• AmbiguousProps@lemmy.todayEnglish
    13·
    14 hours ago

    The new repo has two releases in it now. These releases are not signed with the original key as far as I can tell. Further, GitHub is silently redirecting to the new repo, even in Obtainium, meaning it’s possible that if you had this previously installed via Obtainium and updated now, you may have unsigned apks installed that may or may not contain the changes in the repo.

    This is a mess. I deleted the repo from Obtainium (luckily I don’t auto install updates) and will wait to see what happens over the next few months. Might just save my notes in a network share instead of using syncthing from my phone. Idk, notes are all that I was using it for.

    • pulsewidth@lemmy.worldEnglish
      7·
      2 hours ago

      Sounds like a really good reason not to use Obtainium, if any repo you have tracked for updates can just redirect you to a completely different repo If they have the keys - and throw no complaints when updating to an entirely different apk.

      With F-Droid they at least have to have the same signing keys, and the code is built by F-droid from source - meaning the code for the supplied APK always matches the code on the repository for the build. Whereas Obtainium will just offer you any APK the dev releases on their GitHub/Gitlab/etc, this places much higher trust on the dev.

      Edit:
      my bad, I wrote earlier that all F-droid builds are reproducable. But that’s not accurate F-droid does not enforce that all builds must be reproducible. They have been helping devs with the tools and assistance to do so since 2015, and all the apps that I use I’d checked in the past and are all using reproducable builds, so I wrongly presumed it was mandatory now. Eg, Syncthing-Fork from Catfriend has had all builds reproducible since v2: https://verification.f-droid.org/packages/com.github.catfriend1.syncthingfork/