F-Droid

We got a report of a bug in our certificate pinning code. We confirm that this bug exists and currently does not affect f-droid.org. This bug can only be exploited when an upstream project is compromised first, and only new installations will be affected. Therefore, we consider this bug of low urgency. We're looking into the reporter's patches and thank them for their work.

Further work on this gets tracked at gitlab.com/fdroid/fdroidserver

AllowedAPKSigningKeys can be bypassed for APKs with v1-only signatures (#1251) · Issues · F-Droid / fdroidserver · GitLab
(Since we've been discussing this on an internal chat, and I couldn't find an issue for this, I'm starting a new one to keep track of this)

@fdroidorg please do look into it. Supply chain attacks are a thing lately.

@tinx @fdroidorg this is not a classical supply chain attack. It's just about one of F-Droid's safeguards malfunctioning under very specific conditions. It's fixed. I've also looked into it, and as far as I can tell on f-droid.org only 14 apps were susceptible, and I couldn't find any evidence of active exploits.

(Unsurprisingly so, because for this to work an attacker would have to hack an app upstream first. When an attacker is in that position, there are way easier routes to do damage.)