submitted 3 days ago* (last edited 3 days ago) by juli@lemmy.world to c/fdroid@lemmy.ml

F-Droid Build Status was updated to 5.6.4 and no one will get this update. Why? Well, the app is now built reproducibly so if you have it installed you need to uninstall it and then reinstall it. (Yes, we wish this switch to be easier to perform, but the UI is not there yet)

[-] monnier@lemmy.ca 11 points 3 days ago

I don't understand why "the app is now built reproducibly" implies "you need to uninstall it and then reinstall". What am I missing?

[-] WhyJiffie@sh.itjust.works 3 points 3 days ago

android uses digital signatures as kind of a security measure. a digital signature is basically supposed to confirm that the apk was actually built by the developer, and most of the files in it were not tampered with.
besides being able to make permissions depend on it, you cannot install an app update that was signed with a different key to what you have already installed, because that basically means you are replacing it with a version that was built by someone else.

all apps are digitally signed. when an app becomes reproducibly built, from that point the app will be built by f-droid with their own digital signature.

also note that since google play has forced all developers to hand over their signing keys, when making app bundle based publishing mandatory, the security of this signature has been.. less useful

[-] kosmoz@lemm.ee 3 points 3 days ago

> […], from that point the app will be built by f-droid with their own digital signature.

This part of your comment is not quite true. One of the advantages of reproducible builds is that the app can be signed by the developer but fdroid can still verify that it has been built from the correct source code. You can check out the documentation here: https://f-droid.org/docs/Reproducible_Builds/

[-] WhyJiffie@sh.itjust.works 1 points 2 days ago

you're right, thanks for letting me know

> This means that F-Droid can verify that an app is 100% free software while still using the original developer’s APK signatures.

then I don't understand it either why it can't be updated directly

[-] mp3@lemmy.ca 1 points 1 day ago

Because there will be a signature mismatch. Apps built by F-Droid will use the F-Droid signature, reproducible apps will use the dev signature.

[-] kosmoz@lemm.ee 1 points 2 days ago

If an app doesn't support reproducible builds, the version you can download from F-Droid was built and signed by F-Droid, not by the dev
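
The two checks discussed in the comments above, as an added example that is not part of the original thread or F-Droid's own code: a rebuild can match the developer's APK once signature files are set aside, while the update rule still rejects it because the signer changed. It is a simplified model, and the entry names, certificate bytes and helper names are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

# Simplified model: only v1 (JAR-style) signature entries under META-INF/ are
# considered; the APK Signing Block used by newer schemes is not modelled.
CERT_SUFFIXES = (".RSA", ".DSA", ".EC")

def is_signature_entry(name):
    return name.startswith("META-INF/") and (
        name.endswith(CERT_SUFFIXES + (".SF",)) or name == "META-INF/MANIFEST.MF")

def make_apk(files):
    """Build a constructed in-memory APK (a zip) from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in sorted(files):
            z.writestr(name, files[name])
    return buf.getvalue()

def content_digests(apk):
    """SHA-256 of every entry except the signature files."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest()
                for n in z.namelist() if not is_signature_entry(n)}

def signer_id(apk):
    """Digest of the signer block, or None for an unsigned APK."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        blocks = sorted(n for n in z.namelist()
                        if n.startswith("META-INF/") and n.endswith(CERT_SUFFIXES))
        return hashlib.sha256(z.read(blocks[0])).hexdigest() if blocks else None

def reproduces(own_build, published_apk):
    """Reproducible-build check: same content once signatures are set aside."""
    return content_digests(own_build) == content_digests(published_apk)

def update_allowed(installed, update):
    """Update rule from the thread: the signer must match the installed app."""
    return signer_id(installed) is not None and signer_id(installed) == signer_id(update)

# Constructed sample data; the .RSA bytes are placeholders standing in for certificates.
OLD = {"AndroidManifest.xml": b"old-manifest", "classes.dex": b"old-code"}
NEW = {"AndroidManifest.xml": b"manifest-5.6.4", "classes.dex": b"code-5.6.4"}
FDROID_SIG = {"META-INF/FDROID.RSA": b"constructed-fdroid-cert"}
DEV_SIG = {"META-INF/DEV.RSA": b"constructed-dev-cert"}
installed_old = make_apk({**OLD, **FDROID_SIG})   # built and signed by F-Droid
dev_new = make_apk({**NEW, **DEV_SIG})            # developer-signed release
fdroid_rebuild = make_apk(NEW)                    # F-Droid's own unsigned rebuild
```

Here `reproduces(fdroid_rebuild, dev_new)` holds while `update_allowed(installed_old, dev_new)` does not, which is the uninstall-and-reinstall situation the post describes.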

[-] sabreW4K3@lazysoci.al 2 points 3 days ago

Have there been any previous apps we need to install and uninstall?

[-] WhyJiffie@sh.itjust.works 2 points 3 days ago

I think the fdroid app will let you know if you need to do so when you try to update the app manually

[-] user@lemmy.one 0 points 3 days ago

Why should I care to install another app? Fdroid updates apps if needed.

[-] zippythezigzag@lemm.ee 7 points 3 days ago* (last edited 3 days ago)

The update is for f-droid itself. It won't auto update itself to the new version.

Edit: ignore this. I was confused

[-] duckweed@lemmy.world 8 points 3 days ago

If I read it correctly the uninstall/install part is for the F-Droid Build Status App and not for F-Droid itself.

[-] zippythezigzag@lemm.ee 3 points 3 days ago

Ahh. I misunderstood.

this post was submitted on 27 Sep 2024
43 points (100.0% liked)
