if you are Chinese? Crimean? You can still use Android as it is; you can't use any platform that requires you to be "Identified" by a CA.

It is worth keeping in mind that the download stats which determine popularity [0, 1] should be consumed with care. They represent HTTP requests which hit the server to download a particular apk file. Thus, things such as web crawlers can trigger downloads, which result in incrementing the download count.

Having said this, they definitely seem to be useful as a general rule of thumb about how apps are more popular, _relative to other apps_.

[0] - https://gitlab.com/fdroid/fdroiddata/blob/master/stats/total...

[1] - https://gitlab.com/fdroid/fdroiddata/blob/master/stats/total...

Now Fossdroid is on HTTPS

Great site and nice UI. Congratulations.


1. Couldn't find an option to add my app.

2. Screenshots of apps would be nice (some people might be more interested in the app itself than in the source code).

> Couldn't find an option to add my app

You can add your app by submitting it to F-Droid. This is just a front end.

Yeah screenshots would be a huge improvement.

Any advantages or differences over F-Droid, sans the glossier UI?

Popularity data, just this...it's a side project :)

Why not contribute to F-Droid, rather than 'reinvent the wheel?' https://f-droid.org/contribute/

Your site looks great and I don't mean to take anything away from it, but when I see something like this I think of it as merely an art project, something I might see on Dribbble. I would never download APKs from here for example, but have no problem trusting F-Droid's APKs.

I know, it's a side project to learn Symfony 2. I love the F-Droid project so I made this web app. I've contacted the authors of F-Droid before doing this. Thanks :)

Your project looks great! Is its source available?

It'd be nice to add a link to the f-droid page for each application, where such a page exists.

I will do it! Thanks for the suggestion.

Excellent, good to know that.

Competition is contribution.

The relationship between LLVM and GCC is an example for this aphorism.

Fragmentation can severely negatively impact a project as well.

LLVM exists because no amount of contribution to GCC will accomplish LLVM's goals (licensing and modular design).

> Fragmentation can severely negatively impact a project as well.

Natural selection. The losers die so the winners can take up more resources. That'd be a contribution to the shared goal.

> LLVM exists because no amount of contribution to GCC will accomplish LLVM's goals (licensing and modular design).

The reason why the competition exists doesn't matter. But the competitive pressure that results from its existence does.

In real life, it doesn't work that way.

Imagine there is an open-source project. Its development is active, many people are contributing patches, all is well.

Then, the maintainer disappears. Forks start to appear, but as there is no centralized development any more, all you can find is a dozen forked GitHub repositories, each with a few improvements - but, without getting your hands dirty, you have to choose only one.

Eventually, someone comes along and rallies together the forks and revives the project. You may think that all is well again, but suddenly the original project maintainers return and continue development in a direction incompatible with the main fork. Neither project's leaders show interest in uniting the forks back together.

What's worse, now you have a bunch of other open-source projects that depend on the original version, and a bunch which depend on the fork. In many cases (e.g. libraries) you can't use both the original and the fork simultaneously, meaning you can't use any components that depend on both forks in the same project. And now you have a huge mess on your hands.

This or similar situations have happened many times before. I can name 3 projects that have suffered this fate off the top of my head, projects that I've been personally involved with.

Fragmentation is bad. Forking should be a last resort.

Could you name these 3 projects?

I almost completely agree with CyberShadow, though the problem with fragmentation isn't only caused by forks...my rant on this http://gondwanaland.com/mlog/2013/10/22/open-source-prolifer...

But fragmentation is going to happen and occasionally something really better comes along that wouldn't have from improving existing things. So I'm just as interested in making 'natural selection' work better. Now, it's extremely hard for it to operate, because it's hard to discern differences among similar projects, let alone which is better. Popularity data might help a little bit.

Has anyone figured out how to distribute an Android Wear app outside of the Play store? How would I get it on F-Droid?

In development I can load the APK directly to the watch, but how will my users do it? Android Studio packs the wear.apk inside of the mobile.apk but your phone won't upload the wear.apk to your watch unless it comes from Google (at least in my experience).

1. Resize the browser so the hamburger menu is shown,

2. Click it twice,

3. Resize the browser to its original size,

4. The sidebar has vanished forever.

Thanks, I will fix it :)

IMHO a big missing app in FOSS Android is a good offline maps & nav program. Nokia Maps are great, but closed. QT's Marble could fill in this gap, if ported.

I use OsmAnd all the time:





The interface took a little while to become used to, but in general I've found it to be an excellent GPS navigation tool.

Maps are downloaded, so everything works offline. I've used it extensively around Europe and especially in Austria.

