this post was submitted on 16 Mar 2024
107 points (95.0% liked)

F-Droid

8069 readers
32 users here now

F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

Website | GitLab | Mastodon

Matrix space | forum | IRC

founded 3 years ago
MODERATORS
 

That's it. Would you recommended any other repository?

top 49 comments
sorted by: hot top controversial new old
[–] otter@lemmy.ca 27 points 7 months ago (1 children)

I keep it simple so I can confidently download the apps.

I can't keep track of which repos are safe, and we've seen posts on here from people getting sketchy apps from a repo they added.

I'm sure there are other safe repos, and I'm willing to add one if people recommend an app that requires it, but I'll probably remove it afterwards.

[–] pipes@sh.itjust.works 13 points 7 months ago (1 children)

This is a good approach. I would not even use Izzy's repo shown by OP (at least not on a daily driver device - great for testing newer apps I'm sure) because I don't see it as advantageous to get updates so quickly or access to apps that are not yet (or will never be) fully open source.

Basically I see most of the value of F-Droid in their build server and official repo. So I only add repos with a very short list of apps, like microg and KDE.

I can always install the odd apk manually, or use Aurora store (preferably in the work profile)

[–] billgamesh@lemmy.ml 4 points 7 months ago (1 children)

Yeah. F-droid's defaults for me have always worked well, and if I want a specific app to be up to date, I'll download it right from the devs (Shattered Pixel)

[–] Fisch@discuss.tchncs.de 3 points 7 months ago (1 children)

But the IzzyOnDroid repo is getting the apps right from the devs too, no?

[–] billgamesh@lemmy.ml 2 points 7 months ago

Idk. I'm not against izzy, just don't want to have to check which repo an app is in browsing fdroid

[–] abeorch@lemmy.ml 22 points 7 months ago

Wow thanks for this post. Today I learned about Fdroid Repos. (Feeling sheepishly stupid but slight more informed now.)

[–] pipes@sh.itjust.works 12 points 7 months ago

I like Kde Itinerary for traveling so I add the Kde Android repo

[–] fraksken@infosec.pub 12 points 7 months ago (1 children)

I installed droid-ify, an alternative front-end for F-Droid, it comes with a whole bunch of repo's by default.

[–] BeatTakeshi@lemmy.world 9 points 7 months ago* (last edited 7 months ago)

Droid-ify has a lot more by default (but unticked). You can have a look and see what you could use. I use cromite and mulch as navigators, and you can find them there (cromite repo and divestOS repo)

[–] possiblylinux127@lemmy.zip 8 points 7 months ago (1 children)

I wouldn't personally even use IzzyonDroid. The only other F-droid repo I use is cromite

[–] lemmyrolinga@lemmy.ml 5 points 7 months ago* (last edited 7 months ago) (2 children)

Why not? Not reliable? Not safe? I'm re-learning (stuff got obsolete since last time I was interested)

[–] possiblylinux127@lemmy.zip 5 points 7 months ago (1 children)

Izzyondroid isn't as strict when it comes to the software they package

[–] lemmyrolinga@lemmy.ml 4 points 7 months ago (1 children)

Good to know. Added it because I read it had some extra apps. I'm trying new stuff

[–] possiblylinux127@lemmy.zip 7 points 7 months ago (1 children)

And that is a fair answer. My long term concern is that developers will start taking the easy route more and more instead of adhering to F-Droid's fairly high standard.

[–] Sentient@sh.itjust.works 6 points 7 months ago* (last edited 7 months ago) (1 children)

Yep some of the big guys aldready do that they add available on fdroid and i get excited and click then it brings me to izzy and i get dissapointed.

[–] possiblylinux127@lemmy.zip 1 points 7 months ago (1 children)
[–] Sentient@sh.itjust.works 3 points 7 months ago

Like they advertise their app as being on fdroid but when you click the link its izzy

[–] donio@lemmy.world 3 points 7 months ago

Not OP but my answer to this is that I only add sources that I know I need to make sure I understand where everything comes from and to keep that attack surface lower.

[–] ludrol@bookwormstory.social 7 points 7 months ago (1 children)
[–] moitoi@feddit.de 4 points 7 months ago (1 children)

I prefer Tubular to Newpipe. This version of newpipe has Sponsorblock.

[–] Vega@feddit.it 3 points 7 months ago (3 children)

I'm conflicted about sponsorblock, I usually hate youtuber sponsor (since those are usually scam) but I don't know if there is a more ethical way to earn money from ads, since donations aren't usually enough

[–] ludrol@bookwormstory.social 2 points 7 months ago (1 children)

At least they aren't targered with my personal data.

[–] Vega@feddit.it 1 points 7 months ago
[–] moitoi@feddit.de 1 points 7 months ago

It's a valid argument. I don't have the energy to let cognitive time for this.

[–] lemmyrolinga@lemmy.ml 1 points 7 months ago

Maybe because I'm old enough to remember TV before streaming, I'm not so bothered by a 30 seconds add inside a video. And knowing who sponsors a content creator also gives a bit of context about their possible bias.

[–] Rikj000@discuss.tchncs.de 7 points 7 months ago (1 children)

I like to add as many repos as I can.
The more apps in F-Droid,
the less reason to go to GooglePlay :)

Here is a list with all repo's I've got imported:

I usually keep the Archive variants disabled,
but they're nice to keep around,
for if you ever need an old version of an app.

