• FutileRecipe@lemmy.world
      3 months ago

      Or “just get it from Accrescent and be done with it?” Are you implying if you get it from Accrescent, you’re somehow not done with it? Sorry, I don’t follow your logic.

      Also, no thanks on F-Droid, as GrapheneOS recommends against it and there are multiple security issues:

      “F-Droid has far too many security and trust issues for us to recommend it. The vast majority of apps in the official F-Droid repository are built on their sketchy infrastructure and signed with their own keys. We’re concerned about a future mass compromise of F-Droid users.”

      https://x.com/GrapheneOS/status/1803185925112934533

      https://privsec.dev/posts/android/f-droid-security-issues/

      • Possibly linux@lemmy.zip
        3 months ago

        Graphene OS is not a good source of information. I call BS on anyone calling F-droid insecure. If you have a better option that is fine but Graphene does not have a better offering. F-droid is the best we have.

        • ᗪᗩᗰᑎ@lemmy.ml
          3 months ago

          I would trust GrapheneOS, but understand that everyone has their own tolerances for security and the Graphene project is probably at the highest levels.

          The GrapheneOS devs were right about F-Droid being less secure when they would sign other devs’ apps. This meant that if anyone were to hack F-Droid, they would get full access to every device using an app installed by them. This issue was fixed just last September.

          Now that F-Droid fixed this issue, the responsibility falls on each individual developer to secure their signing keys. Should an app’s signing key be compromised, it would now only impact users with that app installed. Security is about layers, not 100% foolproof solutions.

        • FutileRecipe@lemmy.world
          3 months ago

          “Graphene OS is not a good source of information.”

          They’re not a good source of information on Android security? Granted, they’re not perfect, but they are one of the leading teams in terms of Android security. I call BS on anyone calling GrapheneOS a bad source of information for Android security lol.

          News regarding vulnerabilities reported to Google and physical attack roadmap

          Improvements to factory resets by Google due to reports by GrapheneOS

      • ᗪᗩᗰᑎ@lemmy.ml
        3 months ago

        That’s old info. Apps are now signed by the developers on F-Droid since about a year ago:

        “but now with reproducible builds F-Droid ships APKs that are signed by the upstream developer(s).”

        Source: https://f-droid.org/2023/09/03/reproducible-builds-signing-keys-and-binary-repos.html

        EDIT: I should note this doesn’t address the other issues in your second link (I have twitter blocked, can’t see that link) but it does fix the primary issue of the apps originally not being signed by the developer.