Hacker News

> reproducible build available at F-Droid

It's not available at F-Droid. They have an F-Droid compatible repository that you can manually add to your F-Droid client where they ship binaries.

I also can't find any mention of reproducible builds on their website, and their builds seem to include proprietary binaries.

The issue [0] to publish the app on F-Droid is still open.

0: https://github.com/oxen-io/session-android/issues/73



Indeed, from reading that issue, it appears their app cannot be bundled for the official F-Droid repository because it uses Google Play Services for notifications.

The ticket also mentions spyware like Crashlytics and Firebase analytics, which according to Exodus Privacy [0] have been removed in version 1.2.3 (good): https://reports.exodus-privacy.eu.org/en/reports/search/netw...

I understand why some apps need to distribute updates outside of the f-droid.org repo because it's too slow to vet/build updates: for example, NewPipe needs to update as quickly as YouTube breaks 3rd party clients, and F-Droid's update vetting process takes too much time for that. But I don't understand why an app like Session would set up their own repo and not try to push to the f-droid.org repo without the Google trash. [1]

At least, they're not actively trying to shut down libre forks (with spyware removed) like Signal did to LibreSignal years ago, that's already a very good point for them!

[0] Exodus Privacy is pretty cool. It uses static analysis to find known trackers/malware in Android APKs, and is developed by a French non-profit. If you don't use only F-Droid apps, you should definitely use Exodus Privacy to know what kind of crapware you're setting up. (Spoiler alert: >90% of Google Play Store is malware).

[1] The argument in the ticket is about the notification system, because some Android (and iOS!) phones have energy policies preventing most background connections (unless privileged like for Apple/Google notification servers). That is not a problem on a device you own (e.g. Replicant/Lineage) but is definitely a problem on CrapDroids (like Samsung and Huawei, I believe) and on all iPhones, and this produces a situation where users will miss notifications until the phone goes out of sleep and will blame the app for that, while their OS is responsible for the loss. One of the many shameful consequences of letting evil corporations control our computing devices, that leads to further centralization of all network activities.


F-Droid delay is only like a day.


Is it now? It used to be more like 1-2 weeks. Have there been major changes in infrastructure or policy to explain the change?