Also,
most of these I've found through Droid-Ify,
it's my favorite app to manage my F-Droid apps: https://f-droid.org/packages/com.looker.droidify/

[–] michael_palmer@lemmy.sdf.org 3 points 7 months ago* (last edited 7 months ago)

Bromite is unmaintained. Use Mulch instead. You can find it in DivestOS repos. Also there is another browser called Mull (firefox-based).

DivestOS Official: https://divestos.org/apks/official/fdroid/repo

DivestOS Official Archive: https://divestos.org/apks/official/fdroid/archive

[–] digger@lemmy.ca 5 points 7 months ago (1 children)

There are general purpose repos and specific app repos. Those for specific apps might allow you to download apps not found elsewhere or they might just get you the update a little faster.

I have the repos for Collabora and Newpipe enabled on mine for those reasons.

You might also look at Obtanium if you're looking to keep specific apps updated.

[–] lemmyrolinga@lemmy.ml 1 points 7 months ago* (last edited 7 months ago) (1 children)

Is there a real delay on updates? I mean, I'm in an almost 4 year phone with android 10, can't say I run behind the latest stuff

[–] digger@lemmy.ca 2 points 7 months ago

It depends on the app publisher. The official F-Droid repo has Newpipe version 25.2, which was added August 10, 2023. The Newpipe upstream repo has version 26.1, added December 27, 2023.

[–] loki@lemmy.ml 5 points 7 months ago* (last edited 7 months ago) (1 children)

Futo repo for Futo Voice Input App. Totally free open-source offline speech to text engine. Works better than I expected (for English).

[–] shortwavesurfer@monero.town 1 points 7 months ago

I use this all the time

[–] donio@lemmy.world 3 points 7 months ago* (last edited 7 months ago)

I only add some app-specific repos to get more frequent updates on those. Newpipe and Fedilab in particular.
I know that I could use other tools to install directly from their release images but sticking with F-Droid for now for simplicity.

[–] Vega@feddit.it 1 points 7 months ago (1 children)

Those are what I use 😁. You can check here for some trusted repo https://t.me/fdroid_repos

[–] lemmyrolinga@lemmy.ml 1 points 7 months ago

I know there are a lot, and it's overwhelming.

[–] Moonrise2473@feddit.it 1 points 7 months ago

Newpipe and bitwarden?

[–] pH3ra@lemmy.ml 1 points 7 months ago (1 children)

I have active the DivestOS repo, since I use Mull as my main browser. It has also some other nice privacy focused apps.

https://divestos.org/apks/official/fdroid/repo?fingerprint=e4be8d6abfa4d9d4feef03cdda7ff62a73fd64b75566f6dd4e5e577550be8467

[–] lemmyrolinga@lemmy.ml 1 points 7 months ago (1 children)

I use mull too, so I'll consider it Does fdroid delay the updates too much?

[–] pH3ra@lemmy.ml 2 points 7 months ago (1 children)

I don't know how much the delay for Mull is specifically, but in general it falls in the range between one and two weeks.
And since Mull is already behind Firefox in terms of security updates, I think it's better not to fall too much behind

[–] lemmyrolinga@lemmy.ml 1 points 7 months ago* (last edited 7 months ago)

Good point Added then

I don't think I understand the other apps... It's social media, right? Not really into that

[–] shortwavesurfer@monero.town 0 points 7 months ago* (last edited 7 months ago) (2 children)
[–] Moonrise2473@feddit.it 2 points 7 months ago (1 children)

For a crypto wallet it seems extremely dangerous to use a custom repo. What if one day it pushes an hacked version with the same signature and it takes all the money?

For this use case I'd consider only from fdroid, the only way it can be sure it matches the published source code

[–] shortwavesurfer@monero.town 1 points 7 months ago (1 children)

Those repos are maintained by the developers of the Monero wallet. So, if they were going to do that, they would also be able to push the malware version to the fdroid repo as well, because the signatures would match the developers.

[–] Moonrise2473@feddit.it 2 points 7 months ago (1 children)

The fdroid repository has only apps built by fdroid itself using the published source code, while a private repo could have a binary that doesn't match the source.

It might be a financial incentive for someone to hack the dev, steal their signing keys, silently add a timebomb that at a specific time would send the whole content of the wallet to a specific monero address, replace the apk after a new release is added. Nobody would notice until too late

Difficult hack but not impossible

[–] shortwavesurfer@monero.town 1 points 7 months ago* (last edited 7 months ago)

That is a fair point. The protection of the main fdroid repo is that they build it from source and then compare the binaries to make sure they match if i understand reproduceable builds correctly.

Edit: But if a hacker hacked the developer, wouldn't they just change the source code as well so that they still match? Like if I wanted to hack Monerujo id want to get the git repo if possible along with the repo keys so i could push malicious code to the git repo, build a binary from that malicious code, publish it on the devs fdroid repo and then when fdroid compares the binary to source they match even though they are malicious.

[–] lemmyrolinga@lemmy.ml 1 points 7 months ago

Thanks, I still haven't got into crypo so Monero is not for me but I will study a few of those.

I am redesigning a big part of my digital life these days