Recent searches
Search options
Administered by:
Good news, the @protonmail android app is now available on F-Droid. (EDIT: through the IzzyOnDroid repository)
Is it official? I do not install something like that without official confirmation. (EDIT: It is not endorsed by Proton, it is not official)
@ploum @protonmail I only see the ProtonVPN app on F-Droid. What's the URL for the ProtonMail one?
@aaribaud @ploum @protonmail
Same, I dont see it atm.
@ploum @LenticularCloud @aaribaud @protonmail IzzyOnDroid is not F-Droid. When you add a third party repository to F-Droid, you get apps directly from that repository without *any* checks from F-Droid.
Izzy is pretty trustworthy, his repo grabs apps straight from GitHub/GitLab/etc. of the developers, but there are no checks if the .apk file matches the source code in question and apps may contain proprietary code.
But yeah, Proton Mail is not in F-Droid. It is in IzzyOnDroid. Not the same.
@SylvieLorxu @LenticularCloud @aaribaud @protonmail : for something as sensible as Protonmail, it would be interesting to know exactly who have pushed this and how we can trust that person.
@ploum @LenticularCloud @aaribaud @protonmail I mean, if you use the IzzyOnDroid repository you trust @IzzyOnDroid to pull it in from the official source and not do anything weird :)
I personally do trust him a lot and I think he has a well-deserved reputation of trustworthiness after years of running IzzyOnDroid.
For context, his website on https://apt.izzysoft.de/fdroid/index/apk/ch.protonmail.android states the .apk file comes from https://github.com/ProtonMail/proton-mail-android
@SylvieLorxu @ploum @LenticularCloud @protonmail @IzzyOnDroid
For the record: in the risk scenario(s) that I imagined with the "fetch APKs" model, IzzyOnDroid never was the bad actor -- after all, they could not tamper with the APKs they fetch without ruining the cryptographic signatures.
The actual risk scenario would be that a github repo owner build an APK from sources other than those on the repo and upload it to the repo, then have IzzyOnDroid fetch it.
[1/2]
@aaribaud @SylvieLorxu @ploum @LenticularCloud
"The actual risk scenario would be that a github repo owner build an APK from sources other than those on the repo and upload it to the repo"
That indeed is a real risk as I have no means to check that. There are other checks in place (library scanner, VT etc) which should reduce the risk of "bad stuff" – but a little risk always exists. So you need to trust the developer, too…
@IzzyOnDroid @aaribaud @SylvieLorxu @LenticularCloud : wait a minute… You mean that IzzyOnDroid repository is a one-person-project ?
If that’s the case, good job! Thanks for that, it is really useful.
@ploum it indeed mostly is. The entire framework and all (see https://gitlab.com/IzzyOnDroid/repo/). There were some contributions, and I got some help on questions – but for the most part (95%?) it's just me… Same with the companion site at https://android.izzysoft.de/ and my eBook server at https://ebooks.qumran.org/ (see my profile here). Glad to read you find it helpful! 
@aaribaud @SylvieLorxu @LenticularCloud
@IzzyOnDroid @aaribaud @SylvieLorxu @LenticularCloud : I’m a bit confused about the F-droid process. Who decide what goes on the F-droid official repository and how do you ensure you don’t duplicate too much with them ?
@IzzyOnDroid@floss.social@ploum @aaribaud @SylvieLorxu @LenticularCloud F-Droid has its own inclusion process via its own GitLab repos. I'm one of the maintainers there, too, so I get an idea what ends up there. And my framework also includes a "duplicate checker": once an app from my repo appears at F-Droid, I usually remove it from mine (unless the author explicitly asks me to keep it). In the other direction, I usually do not include apps already at F-Droid, with very few exceptions (e.g. updates stuck there).
@IzzyOnDroid @aaribaud @SylvieLorxu @LenticularCloud : so your repository is akind of an "experimental" one? With the ultimate goal of having everything on F-Droid?
How could an update be stuck on F-Droid if you can update it on your repo and are also a maintainer of F-Droid?
(might be silly questions, sorry for that, trying to learn)
@ploum @aaribaud @SylvieLorxu @LenticularCloud experimental: not really. My inclusion criteria are a little less strict, so I can cover apps F-Droid can't. And give devs a chance to "step up". So far almost 500 apps started in my repo have moved on to F-Droid exclusively.
And updates can get stuck if builds fail, e.g. because of technical problems with the code/build. Most of those fails are fixed quickly, but not all can. Eg a minor non-free component is not allowed at F-Droid but maybe here.
Hey @IzzyOnDroid
Great job, as I learn IzzyOnDroid is a one-man band !!!
I knew about this repo but never tried it.
After seeing this thread, very masto-like (open-minded, respectful and constructive), I'll add it to FDroid and give it a try !
Cheers!