this post was submitted on 25 Oct 2024
66 points (98.5% liked)

F-Droid

8080 readers
17 users here now

F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

Website | GitLab | Mastodon

Matrix space | forum | IRC

founded 3 years ago
MODERATORS
66
submitted 3 weeks ago* (last edited 3 weeks ago) by Imhotep to c/[email protected]
 

any info on this?

edit: I just saw there's already a post
https://lemmy.sdf.org/post/24219041

top 22 comments
sorted by: hot top controversial new old
[–] [email protected] 19 points 3 weeks ago (1 children)

It's probably related to this: https://gitlab.com/relan/fennecbuild/-/merge_requests/63

F-droid Fennec had build problems lately due to google removing big dependencies from its android package repo or whatever, so it's well out of date for now. The latest version there has at least that one well-known security problem that was in the news a few weeks ago. I don't know why you're getting notified about it now, I have it installed and didn't see that. But if you're risk-averse then you probably shouldn't currently be using it to visit websites that might be malicious.

Recent comments over there suggest that progress is being made at last.

[–] [email protected] 3 points 3 weeks ago (1 children)

I use mull from f-droid, and f-droid started showing that when upgrading Today to version 1.21.1. No idea why until this f-droid app upgrade.

I guess the mull issue is the same. Both fennec and mull are at the same version on f-droid, 129.0.2, and both show in their anti-features that the app contains a known security vulnerability, indicating firefox has fixed several security vulnerabilities since 130.

Is it right to hope that once fennec can get distributed on f-droid, then mull will follow? I'm not planning to move away from mull.

Thanks !

[–] [email protected] 3 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

I use mull from f-droid, and f-droid started showing that when upgrading Today to version 1.21.1. No idea why until this f-droid app upgrade.

I guess the mull issue is the same. Both fennec and mull are at the same version on f-droid, 129.0.2, and both show in their anti-features that the app contains a known security vulnerability, indicating firefox has fixed several security vulnerabilities since 130.

divestOS repo is on 131.0.3 for mull

[–] [email protected] 4 points 3 weeks ago (1 children)

Oh, you mean using divestos-fdroid-repo? Well, before it became part of official f-droid I used to do that. I'm not sure how long it'll take to fix the official f-droid.org builds though, since I'd like to go back to it. The sad thing is that to move from one repo to another one loses all configurations/settings, :( But perhaps it's truly unsafe to wait until the build on f-droid.org gets fixed, if it ever does it.

Anyone aware if there are efforts to get it back building for f-droid.org? Does it depend on the Fennec issue getting resolved?

[–] [email protected] 1 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

Yes, there are efforts to build these two and more apps affected by the issue preventing updates to be built

The issue preventing updates should be resolved soon thanks to @linsui fixing it!

Source: https://forum.f-droid.org/t/fennec-vulnerability-recommended-to-uninstall/28826/2

[–] [email protected] 1 points 2 weeks ago (1 children)

Cool, many thanks ! I'll just wait a littloe longer then...

[–] [email protected] 1 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

I'm not sure that's a great idea. I understand wanting to avoid the hassle of reinstalling Mull and having to go through all the Settings again (I just did that a couple of days ago), so if you want to keep your current F-Droid Mull install I'd recommend installing another updated flavour of Firefox, like Fennec or Iceraven, using FFUpdater (https://f-droid.org/packages/de.marmaro.krt.ffupdater/) and using that one until the updated Mull is pushed to the F-Droid official repository.

[–] [email protected] 1 points 2 weeks ago

good idea, thanks !

[–] Papanca 6 points 3 weeks ago (1 children)
[–] [email protected] 7 points 3 weeks ago

You can install Mull via the divestos f-droid repo: https://divestos.org/pages/our_apps#repos Here's a discussion on this on a German IT security forum: https://www.kuketz-forum.de/t/sicherheitswarnung-fennec-und-mull-bei-f-droid/10025

[–] [email protected] 5 points 3 weeks ago (2 children)

Wasn't Fennec a couple of major revisions behind due to build issues, and one of said major revisions was a zero-day fix, so yeah, Fennec would be vulnerable.

(I dumped it about two weeks ago once I noticed that it was behind the security patch curve.)

[–] [email protected] 5 points 3 weeks ago (1 children)

Next time make a post 2 weeks ago. Best to voice concern over things you notice. The person who discovered the XZ backdoor did that and it caught a disaster.

[–] [email protected] 1 points 2 weeks ago

Fennec being a delayed build has been a thing for years at this point: it's a pain in the ass to get built and in f-droid. I mean, just google 'fennec f-droid out of date' and you'll see people talking about this going back to 2020.

I didn't exactly find a stunning shocking unknown thing: Fennec is slow on builds, it got outdated, there was a zero-day in older Firefox versions, and so bam: there's a security issue in Fennec.

Might be worth adding the Firefox security RSS feed for anyone using Firefox or a derivative browser so that you've got the best information about issues like this.

[–] Imhotep 1 points 3 weeks ago (1 children)

So what do you use instead?

[–] [email protected] 7 points 3 weeks ago (1 children)

I just installed standard Firefox until they've sorted out their build issues.

[–] Imhotep 2 points 3 weeks ago (3 children)

From the Play store/Aurora, or is there another way? I remember an app on fdroid that would install different mozilla browsers but I can't find it

[–] [email protected] 5 points 3 weeks ago (1 children)
[–] Imhotep 3 points 3 weeks ago

That's the one. It doesn't come up when I search either firefox or mozilla

[–] [email protected] 5 points 3 weeks ago (1 children)

I'm not deGoogled, so I just did the play store version, so I'm not sure where else you might grab it.

[–] [email protected] 2 points 2 weeks ago

APK Mirror?

[–] [email protected] 3 points 3 weeks ago

Iceraven is one alternative worth considering.

[–] [email protected] 2 points 3 weeks ago* (last edited 3 weeks ago)

Don't use the unpatched version. I'd uninstall it personally. I fixed mine (Mull) by switching to the Divest repo.