Heads up to all users: with the recent attack on @matrix' infrastructure, it's possible that Riot's Google Play version got compromised. This doesn't affect Riot's F-Droid version. Just as Riot started to do now, F-Droid has always signed all its apps on an inaccessible, offline machine. For more information, see riot.im/reinstall

To avoid maintenance overhead, however, it's likely to happen that F-Droid users must also change the app in near future. Still, there's no need to act now.

@fdroidorg How do you decide what to sign? Do you manually vet all APKs you sign? If not, wouldn't your offline signature just act as transport security for your store - but be rather useless in preventing a malicious APK being supplied with correct credentials?

@robin @fdroidorg only signs what it has built itself from the source code. And yes, signing is a manual step here. But that doesn't prevent your going to fishysite.com and load some malicious APK of some (other) app, no 😉

@IzzyOnDroid @fdroidorg ah, i didn't know fdroid builds the packages themself - that's good to know
Follow

@robin that's one of the core features! We only allow apps that are fully open source (i.e. no proprietary components), so we can build them from the source and you (the users) know "what's inside". This also means everone can review the code and deduce from that to the APK. And a potential security audit would also tell how secure the app you install is. No trackers in the code = no trackers in the app, etc.pp.

Sign in to participate in the conversation
Mastodon for Tech Folks

This Mastodon instance is for people interested in technology. Discussions aren't limited to technology, because tech folks shouldn't be limited to technology either! We adhere to an adapted version of the TootCat Code of Conduct and follow the Toot Café list of blocked instances. Ash is the admin and is supported by Fuzzface, Brian!, and Daniel Glus as moderators. Hosting costs are largely covered by our generous supporters on Patreon – thanks for all the help!