LWN: Comments on "F-Droid: Our build and release infrastructure, and upcoming updates"
https://lwn.net/Articles/896240/

This is a special feed containing comments posted to the individual LWN article titled "F-Droid: Our build and release infrastructure, and upcoming updates". Feed retrieved Fri, 03 Oct 2025 21:47:40 +0000 (lwn@lwn.net).

mathstuf, Wed, 01 Jun 2022 16:38:18 +0000
https://lwn.net/Articles/896827/

I think I've seen a few apps "migrate" keys with an explicit opt-in. The F-Droid maintainers may have a path to use here (though save data may be lost, so an export/import option may be warranted).

agateau, Wed, 01 Jun 2022 16:20:38 +0000
https://lwn.net/Articles/896826/

Oh, nice! I didn't know about this.

I guess it would not be a good idea to apply it to apps which have already been published using the F-Droid key, though, since existing users would not be able to update.

mathstuf, Tue, 31 May 2022 13:15:40 +0000
https://lwn.net/Articles/896683/

Ah, they *support* using developer signatures (they don't get your key). Basically, they can take your source and your signature, and if they can reproduce the same binary, apply your signature to the application.

https://f-droid.org/docs/Reproducible_Builds/

agateau, Tue, 31 May 2022 09:50:34 +0000
https://lwn.net/Articles/896678/

I don't think F-Droid reuses the developer's signing key. They sign all builds with their own key.

I have one game hosted on F-Droid and I am sure F-Droid does not have my signing key.

This is why when you try to switch from a Google Play version (signed with the developer key) to an F-Droid version (signed with the F-Droid key) or the other way around, Android warns you and the new version cannot access data stored by the old version.

mathstuf, Mon, 30 May 2022 11:39:42 +0000
https://lwn.net/Articles/896585/

> F-Droid, on the other hand, rebuilds all applications from source, so the apk is not the same.

AFAIK, F-Droid prefers Reproducible Builds. This allows them to build the source on their hardware yet reuse the developer's signing key.

agateau, Mon, 30 May 2022 09:10:22 +0000
https://lwn.net/Articles/896578/

> What is it that Google dislikes so much about F-Droid, but finds OK about binary releases on GitHub?

Google Play distributes apks built and signed by developers (for now), so it is highly probable that the apk of the GitHub binary release is the exact same binary as the one served by Google Play.

F-Droid, on the other hand, rebuilds all applications from source, so the apk is not the same.

dtlin, Sun, 29 May 2022 05:58:55 +0000
https://lwn.net/Articles/896550/

You may have multiple configurations - for example, changing which APIs the key is allowed to be used with - in different app versions, with the same app signature.

intelfx, Sun, 29 May 2022 04:41:23 +0000
https://lwn.net/Articles/896548/

Why is the whole secret thing needed then, if we (we == Google Play Services) trust the package signature check? Can't we just authenticate the application via this check?

floppus, Fri, 27 May 2022 16:45:36 +0000
https://lwn.net/Articles/896492/

Interesting. Does microG allow bypassing that?

dtlin, Thu, 26 May 2022 18:06:56 +0000
https://lwn.net/Articles/896387/

Authorizing to Google services from an Android app is mediated by Google Play Services, which checks that the package signature matches what was registered with Google. So extracting the "secret" from the app gives you nothing of use.

brunowolff, Thu, 26 May 2022 14:28:56 +0000
https://lwn.net/Articles/896354/

Except on really locked down systems this is fake security. Since the key is in the app and not something tamper resistant like a TPM, and running on a machine the user controls, the key can be extracted.

Microsoft does some other fake security with their OAuth stuff. They only let you log in via their web (not REST) interface to keep you from using stored credentials. (One might want to do that to retrieve email automatically and not have to manually reauthenticate when the system periodically breaks when you can no longer refresh your token.) Because their login page is needlessly a javascript mess, logging in automatically is hard, but it is in theory doable. I haven't been motivated enough to actually do it, but I have been motivated enough to look around to see what tools exist that might help in doing that.

mathstuf, Thu, 26 May 2022 10:49:49 +0000
https://lwn.net/Articles/896301/

For the user, no. But it does give service providers a lot more control over what (kinds of) clients are allowed to use their services. *They* love it.

As a user, I like the *idea* of being able to give specific apps access to specific facets of my account instead of free-for-all credentials, but it is needlessly difficult to do it for FOSS apps (e.g., registering as a developer and generating my own key). But I don't think it's worth not being able to use better apps for it.

bartoc, Wed, 25 May 2022 21:17:53 +0000
https://lwn.net/Articles/896270/

I absolutely despise the whole client secret situation in OAuth; it's often just pointless theatre and secures nothing.

randomguy3, Wed, 25 May 2022 20:32:26 +0000
https://lwn.net/Articles/896269/

My assumption for OAuth is that it's related to the client secret (a secret token that identifies the client, allowing servers to reject connections from clients they don't trust even if the user credentials check out) - it's one thing for the app author to hold it and embed it into their builds, but another for it to be used in public build infrastructure like F-Droid's.

callegar, Wed, 25 May 2022 20:28:45 +0000
https://lwn.net/Articles/896268/

I have been happily using F-Droid for a long time now. I still have a question that remained unanswered about it, so if someone could shed some light on the matter, I would be grateful.

Apparently Google prevents apps delivered via F-Droid from using some services. For instance, FairEmail is generally capable of doing OAuth, but not in the F-Droid build. I was expecting Google to favor versions delivered via its store. Yet, the same apps obtained from other sources different from the Play Store are fully capable. For instance, the GitHub binaries of FairEmail can do OAuth.

Indeed, the FairEmail page on F-Droid states "OAuth was not approved by Google for the F-Droid build. For this you'll need to use the Play store version *or the GitHub release*."

What is it that Google dislikes so much about F-Droid, but finds OK about binary releases on GitHub?