In the GrapheneOS forum, I encountered a claim that F-droid is insecure (and not good at privacy as well). These links (and more) were given as an evidence:
- https://privsec.dev/posts/android/f-droid-security-issues/
- https://xcancel.com/GrapheneOS/status/1883895255142932816#m
- https://github.com/obfusk/fdroid-fakesigner-poc
While there are some attitude against FOSS app, I think the arguments are generally sound and in good-faith. Which makes me confused, as I’ve been hearing good words about F-droid in lemmyverse.
I am not good at assessing arguments, so I want to ask you guys for more aspects and information.
Also, if not F-droid, what should I use? Is Aurora store, a frontend of play store, not fine to use as well?
Wrong, F-Droid is and has libre software. We control it.
Meanwhile, GrapheneOS has Accrescent spreading software which fails to include a libre software license text file, software we do not control, dangerous!
Tech talk is a confusion strategy to derail us and ‘open source’ is another. With it, their scam cannot get more blatant.
Warning, Accresent from the GrapheneOS Store does this and Privacy Guides does this too, smuggling it mixed in with good information, so always think for yourself. This is one of the few ways to trick us that sometimes actually works, so watch out for it.
Can we use GrapheneOS with F-Droid and without Accrescent? Yes.
Aurora Store (libre) replaces the Google Store app (anti-libre) but spreads other anti-libre software, harm reduction but not harmless.
Obtainium does nothing to check apps are libre software.
Why does including a text file have anything to do with control?
Not any text file. Read that again.
I did I must be missing something…
Also what is “Accrescent spreading software”? I searched for it and it looks like it’s just an app store like f-droid?
Not any software. Read more than half a sentence.
Ok, I’ve been trying to understand what you mean and one-line snarky replies are not helping your case.
Let’s be careful to remember that there are different levels of effort and understanding required for different levels of security and privacy. GrapheneOS has taken the approach of offering harm reduction, with sane defaults and options that allow advanced users to take near-complete control over their device (within the limits of the Pixel hardware). This is obvious by their inclusion of the sandboxed Google Play Store as a major feature of the OS, as it is much better than the situation on Google’s Android. It is also not installed by default, forcing users to at least somewhat educate themselves in order to install it.
Accrescent is right in line with this philosophy, and is also not installed by default. Of course if your threat model (or desire) is to achieve the highest level of online anonymity and to have a completely FOSS system, you should not use it… of course you probably shouldn’t use FDroid either, in that case, and should build from source. However, you are clearly in a situation where your threat model does not require those lengths, and FDroid is more of a principled choice.
I think its pointlessly inflammatory to call Accrescent “dangerous” just because it allows for non-FOSS software. Now if you want to criticize whether or not it is fulfilling its stated goals, that is another story.
It is simple language and when you read the whole comment you will see harm reduction is not bad. They keep saying ‘Free and Open Source Software’ but remember what I said.