(Go: >> BACK << -|- >> HOME <<)
Jump to content

F-Droid: Difference between revisions

From Wikipedia, the free encyclopedia
Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
→‎Client application: Use png instead of svg for "Get it on F-Droid" badge to show correct font
Eighthave (talk | contribs)
195 edits
update Key management paragraph
Line 54: Line 54:


=== Key management ===
=== Key management ===
Marlinspike has also been critical of F-Droid's approach to application signing in the main repository.<ref name="moxie-127-1">{{cite web|url=https://github.com/WhisperSystems/Signal-Android/issues/127#issuecomment-13447074|title= moxie0 commented Feb 12, 2013 |date=2013-02-12}}</ref> Applications distributed via the [[Google Play]] store are [[Digital signature|signed]] by the developer of the application, and the [[Android (operating system)|Android operating system]] checks that updates are signed with the same [[Key (cryptography)|key]], preventing others from distributing updates that the developer themselves did not sign.<ref name="moxie-127-1" /><ref>{{cite web|url=https://developer.android.com/tools/publishing/app-signing.html|title=Signing Your Applications|publisher=Google}}</ref> When F-Droid signs the binaries, the application user needs to [[Trusted system|trust]] F-Droid rather than the developer of the application, that no malicious update to an application is distributed.<ref name="moxie-127-1" />
In 2013, Marlinspike was also critical of how F-Droid manages the signing keys for applications in the main repository.<ref name="moxie-127-1">{{cite web|url=https://github.com/WhisperSystems/Signal-Android/issues/127#issuecomment-13447074|title= moxie0 commented Feb 12, 2013 |date=2013-02-12}}</ref>. The [[Android (operating system)|Android operating system]] checks that updates are signed with the same [[Key (cryptography)|key]], preventing others from distributing updates that are signed by a different key.<ref name="moxie-127-1" /><ref>{{cite web|url=https://developer.android.com/tools/publishing/app-signing.html|title=Signing Your Applications|publisher=Google}}</ref>. Originally, the [[Google Play]] store required applications to be [[Digital signature|signed]] by the developer of the application, while F-Droid only allowed it's own signing keys. As of 2017, Google Play encourages developers to let Google Play manage the signing keys,<ref name="play-stores-keys">{{cite web|url=https://android-developers.googleblog.com/2017/09/enroll-for-app-signing-in-google-play.html|title=Enroll for app signing in the Google Play Console & secure your app using Google’s robust security infrastructure |publisher=Google}}</ref> offering a similar service to what F-Droid has offered since 2011. And F-Droid now lets developers use their own keys via the reproducible build process.<ref>{{cite web|url=https://f-droid.org/docs/Reproducible_Builds/|title=Reproducible Builds|publisher=F-Droid}}</ref>



== See also ==
== See also ==

Revision as of 20:20, 10 July 2018

F-Droid
Developer(s)Ciaran Gultnieks, F-Droid Limited
Initial release29 September 2010 (2010-09-29)
Repository
Written inPython language (server), PHP (site), Java language (client)
Operating systemFreeBSD and Linux (server), Android system (client)
TypeDigital distribution of free software, Software repository
LicenseGNU GPLv3+
Websitef-droid.org

F-Droid is a software repository for Android system, similar to the Google Play store. The main repository, hosted by the project, contains only free libre software apps. Applications can be browsed and installed from the F-Droid website or client app without the need to register for an account. "Anti-features" such as advertising, user tracking, or dependence on nonfree software are flagged in app descriptions.[2] The website also offers the source code of applications it hosts, as well as the software running the F-Droid server, allowing anyone to set up their own app repository.[3][4][5]

History

Development of F-Droid data over time[6]

F-Droid was founded by Ciaran Gultnieks in 2010. The client was forked from Aptoide's source code.[7][8] The project is now run by the English non-profit F-Droid Limited.[8]

Replicant, a fully free software Android operating system, uses F-Droid as its default and recommended app store.[9][10] The Guardian Project, a suite of free and secure Android applications, started running their own F-Droid repository in early 2012.[11] In 2012 Free Software Foundation Europe featured F-Droid in their Free Your Android! campaign to raise awareness of the privacy and security risks of proprietary software.[12][13] F-Droid was chosen as part of the GNU Project's GNU a Day initiative during their 30th anniversary to encourage more use of free software.[14]

In March 2016 F-Droid partnered with The Guardian Project and CopperheadOS with the goal of creating "a solution that can be verifiably trusted from the operating system, through the network and network services, all the way up to the app stores and apps themselves".[15][16]

Scope of project

The F-Droid repository contains a growing number of more than 2,600 apps, compared to over 1.43 million on the Google Play Store. The project incorporates several software sub-projects:

  • Client software for searching, downloading, verifying and updating Android apps from an F-Droid repository;
  • fdroidserver – tool for managing existing and creating new repositories.
  • WordPress-based web front end to a repository.

