this post was submitted on 15 Jun 2023
14 points (88.9% liked)
Jerboa
10135 readers
2 users here now
Jerboa is a native-android client for Lemmy, built using the native android framework, Jetpack Compose.
Warning: You can submit issues, but between Lemmy and lemmy-ui, I probably won't have too much time to work on them. Learn jetpack compose like I did if you want to help make this app better.
Built With
Features
- Open source, AGPL License.
Installation / Releases
Support / Donate
Jerboa is made by Lemmy's developers, and is free, open-source software, meaning no advertising, monetizing, or venture capital, ever. Your donations directly support full-time development of the project.
Crypto
- bitcoin:
1Hefs7miXS5ff5Ck5xvmjKjXf5242KzRtK
- ethereum:
0x400c96c96acbC6E7B3B43B1dc1BB446540a88A01
- monero:
41taVyY6e1xApqKyMVDRVxJ76sPkfZhALLTjRvVKpaAh2pBd4wv9RgYj1tSPrx8wc6iE1uWUfjtQdTmTy2FGMeChGVKPQuV
- cardano:
addr1q858t89l2ym6xmrugjs0af9cslfwvnvsh2xxp6x4dcez7pf5tushkp4wl7zxfhm2djp6gq60dk4cmc7seaza5p3slx0sakjutm
Contact
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Do you know why the signatures would be different? At my company we release our app on Google play, galaxy and Amazon store and I'm pretty sure we use the same signing key for each
because fdroid build all of their apps themselves, so every app on the fdroid repo uses the fdroid signing key
Interesting, I was not aware of that. sounds like a security risk, as you don't know who actually published it, but I guess since its open source that doesn't really matter as much
It's actually the opposite, an evil developer could upload in GitHub an apk with malware not included in the source, while fdroid guarantees that it matches with the source published
You know who published it. It's the fdroid devs. Fdroid follows very much the old Linux repository philophosy where the owner of the repo acts as a middleman, providing the central layer of trust. You don't have to trust the developers because the distributor has done their due diligence and checked it. That's why fdroid takes a couple of days to push updates. They are doing some basic quality control first.
This model made a lot of sense in the world of traditional Linux packaging, where every obscure distribution has their own package format and developers couldn't possibly be expected to support all of these. It makes less sense on Android (or in a word where flatpak exists for that matter).
Quite the opposite. From the user perspective, it's much easier to trust the repository than trusting every single developer not losing their password. In case of OSS it also ensures reproducible builds.
I'd recommend giving this article a read, just to inform you about f-droid client https://privsec.dev/posts/android/f-droid-security-issues/
An alternative client being Neo Store
i believe it's to make sure that the source code actually builds to the promised app, which i guess you could check yourself but fdroid makes it easier