Back

@aaribaud @ploum @protonmail
Same, I dont see it atm.

@LenticularCloud @aaribaud @protonmail : I have it in the Izzyondroid repository:

https://apt.izzysoft.de/fdroid/index/apk/ch.protonmail.android

@ploum @LenticularCloud @aaribaud @protonmail IzzyOnDroid is not F-Droid. When you add a third party repository to F-Droid, you get apps directly from that repository without *any* checks from F-Droid.

Izzy is pretty trustworthy, his repo grabs apps straight from GitHub/GitLab/etc. of the developers, but there are no checks if the .apk file matches the source code in question and apps may contain proprietary code.

But yeah, Proton Mail is not in F-Droid. It is in IzzyOnDroid. Not the same.

@SylvieLorxu @LenticularCloud @aaribaud @protonmail : for something as sensible as Protonmail, it would be interesting to know exactly who have pushed this and how we can trust that person.

@ploum @LenticularCloud @aaribaud @protonmail I mean, if you use the IzzyOnDroid repository you trust @IzzyOnDroid to pull it in from the official source and not do anything weird :)

I personally do trust him a lot and I think he has a well-deserved reputation of trustworthiness after years of running IzzyOnDroid.

For context, his website on https://apt.izzysoft.de/fdroid/index/apk/ch.protonmail.android states the .apk file comes from https://github.com/ProtonMail/proton-mail-android

@SylvieLorxu @ploum @LenticularCloud @protonmail @IzzyOnDroid

For the record: in the risk scenario(s) that I imagined with the "fetch APKs" model, IzzyOnDroid never was the bad actor -- after all, they could not tamper with the APKs they fetch without ruining the cryptographic signatures.

The actual risk scenario would be that a github repo owner build an APK from sources other than those on the repo and upload it to the repo, then have IzzyOnDroid fetch it.

[1/2]

@aaribaud @SylvieLorxu @ploum @LenticularCloud

"The actual risk scenario would be that a github repo owner build an APK from sources other than those on the repo and upload it to the repo"

That indeed is a real risk as I have no means to check that. There are other checks in place (library scanner, VT etc) which should reduce the risk of "bad stuff" – but a little risk always exists. So you need to trust the developer, too…

@IzzyOnDroid @aaribaud @SylvieLorxu @LenticularCloud : wait a minute… You mean that IzzyOnDroid repository is a one-person-project ?

If that’s the case, good job! Thanks for that, it is really useful.

@ploum it indeed mostly is. The entire framework and all (see https://gitlab.com/IzzyOnDroid/repo/). There were some contributions, and I got some help on questions – but for the most part (95%?) it's just me… Same with the companion site at https://android.izzysoft.de/ and my eBook server at https://ebooks.qumran.org/ (see my profile here). Glad to read you find it helpful! @aaribaud @SylvieLorxu @LenticularCloud

@IzzyOnDroid @aaribaud @SylvieLorxu @LenticularCloud : if you ever open a French library, ping me! I will send you my own books.

@IzzyOnDroid : of course! Thanks a lot for you work and your time explaining it.

(BTW, your @Liberapay account is not configured to accept donations)

@ploum Yeah, @Liberapay currently does not offer a "payout" option I could use. When I set up my account there, it was still possible to withdraw via SEPA transfer – but their payment provider for that stupidly kicked them out (for reasons that would also apply to Flattr, which they to my knowledge still support). I still hope one day SEPA will be possible again. Until then, please see https://android.izzysoft.de/help?topic=support_us for alternative options. Thanks a lot for considering!