Good news, the @protonmail android app is now available on F-Droid. (EDIT: through the IzzyOnDroid repository)
Is it official? I do not install something like that without official confirmation. (EDIT: It is not endorsed by Proton, it is not official)
@ploum @protonmail I only see the ProtonVPN app on F-Droid. What's the URL for the ProtonMail one?
@aaribaud @ploum @protonmail
Same, I don't see it atm.
@ploum @LenticularCloud @aaribaud @protonmail
The @IzzyOnDroid repo is the Must-Have Repo
It's a bit short especially for an app for protonmail. Why is it a must have?
Through Izzy, apps get to F-Droid faster, plus there's a daily repo update.
@mondstern OK. If it gets faster to FDroid, then no need to hurry, I can wait till the FDroid people add it :) @aaribaud
@sll I'm afraid you might have misunderstood (or I did).
There's F-Droid the repo and F-Droid the app.
@mondstern says that apps get from the Izzy *repository* to the F-Droid *app* on your mobile faster than they do from the F-Droid *repository*.
But because an app is available on the izzy repo does not mean it will ever be on the F-Droid repo.
@aaribaud Well, their APK is close to 0 MB. My repo runs on my personal space and thus has a size limit: 30 MB per app. Which means, their mail app simply does not fit in, or it would be there
@IzzyOnDroid Thanks for chiming in! With such (understandable) size constraints, I imagine you do not rebuild the APKs from source?
@aaribaud No. As the "Readme's" say, my repo serves the APKs built by the developers. Just follow the "details" link at the top of the list. Or go directly to the question you raised via this link:
@IzzyOnDroid Thanks a lot for your answer!
@aaribaud If you miss an app that meets the criteria, just let me know. Ideally by opening an issue at https://gitlab.com/IzzyOnDroid/repo/-/issues/ – but I also accept mails (if you got no GitLab account and don't want to make one) or toots. Remember to include the URL to the app's repo – without that, I cannot do a thing
@ploum @LenticularCloud @aaribaud @protonmail IzzyOnDroid is not F-Droid. When you add a third party repository to F-Droid, you get apps directly from that repository without *any* checks from F-Droid.
Izzy is pretty trustworthy, his repo grabs apps straight from GitHub/GitLab/etc. of the developers, but there are no checks if the .apk file matches the source code in question and apps may contain proprietary code.
But yeah, Proton Mail is not in F-Droid. It is in IzzyOnDroid. Not the same.
@SylvieLorxu @LenticularCloud @aaribaud @protonmail : for something as sensible as Protonmail, it would be interesting to know exactly who has pushed this and how we can trust that person.
@ploum @LenticularCloud @aaribaud @protonmail I mean, if you use the IzzyOnDroid repository you trust @IzzyOnDroid to pull it in from the official source and not do anything weird :)
I personally do trust him a lot and I think he has a well-deserved reputation of trustworthiness after years of running IzzyOnDroid.
For context, his website on https://apt.izzysoft.de/fdroid/index/apk/ch.protonmail.android states the .apk file comes from https://github.com/ProtonMail/proton-mail-android
@SylvieLorxu @ploum @LenticularCloud @protonmail @IzzyOnDroid
For the record: in the risk scenario(s) that I imagined with the "fetch APKs" model, IzzyOnDroid never was the bad actor -- after all, they could not tamper with the APKs they fetch without ruining the cryptographic signatures.
The actual risk scenario would be that a github repo owner build an APK from sources other than those on the repo and upload it to the repo, then have IzzyOnDroid fetch it.
[1/2]
@SylvieLorxu @ploum @LenticularCloud @protonmail @IzzyOnDroid
[2/2] And I am fine with a risk as long as I am aware of it -- then I can decide to either take that risk or take precautions which I think the risk makes necessary.
Apologies if I appeared to distrust IzzyOnDroid.
@aaribaud @SylvieLorxu @ploum @LenticularCloud No offense taken. And I'm always open for improvements – if they are feasible for me to implement. Like that Signature-pinning I added several months ago, see https://f-droid.org/2023/09/03/reproducible-builds-signing-keys-and-binary-repos.html – and a few days ago including the check for debug keys before including new apps. It's all a continuous process…
@aaribaud @SylvieLorxu @ploum @LenticularCloud
"The actual risk scenario would be that a github repo owner build an APK from sources other than those on the repo and upload it to the repo"
That indeed is a real risk as I have no means to check that. There are other checks in place (library scanner, VT etc) which should reduce the risk of "bad stuff" – but a little risk always exists. So you need to trust the developer, too…
@IzzyOnDroid @aaribaud @SylvieLorxu @LenticularCloud : wait a minute… You mean that IzzyOnDroid repository is a one-person-project ?