F-Droid builds apps from publicly available and freely licensed source code. The project is run entirely by volunteers and has no formal app review process.[17] New apps are contributed by user submissions or the developers themselves. The only requirement is that they be free of proprietary software.[18]

Client application

"Get it on F-Droid" badge

To install the F-Droid client the user has to allow installation from "Unknown sources" in Android settings[19] and retrieve the APK (installable file) from the official site. Installation is not available through the Google Play store due to the non-compete clause of the Google Play Developer Distribution Agreement.[20]

The client was designed to be resilient against surveillance, censorship, and unreliable Internet connections. To promote anonymity it supports HTTP proxies and repositories hosted on Tor hidden services. Client devices can function as impromptu "app stores" distributing downloaded apps to other devices over local Wi-Fi, Bluetooth, and Android Beam.[21][22] The F-Droid client app will automatically offer updates for installed F-Droid apps. When the F-Droid Privileged Extension is installed updates can also be conducted by the app itself in the background. [23] The extension can be installed via rooting, or by flashing a zip file on the device.[24]

The main F-Droid repository uses its own keys to sign packages, so apps previously installed from another source must be reinstalled to receive updates.[25]

Criticism

F-Droid has received criticism for distributing out-of-date versions of official applications and for its approach to application signing.

Out-of-date versions

In 2012, security researcher and developer Moxie Marlinspike criticised F-Droid for distributing out-of-date versions of TextSecure which contained a known bug that had been fixed in the official application. F-Droid removed the application from the repository at the request of Marlinspike.[26] Marlinspike later criticised the project's handling of the issue, stating that they "mischaracterized the scope of [the] bug" and were "incredibly immature" in their post announcing the removal, after he received email from users who had been misled by F-Droid's announcement.[27]

Key management

In 2013, Marlinspike was also critical of how F-Droid manages the signing keys for applications in the main repository.[28]. The Android operating system checks that updates are signed with the same key, preventing others from distributing updates that are signed by a different key.[28][29]. Originally, the Google Play store required applications to be signed by the developer of the application, while F-Droid only allowed it's own signing keys. As of 2017, Google Play encourages developers to let Google Play manage the signing keys,[30] offering a similar service to what F-Droid has offered since 2011. And F-Droid now lets developers use their own keys via the reproducible build process.[31]


See also

References

  1. ^ "Repository Maintenance". F-Droid. F-Droid. Retrieved 18 April 2018.
  2. ^ "Client 0.54 released". F-droid.org. 5 November 2013. Archived from the original on 26 April 2015. {{cite web}}: Unknown parameter |deadurl= ignored (|url-status= suggested) (help)
  3. ^ "F-Droid is the FOSS application store for your Android phone". androidcentral.com. 27 November 2012.
  4. ^ Tom Nardi (27 August 2012). "F-Droid: The Android Market That Respects Your Rights". thepowerbase.com. Archived from the original on 3 December 2013. {{cite web}}: Unknown parameter |deadurl= ignored (|url-status= suggested) (help)
  5. ^ "F-Droid Server Manual".
  6. ^ "Commits by year and month of F-Droid data reported by gitstats". 2017. Retrieved 19 July 2017.
  7. ^ "F-Droid initial source code". F-Droid. 19 October 2010. Archived from the original on 10 December 2014. Retrieved 2014-12-10. {{cite web}}: Unknown parameter |deadurl= ignored (|url-status= suggested) (help)
  8. ^ a b "F Droid About". Retrieved 28 January 2014.
  9. ^ "FDroid: a free software alternative to Google Market". Replicant Project. 26 November 2010. Retrieved 17 January 2015.
  10. ^ "FDroid". Replicant Wiki.
  11. ^ "Our New F-Droid App Repository". The Guardian Project. 15 March 2012.
  12. ^ Walker-Morgan, Dj (28 February 2012). "FSFE launches "Free Your Android!" campaign". H-online. Retrieved 27 July 2014.
  13. ^ "Liberate Your Device!". Free Software Foundation Europe. Retrieved 27 July 2014.
  14. ^ "GNU-a-Day". GNU Project, Free Software Foundation. Retrieved 23 July 2014. Day 9: Have an Android phone? Install F-Droid, a repository with hundreds of free software apps. {{cite web}}: External link in |quote= (help)
  15. ^ "Copperhead, Guardian Project and F-Droid Partner to Build Open, Verifiably Secure Mobile Ecosystem".
  16. ^ "CopperheadOS wants to bring better security to Android".
  17. ^ "Contribute". Retrieved 29 March 2015.
  18. ^ "Inclusion Policy". 4 April 2014. Retrieved 29 March 2015.
  19. ^ "Android Open Distribution". 31 October 2012. Retrieved 31 October 2012.
  20. ^ "Google Play Developer Distribution Agreement". 31 October 2012. Retrieved 31 October 2012.
  21. ^ "Client 0.76 Released". 14 October 2014. Retrieved 28 March 2015.
  22. ^ Russell Brandom (10 June 2014). "Your survival guide for an internet blackout". The Verge. Retrieved 2 August 2014.
  23. ^ "F-Droid Privileged Extension | F-Droid - Free and Open Source Android App Repository". f-droid.org. Retrieved 19 June 2018.
  24. ^ "org.fdroid.fdroid.privileged.ota_2070 | F-Droid - Free and Open Source Android App Repository". f-droid.org. Retrieved 19 June 2018.
  25. ^ "Release Channels and Signing Keys". 12 August 2014. Retrieved 29 March 2015.
  26. ^ "Security Notice – TextSecure". F-Droid. 23 August 2012.
  27. ^ Moxie Marlinspike (24 August 2012). "SMS Plain text leak via LogCat".
  28. ^ a b "moxie0 commented Feb 12, 2013". 12 February 2013.
  29. ^ "Signing Your Applications". Google.
  30. ^ "Enroll for app signing in the Google Play Console & secure your app using Google's robust security infrastructure". Google.
  31. ^ "Reproducible Builds". F-Droid.

Further reading

External links

Retrieved from "https://en.wikipedia.org/w/index.php?title=F-Droid&oldid=849709598"