this post was submitted on 08 Jul 2023
200 points (98.5% liked)

Android

17722 readers
40 users here now

The new home of /r/Android on Lemmy and the Fediverse!

Android news, reviews, tips, and discussions about rooting, tutorials, and apps.

🔗Universal Link: [email protected]


💡Content Philosophy:

Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.


Support, technical, or app related questions belong in: [email protected]

For fresh communities, lemmy apps, and instance updates: [email protected]

💬Matrix Chat

💬Telegram channels / chats

📰Our communities below


Rules

  1. Stay on topic: All posts should be related to the Android OS or ecosystem.

  2. No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to [email protected].

  3. Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to [email protected].

  4. No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.

  5. No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.

  6. No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.

  7. No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.

  8. No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.

  9. No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!

  10. No affiliate links: Posting affiliate links is not allowed.

Quick Links

Our Communities

Lemmy App List

Chat and More


founded 1 year ago
MODERATORS
 

Awesome app. It is somehow not listed on android-foss list so maybe someone didn't know about it.

Obtainium allows you to install and update Open-Source Apps directly from their releases pages, and receive notifications when new releases are made available.

GitHub page: Link.

you are viewing a single comment's thread
view the rest of the comments
[–] itadakimasu 3 points 1 year ago (1 children)

The developer(s) could slip something nefarious in easily. We're putting all our faith into developers that could be anybody

[–] [email protected] -3 points 1 year ago (1 children)

The developer of obtainium or the packages we're installing? I'll assume the former. If you're skeptical about obtainium you could still use it as a source to monitor && notify and then do your install manually.

[–] [email protected] 0 points 1 year ago (1 children)

No, the developers of the apps you are installing through obtainium.

[–] [email protected] 3 points 1 year ago (1 children)

How does f-droid solve this problem? From my understanding they confirm that the .apk provided by the dev matches what compiles from source and run it through Virus Total. Those are trivial steps for a malicious dev to take to slip in something nefarious.

At that point you're relying on the community to check every commit for nefarious code $x. Not to mention they could simply build up community trust for some time before slipping in the code, since they'd effectively be burned once (if?) their very first shady code commit is found.

I can't imagine f-droid would go on the hook and say everything they build is also code reviewed for malicious stuff, right?

[–] [email protected] -2 points 1 year ago (1 children)

They don't just confirm it, the apk you download from fdroid is compiled by them from the source code. And sure, they're not reviewing all the source code for all apps they build, but it's still one added layer of security.

[–] [email protected] 1 points 1 year ago

The apk isn't always what f-droid compiles. There's two scenarios where they publish the apk signed by the developer.

https://f-droid.org/docs/Reproducible_Builds/

It's one added layer of security to you, but to others it's a man in the middle that could be an extra attack vector.

If you don't trust the dev to put out an apk that's compiled from their public source why are you trusting any of your data with them?