Thanks, it was a bit buggy last time I tried. Besides, is navigation working well when offline?

Navigation works fine offline. To be honest, I don't think I've ever used it online.

I drove from Graz to Vienna last week. I know the way generally, but didn't really know where to go in Vienna. OsmAnd navigated me to where I needed to be, no problem. Then back out of the city and on to Krems. That's about a 275km journey.

I have had the app crash a few times, but that's only been when I'm out walking in the hills and using it as a walking GPS. Even though it's not open source I now use ViewRanger for this instead (apk available directly from their website, so you don't have to go via Google Play, although it is available there too).

I've used OsmAnd very successfully on both a Geeksphone Revolution and a Motorola Moto G 2nd Gen.

It works fine, way better than Gmaps does.

What rom do you use as a base?


I absolutely love this! Great job. For anyone looking to figure out how to build android apps and looking for source examples this is awesome. And the interface is much more accessible than f-droid.

My only suggestions would be to make the source and tracker links more prominent and flip newest so it's first or consider making separate menu points for each.

Also any link to the fossdroid src, quick google search for fossdroid didn't turn up anything for me.

Some of the best samples are from Google - https://developer.android.com/samples . They are some of the best examples of how to program Android, especially in terms of keeping to best practices and avoiding now-deprecated techniques.

The quality of Fossdroid/Fdroid apps is hit and miss - some are good, some not. I should know, some of my ports to Android are on it ( http://fossdroid.com/a/truly-creative-live-wallpaper.html ) where I'm still very nervous that critical sections survived my port safely.

Interesting design philosophy. I'm used to reading vertical lists, e.g. https://f-droid.org/repository/browse/?page_id=0&fdcategory=...

Reading a list sideways feels bizarre: http://fossdroid.com/c/system/

Intuitively I feel like my eyes are trained to flick sideways to read a short line and then down. Recalibrating to flicking sideways to read a short line, then moving sideways again a variable distance feels difficult.

Thanks for this!

Will try and learn how to make my own apps by reading the source of others.

We need to thank https://f-droid.org :)

Would be nice to have a 'Suggest an app' feature on the site.

fossdroid.com looks quite nice, a great start. As a big contributor to FDroid, I think it makes sense to run fossdroid.com as a separate project right now so it can develop fast on its own. Then we can figure out how best to integrate it with f-droid.org.

One thing that MUST be addressed before considering it something that people actually use is the total lack of HTTPS. This is not optional, and indeed should be mandatory like with https://f-droid.org and https://play.google.com.

I'd love to see more thinking about the detail view of the app. For example, there should be a "buy/donate" button, since many apps on fdroid have a way to accept donations. You can scrape that from the standard metadata or the `index.xml`. I think it would be best to present it like https://elementary.io does: force the user to click "Buy" with a recommended value, but let them set any value including 0.

Thanks for the reply: I added HTTPS and donate/license info.

I am so unbelievably stoked about your efforts, SnaKeZ! Thanks so so so much! Definitely keep conversation open with the f-droid devs!

Nice, how do I add mine? I'd like to keep the sources available on my wiki (mostly because that way I get a download count)

Something of a tangent, but I really wish it was possible to whitelist specific apps to act as "stores". Right now if I want to use F-Droid or similar I have to either leave my device open for others to also be able to install, or constantly juggle the "unknown sources" option.

You can! You just need to make the F-Droid app a System app, then it can install applications without having to keep the "unknown sources" options on.

You can use this app to do it: https://f-droid.org/repository/browse/?fdid=de.j4velin.syste...

You can also disable the "install" script and have it install stuff without any prompts like the play store, just go into the settings, scroll to the bottom and enable "Expert" and "Install using system-permission".

While we love more people testing the system/priv-app and root support in FDroid, keep in mind it is very very beta and not ready for general use. We did just have the core functionality professionally audited, and have fixed the issues they found.

Everything here implies one has root.

This is a nice way to feature and popularize open source software. It would be nice to have a way to integrate the repo with each individual app. Maybe the Play store should have a section like this.

Half the value in this is that it's not the Play store which is blocked in China and practically inaccessible on a phone without the Play store app pre-installed. And they won't let you install it yourself. You've really got to fight to get access.

Nice Job. How do you accept new entries?

Do you have/plan to build an installer app like the f-droid project? That app itself could use a modern design like you have done :-)

You submit new apps to F-droid. This is just a front-end to their database.

From a BlackBerry user's perspective, which of these apps need Google services to work? Would love to have apps that don't depend on the Google ecosystem.

Good to see a list of apps with source code!
