
F-Droid?


Posted Aug 27, 2025 4:45 UTC (Wed) by hmanning77 (subscriber, #160992)
In reply to: F-Droid? by smurf
Parent article: New restrictions on Android app sideloading

Unfortunately "register your package names" is listed in the "how it works" page linked on the blog post. How F-Droid will make that work is probably not considered at all yet. Hopefully the developer dashboard will have an API endpoint to automate that task.

It also raises the question about publishing at multiple sources. FairEmail, for example, is published on Google Play, F-Droid, and directly on GitHub. I wonder whether the same package name can be registered against both F-Droid's certificate and the original author's certificate?



F-Droid?

Posted Aug 27, 2025 8:24 UTC (Wed) by smurf (subscriber, #17840)

Probably not. Given the fact that many apps are going to be somewhat different anyway (e.g. Firebase vs. whatever) I don't see that as too much of a problem.

F-Droid?

Posted Sep 1, 2025 22:20 UTC (Mon) by GNUtoo (guest, #61279)

There is also another problem.

I've looked a bit and as I understand you're supposed to sign a (potentially bogus) APK with your private key. Then you can tie the key to the application.

Now, as I understand, F-Droid builds applications offline so it could still sign APKs to prove their ownership of the key, and maybe it would be possible for them to register many application names.

But the original application authors might also want to claim the exact same name with a different key.

And since neither the original author nor F-Droid would have each other's keys, I'm unsure how this would work if cases like F-Droid are not taken into consideration.

A possible solution would be to simply enable F-Droid to publish any package.

Individuals might also be affected by this: you may not be able to easily just rebuild (and potentially modify) someone else's application and simply publish it on some website without changing the name unless you build the application in a reproducible way and just somehow attach the original owner's signature (I'm unsure if this is possible but I don't see why it shouldn't).

Though here it might be a good practice to do that anyway, since the application's settings/data are tied to the application name and the signing key, and as an individual you probably don't have a huge number of existing applications that use the exact same name as the same application published by the original author / F-Droid.

F-Droid?

Posted Sep 2, 2025 8:01 UTC (Tue) by smurf (subscriber, #17840)

> A possible solution would be to simply enable F-Droid to publish any package.

"Simply" isn't so simple here. If that were possible I could replace my banking app with one of the same name from F-Droid, which would enable me to extract my login data or whatever, which shouldn't be possible without root. Well, if you already have root you don't need all these shenanigans anyway.

Alternately if replacing the app with a differently-signed one destroys the data, then you could just as well deploy the new app under a different name and avoid all that hassle.

