CoMaps is now on IzzyOnDroid!
IzzyOnDroid is an Android store for Free & Open Source Software. The apps are free (as in „free beer“ and as in „free speech“) and Open Source.
Builds for IzzyOnDroid are directly from developers and signed by developers. This enables very fast publishing (whereas F-Droid re-builds apps from source).
There are several ways to install and update CoMaps via IzzyOnDroid:
apt.izzysoft.de/fdroid/index/a…
#IzzyOnDroid #FOSS #OpenSource #FreeSoftware #FOSSCommunity #LibreApps
„CoMaps - Hike, Bike, Drive Offline with Privacy“ – IzzyOnDroid F-Droid Repository
Easy map navigation - Discover more of your journey - Powered by the community
IzzyOnDroid Repo Browser
Kerplunk
in reply to CoMaps
Builds for IzzyOnDroid are directly from developers and signed by developers. This enables very fast publishing (whereas F-Droid re-builds apps from source).
So any developer can distribute self-signed malicious apps fast.
Without checks. Wonderful Idea.
F-Droid builds from reviewed source code.
I will stick with F-Droid and recommend others to do the same.
IzzyOnDroid ✅
in reply to Kerplunk
@Kerplunk we'd suggest you read the security section at apt.izzysoft.de/fdroid/index/i… 😉 TL;DR: multiple scans are performed on apps published via #IzzyOnDroid, to make it as safe & secure as can be. In the 10 years of our existence, there hasn't been a single incident of a malicious app. So please, don't spread uninformed misinformation ("without checks" even). Thanks! @CoMaps
PS: IzzyOnDroid also has #reproducibleBuilds to ensure apps were built from the indicated source. Planned for CoMaps as well
Information on IzzyOnDroid's F-Droid compatible repo
IzzyOnDroid App Repo
Hu
in reply to IzzyOnDroid ✅
Kerplunk
in reply to Hu
@ib @IzzyOnDroid
Has your system ever detected anything malicious before?
I was hit by a malicious, verified-by-Play-Store app, so yes, the experience was painful.
The most malicious thing on any Android device is inclusion of GAPPS, the Google tracking and spyware suite.
I have absolutely nothing against the izzysoft way, but I now have a non-Google phone and, after binning a phone that became malicious, am extremely cautious with regard to applications and stores.
IzzyOnDroid ✅
in reply to Kerplunk
@Kerplunk @ib I cannot really tell about "malicious" – but "suspicious", yes. Usually before (or rather instead of) inclusion. We then do not include such an app unless clarified and found "OK". And yes, we avoid proprietary components like GMS. We make few exceptions where it's unavoidable, but then clearly mark the app with the NonFreeComp anti-feature.
And yes, being cautious is essential, so thanks for taking care! We try to assist you there as well as we can, e.g. with full transparency.
NeatNit
in reply to IzzyOnDroid ✅
@IzzyOnDroid @Kerplunk I've wondered for a while, better late than never: if I add the #IzzyOnDroid repo to the F-Droid app, how does the app choose which repo to pull updates from for each app? And in particular for CoMaps?
And are there other F-Droid client apps that handle this better that you'd recommend?
Thanks
IzzyOnDroid ✅
in reply to NeatNit
NeatNit
in reply to IzzyOnDroid ✅
@IzzyOnDroid @Kerplunk Thanks! Perhaps worthy of an article to link to, similar to the security one you linked before. For me this is one of the things I overthink that makes me wary.
For example I have added the repository for Bitwarden, and I'm worried that they can (for example, in theory) add a malicious version of whatever app I'm searching for in the real F-Droid repo with a fake version number that's newer than the real one.
IzzyOnDroid ✅
in reply to NeatNit
Reproducible builds, signing keys, and binary repos | F-Droid - Free and Open Source Android App Repository
f-droid.org
NeatNit
in reply to IzzyOnDroid ✅
IzzyOnDroid ✅
in reply to NeatNit
@neatnit Yupp. App signing is kind of TOFU (Trust On First Use). So check carefully before the first install, then the "signing stuff" protects you against malicious actors providing "updates". It's just one piece of protection, though – there's e.g. always the "supply chain" (e.g. a dependency the app uses could "sneak things in"), which is why we established several additional scans, @CoMaps @Kerplunk
(1/2)
IzzyOnDroid ✅
in reply to IzzyOnDroid ✅
(2/2) For example, our "APK library scanner" finding "unexpected (proprietary) libs" is no rarity. For apps in our repo, in 90% this was unintended and got fixed by the corresponding dev quickly. In the other 10% we were either able to convince the dev to use a FOSS alternative (while updates were stalled here), or (in rare cases) had to remove the app entirely.
@neatnit @Kerplunk
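
The TOFU behaviour discussed in this thread, sketched as an added example (not part of the thread, and not F-Droid's or IzzyOnDroid's code). It is a simplified model of signer pinning: the package name, repo names and certificate bytes are constructed, and key rotation is ignored.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    repo: str           # repository offering this APK
    version_code: int   # version number the repo advertises
    signer_cert: bytes  # signing certificate bytes (constructed placeholders below)

def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

class TofuPins:
    """Remembers the signer seen at first install and checks updates against it."""

    def __init__(self):
        self._pins = {}  # package -> (signer fingerprint, installed version_code)

    def first_install(self, package: str, cand: Candidate) -> None:
        # Trust on first use: nothing to compare against yet, so this is the
        # step where the user has to check the source carefully.
        if package in self._pins:
            raise ValueError(f"{package} is already installed")
        self._pins[package] = (fingerprint(cand.signer_cert), cand.version_code)

    def pick_update(self, package: str, candidates: list):
        pinned, installed = self._pins[package]
        accepted, rejected = [], []
        for c in candidates:
            if fingerprint(c.signer_cert) != pinned:
                rejected.append((c.repo, "signer mismatch"))  # version is irrelevant
            elif c.version_code <= installed:
                rejected.append((c.repo, "not newer"))
            else:
                accepted.append(c)
        best = max(accepted, key=lambda c: c.version_code, default=None)
        if best is not None:
            self._pins[package] = (pinned, best.version_code)
        return best, rejected

def demo():
    dev_cert, other_cert = b"constructed-dev-cert", b"constructed-other-cert"
    pins = TofuPins()
    pins.first_install("org.example.app", Candidate("repo-a", 100, dev_cert))
    offers = [
        Candidate("repo-a", 101, dev_cert),
        Candidate("repo-b", 999, other_cert),  # inflated version, different signer
        Candidate("repo-c", 100, dev_cert),    # same signer, nothing new
    ]
    return pins.pick_update("org.example.app", offers)
```

The pin only protects updates; it says nothing about whether the first-installed build was trustworthy, which is where the repo-side scans mentioned in the thread come in.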