!tmtdNXNOELtQdFnsiF:matrix.org

App Manager | Chat

222 Members
Official room for App Manager. Read community guidelines here: https://gist.github.com/MuntashirAkon/ee30789d2d3db2f97402baa60d89e04d
18 Servers

30 Apr 2024
@tsuame:mozilla.org 永雏糖肥 *
Oh, thanks. I am so sorry for raising the same issue. (But it shows this feature is needed by more than one)
11:53:30
@muntashir:matrix.org Muntashir Akon
In reply to @tsuame:mozilla.org
Wireless debugging mode using pairing code cannot be completed in ROMs without freeform windows mode that can be displayed in Settings (of course includes Development Options).
App Manager can get the port but the pairing code needs typing manually, but once the focus switches from Settings to others, the pairing code becomes invalid immediately.
Some apps like Shizuku use a notification to solve this problem, like these screenshots below. Can App Manager add this feature in the future? Thanks
The feature is already in beta.
14:35:40
5 May 2024
@muntashir:matrix.org Muntashir Akon

⚠️ Important.
From now on, if you want to contact me via email, please send it to am4android [at] riseup [dot] net. This shall be enforced with the release of the next stable release, which means that any attempt to contact me via any other email addresses will be ignored and may be reported as spam. Also, due to a high volume of emails of late, I may not be able to reply to all of them, especially the ones that do not contain any helpful info such as crash reports or the steps to reproduce the issue. If you're blocked on GitHub for your misconduct, chances are your messages will be filtered in my email client as well. This is a part of the ongoing measure to ensure the safety and longevity of my projects by blocking anybody who tries to harm the projects by any means. It should also be noted that only official sources should be used to download the applications. Third-party sources may provide modified versions of the applications which may contain malware.

Third-party app stores should also take note of my message and take necessary actions to update the email address.

17:16:47
28 May 2024
@ss-:matrix.org Incognito
hello
15:36:31
29 May 2024
@sennin78:matrix.org ☘Eknom☘
Even though I never really used the word updates anywhere nor was I implying this would be the purpose to use Obtainium, but rather to simply obtain apps, I do still appreciate the insights. I understand that F-Droid has a method to maintain a safer approach to verifying and testing apps, ensuring they meet specific criteria before being signed and by providing an F-Droid signed apk, however there are many people who simply cannot trust this process and there is currently no AI that can do a full security audit yet. For this reason it is still justifiable that people do not fully trust the method of signing apks used by F-Droid (not that I myself am one of those people, I have been using F-Droid for many years) and for those people giving them an option to download an unmodified apk directly downloadable through GitHub (the sourciest of source) can be beneficial and help more people make the transition to open source apps.
23:08:08
30 May 2024
@shuvashish76:matrix.org § *

still justifiable that people do not fully trust the method of signing apks used by F-Droid

There is no point in trusting the apk files from GitHub either. On what basis would you trust them? You never know 1. if some parts are proprietary (F-Droid builds them, now supports reproducible builds), 2. by using Obtainium you never verified them using VirusTotal or Pithus as it has no built-in mechanism for it (AM has a built-in option for both Pithus & VT), 3. never checked what permissions they use (izzyrepo checks some of them vs F-Droid at least shows general permissions before you download them).

help more people make the transition to open source apps.

Obtainium is great for personal use but it’s the worst one for general users.
Yes F-Droid has issues but unlike F-Droid, it's wrong to assume downloading from GitHub = all FOSS. Fundamentally there is no difference between a sketchy/pirated site & GitHub (the sourciest of source).

I hope AM will handle this in a better way.

06:52:00
2 Jun 2024
@muntashir:matrix.org Muntashir Akon
I agree with @[§] on this. “Trust” is quite a complicated matter in security and privacy. When you install an app from GitHub, you trust the person who released the app along with the signer installed in your browser or device that verified GitHub’s certificate. For F-Droid repo, you also trust F-Droid. Although F-Droid says that the app supplied by them is guaranteed to be reproduced from the source they supplied with it. But I don’t know if they actually verify this. It’s possible to use external sources in a way that doesn’t ensure such reproducible builds.
14:59:52
5 Jun 2024
@LjL:matrix.org LjL
In reply to @muntashir:matrix.org
For the main, official F-Droid repository, it's "verified" in that we definitely build from the source that is also provided as a tarball on f-droid.org, but of course it's still a matter of trust because you have to take F-Droid's word on that... unless the app features reproducible builds, in which case it's externally verifiable, but in that case it's signed with the original signature (not F-Droid's) as well.
You're right also that the F-Droid app allows adding arbitrary third-party repos and F-Droid as an organization has no control or oversight on those. It's an open ecosystem and guarantees are only made about the official repository.
19:43:00
7 Jun 2024
@muntashir:matrix.org Muntashir Akon
In reply to @LjL:matrix.org
Yes, I was specifically talking about the former. Providing a binary along with its source doesn’t guarantee reproducibility. It must be independent of time and network connection which isn’t possible in most cases. F-Droid should make a rule to guarantee reproducibility or mark them as untrustworthy. This way we can also sufficiently trust builds signed by F-Droid itself. I would also suggest assisting developers with signature rotation or providing end users with options to check the reproducibility in case the former isn’t possible.
20:18:30
@LjL:matrix.org LjL
Muntashir Akon: a small percentage of apps actually has a reproducible build recipe, F-Droid can't possibly lose the vast majority of its apps... and neither does it have the resources to help all developers with it, it barely does to keep the existing recipes up to date :(
20:22:15
8 Jun 2024
@shuvashish76:matrix.org §
Official client should show which versions are reproducible builds. Currently there is no way to distinguish between FD signed builds vs reproducible builds. FD definitely has the resources to improve the client in a better way.

BTW LjL what's your position at FD? social platforms moderation? 
05:02:17
@LjL:matrix.org LjL
In reply to @shuvashish76:matrix.org
I agree with that, client development has seemed too slow to me and there's sometimes been an amount of resistance to changes
15:48:04
@LjL:matrix.org LjL
In reply to @shuvashish76:matrix.org
Yes, just moderator on Matrix and IRC and I run a bot that posts repository updates
15:48:27
14 Jun 2024
@noobzhang:flytothe.top noobzhang
08:29:18
21 Jun 2024
@teardrops12:matrix.org teardrops12
477.png
22:12:25
@teardrops12:matrix.org teardrops12
476.png
22:12:27

Room Version: 10