@fdroidorg For context: https://github.com/mastodo...

@fdroidorg For context: https://github.com/mastodon/mastodon-android/issues/539

tl;dr: Mastodon added an in-app updater that would move users from the F-Droid version to the GitHub version and was unwilling to provide an .apk file for a version with the updater either disabled or with a note added explaining users that if they used it they would start getting their updates from them directly instead of from F-Droid. And without an .apk file from the developers to compare to, reproducible builds are simply not possible.

Like 8 May 2023 at 17:48 | Wall-to-wall | Open on chaos.social

12 comments

CEO of Anti-Clock Society

@SylvieLorxu @fdroidorg wtf

8 May 2023 at 18:05 | Open on floss.social

luna

@SylvieLorxu @fdroidorg FUCK IT, time to continue working on that old fork of mine

8 May 2023 at 18:07 | Open on tech.lgbt

Samantaz Fox

@SylvieLorxu @fdroidorg how on earth Android apps can come with auto-updaters in the first place?!
I don't think Google would allow that either...

8 May 2023 at 18:08 | Open on infosec.exchange

Sylvia

@SamantazFox @fdroidorg in F-Droid reproducible builds the developers provide an .apk file and F-Droid builds an .apk file from the source code and they get compared.

If they match, the .apk file from the developer is used.

One side effect is that in-app updaters because possible. F-Droid has decided that in-app updaters are okay as long as they're opt-in and clearly explain to the user they're changing their primary source of trust.

For more details, see https://f-droid.org/en/2023/01/15/towards-a-reproducible-fdroid.html

@SamantazFox @fdroidorg in F-Droid reproducible builds the developers provide an .apk file and F-Droid builds an .apk file from the source code and they get compared.

If they match, the .apk file from the developer is used.

Expand text...

8 May 2023 at 18:10 | Open on chaos.social

Sylvia

@SamantazFox @fdroidorg But you're right that Google doesn't allow this.

The official Mastodon app actually has a special flavour for Google without in-app updater, but the Mastodon team was unwilling to provide .apk files for it (stating that it was too much work to supply that on top of the .aab they build for Google).

And thus, F-Droid was left without an .apk file that was compliant with F-Droid policy. And after a lot of difficulty it was decided to drop reproducible builds, sadly.

8 May 2023 at 18:12 | Open on chaos.social

Samantaz Fox

@SylvieLorxu @fdroidorg
That sucks :/
Thanks for the detailed answer, though ^^

8 May 2023 at 18:23 | Open on infosec.exchange

always tired (moved to chaos)

@SylvieLorxu @SamantazFox @fdroidorg I don't like that. In app updates in more and more apps means yet more redundant code bloat. Let dedicated package managers / app stores do what they're there for

8 May 2023 at 22:55 | Open on wandering.shop

Adam Honse

@project1enigma @SylvieLorxu @SamantazFox @fdroidorg Seriously, in-app updaters are stupid. Let the package manager do its job. Built-in updaters is the shitty outdated Windows way of doing things. If I download a version from your website I want it to stay that way, otherwise I would've downloaded it from a repository with a package manager.