If that’s the case, good job! Thanks for that, it is really useful.
@ploum it indeed mostly is. The entire framework and all (see https://gitlab.com/IzzyOnDroid/repo/). There were some contributions, and I got some help on questions – but for the most part (95%?) it's just me… Same with the companion site at https://android.izzysoft.de/ and my eBook server at https://ebooks.qumran.org/ (see my profile here). Glad to read you find it helpful! @aaribaud @SylvieLorxu @LenticularCloud
@IzzyOnDroid @aaribaud @SylvieLorxu @LenticularCloud : I’m a bit confused about the F-droid process. Who decides what goes on the F-droid official repository and how do you ensure you don’t duplicate too much with them ?
@ploum @IzzyOnDroid @SylvieLorxu @LenticularCloud
From the respective site, it seems like the submission processes are separate and independent for F-Droid and IzzyOnDroid, and duplication (or its avoidance) is not considered.
@aaribaud It is considered, and kept to a minimum. Currently the overlap is at about 100 apps (out of the 1.1k in my repo, and 4k+ at F-Droid, a small number). Yes, I keep an eye on that
@ploum @aaribaud @SylvieLorxu @LenticularCloud F-Droid has its own inclusion process via its own GitLab repos. I'm one of the maintainers there, too, so I get an idea what ends up there. And my framework also includes a "duplicate checker": once an app from my repo appears at F-Droid, I usually remove it from mine (unless the author explicitly asks me to keep it). In the other direction, I usually do not include apps already at F-Droid, with very few exceptions (e.g. updates stuck there).
@IzzyOnDroid @aaribaud @SylvieLorxu @LenticularCloud : so your repository is a kind of an "experimental" one? With the ultimate goal of having everything on F-Droid?
How could an update be stuck on F-Droid if you can update it on your repo and are also a maintainer of F-Droid?
(might be silly questions, sorry for that, trying to learn)
@ploum @aaribaud @SylvieLorxu @LenticularCloud experimental: not really. My inclusion criteria are a little less strict, so I can cover apps F-Droid can't. And give devs a chance to "step up". So far almost 500 apps started in my repo have moved on to F-Droid exclusively.
And updates can get stuck if builds fail, e.g. because of technical problems with the code/build. Most of those fails are fixed quickly, but not all can. Eg a minor non-free component is not allowed at F-Droid but maybe here.
Hey @IzzyOnDroid
Great job, as I learn IzzyOnDroid is a one-man band !!!
I knew about this repo but never tried it.
After seeing this thread, very masto-like (open-minded, respectful and constructive), I'll add it to FDroid and give it a try !
Cheers!
@IzzyOnDroid @aaribaud @SylvieLorxu @LenticularCloud : if you ever open a French library, ping me! I will send you my own books.
@ploum Sorry, I'm afraid I cannot cover that. I've already enough at my hands – and unfortunately need to work for a living, too. No such thing as an "unconditional basic income" yet that would allow me to spend even more time at such volunteer/hobby projects…
@IzzyOnDroid : of course! Thanks a lot for your work and your time explaining it.
(BTW, your @Liberapay account is not configured to accept donations)
@ploum Yeah, @Liberapay currently does not offer a "payout" option I could use. When I set up my account there, it was still possible to withdraw via SEPA transfer – but their payment provider for that stupidly kicked them out (for reasons that would also apply to Flattr, which they to my knowledge still support). I still hope one day SEPA will be possible again. Until then, please see https://android.izzysoft.de/help?topic=support_us for alternative options. Thanks a lot for considering!
@ploum @aaribaud @SylvieLorxu @LenticularCloud Going to see if I can add some apps. Hey, Filty, what did you catch today from Github, GitLab, Codeberg?
@IzzyOnDroid @aaribaud @SylvieLorxu @LenticularCloud : I’m myself waiting for Proton calendar, Signal, a MessagEase-like keyboard and a good Belgian railway timetable app.
But I still need to keep Aurora store anyway for those banking apps and for my bike GPS (Wahoo + Komoot) and my sport watch (Garmin).
@SylvieLorxu @LenticularCloud @aaribaud @protonmail : Thanks. Proton confirmed on Reddit that this is unofficial.