[HN Gopher] Wire is now on F-Droid
___________________________________________________________________
Wire is now on F-Droid
Author : lucgommans
Score : 180 points
Date : 2022-01-28 17:08 UTC (5 hours ago)
(HTM) web link (f-droid.org)
(TXT) w3m dump (f-droid.org)
| nimbius wrote:
| no one came here for politics, this is HN.
|
| real questions for the hackers: how/why does this apk contain
| nonfree assets in a GPL codebase?
|
| https://en.wikipedia.org/wiki/Wire_(software)
|
| Wire's source code is accompanied by the GPLv3 but the readme
| file states that a number of additional restrictions specified by
| the Wire Terms of Use take precedence
|
| the legal stipulations here seem to conflict with GPL3.
| commoner wrote:
| Section 7 of GPLv3 nullifies additional restrictions that are
| attached to the client (with a few exceptions):[1]
|
| > All other non-permissive additional terms are considered
| "further restrictions" within the meaning of section 10. If the
| Program as you received it, or any part of it, contains a
| notice stating that it is governed by this License along with a
| term that is a further restriction, you may remove that term.
| If a license document contains a further restriction but
| permits relicensing or conveying under this License, you may
| add to a covered work material governed by the terms of that
| license document, provided that the further restriction does
| not survive such relicensing or conveying.
|
| For example, all of the following are "further restrictions"
| that are voided by Section 7:[2]
|
| > a. You agree not to change the way the Open Source App
| connects and interacts with our servers; b. You agree not to
| weaken any of the security features of the Open Source App; c.
| You agree not to use our servers to store data for purposes
| other than the intended and original functionality of the Open
| Source App
|
| However, these terms are restated in the Wire Terms of Use.[3]
| Any user who uses the Wire app or a modified derivative of the
| Wire app to breach these Terms of Use while interacting with
| the official Wire server instance is still in danger of
| violating other laws like the Computer Fraud and Abuse Act[4]
| in the U.S., with respect to how the app interacts with the
| server.
|
| [1] https://github.com/wireapp/wire-webapp/blob/dev/LICENSE
|
| [2] https://github.com/wireapp/wire-webapp
|
| [3] https://wire.com/en/legal/terms-of-use-personal/
|
| [4] https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
| vorpalhex wrote:
| Looks promising. Happy to see a diversity in secure messaging
| solutions and app stores.
| vhsdev wrote:
| It's always great to see new software titles land on F-Droid. The
| rub with messengers is that for each new messenger we've further
| fragmented our ability to communicate with one another. Rember
| the telephone? You used to be able to call literally anyone and
| you didn't have to ask which operator they were using.
| TuringTest wrote:
| Matrix.org should be able to function as the telephone exchange
| that connects all communication services, as it is well posed
| to work as a universal connector.
|
| If, at some time in the future, it manages to create a usable
| bridge to connect between two popular private services (say
| Whatsapp and Telegram, or Teams and Slack) it could start
| accumulating network effects, and become a desirable target for
| all other networks so that it is appealing for them to build
| their own bridges to the Matrix services.
| kitkat_new wrote:
| > If, at some time in the future, it manages to create a
| usable bridge to connect between two popular private services
| (say Whatsapp and Telegram, or Teams and Slack) it could
| start accumulating network effects
|
| Well, I think usable bridges for such apps are a thing
| already. See e.g. https://element.io/element-matrix-store and
| https://beeper.com
|
| Problems are:
|
| - it's a subscription based service
|
| - End to end encryption is not active for these services as
| long as you don't run the bridge yourself (which in principle
| is possible as well, see e.g. the description at the website
| of Beeper) which stretches usable a bit...
|
| Both problems would likely be solved if these services would
| provide an API for other messengers and would cooperate on a
| common standard for E2EE like MLS, however the likelihood for
| that ... seems pretty small. 1.
| posterboy wrote:
| Where I'm from, there used to be exactly one opperator.
| sigg3 wrote:
| This is essentially what signal achieves IMO: it's replacements
| for sms, mms, audio with added security (plus video and group
| chat).
|
| Using your telephone number as username the experience is
| transparent and unlike all other messaging apps. I can write
| texts to whomever and if they do have signal, it defaults to
| encrypted coms. It's inclusive by design.
|
| Other services require usernames and email and whatnot, which
| effectively ensures it will not be the default. (I understand
| Apple users cannot change the default messaging app to only use
| Signal, which is a choice in tune with the walled garden and
| exclusive by design.)
| npteljes wrote:
| Signal doesn't achieve this at all. In this regard, they are
| just another messaging service that's not compatible with
| anything and also they are discouraging (to say the least)
| unofficial clients from connecting official servers. They are
| yet another fragment in the already fragmented ecosystem.
|
| What's a step forward in this regard is projects like
| libpurple or Matrix bridges. Whose goal is to make already
| existing networks interconnected.
| stratosmacker wrote:
| I think Element (https://element.io/) is worth looking at for
| anyone who wants something decentralized. Unfortunately I have
| exactly 1 contact who uses it, but that was true of Signal as
| well 8 years ago
| ncmncm wrote:
| Some current problems with Element, and with the Matrix
| protocol in general (there are a bunch of other clients, e.g
| Nheko, Fluffychat) include that you need a "homeserver" to
| store all your messages, and (1) there is no way to migrate to
| another homeserver (I gave up on Matrix after the third one
| went bust), (2) the homeserver has (!) plaintext access to all
| traffic on it, besides all the delicious metadata the spooks
| love and that (e.g.) Signal hands over to them with effusive
| eagerness, (3) there is no concept of identity independent of a
| homeserver, and (4) no effort at all to obscure metadata, who
| you communicate with and when. I don't know of any clients that
| let you manage separate identities at the same time, as many
| mail clients do. (I was running Element and Fluffy to manage
| two accounts, which is stupid. Maybe some do handle multiple
| accounts, now?)
|
| Matrix defines a sort of end-to-end encryption, but the ends
| are homeservers and clients. [Some people are saying not: that
| homeservers don't see plaintext of E2EE traffic.]
|
| There is talk about self-hosting in the client, but I don't
| know if it works yet, or ever will. Lack of encryption-at-rest,
| wherever it is that messages live, seems like a stupendous
| implementation design flaw, and makes me question all the
| project's other choices.
|
| If, in fact, messages are, or can now be, stored securely, I
| would welcome correction. Likewise, if client-side hosting
| works now, or message-store migration, or a stable address
| despite such a migration, or any effort at securing metadata. I
| have not kept up since abandoning Matrix, but still want a
| viable alternative to Signal.
|
| The Matrix protocol is extremely complex and getting more
| complex with great speed as they try to get to feature parity
| with Facebook and Twitter, making it hard to believe one will
| ever be able to trust it, E2EE or no.
|
| Will we need to start all over again? A rigidly layered system,
| with a provably secure basis, probably in a single, sandboxed
| server talked to by all clients and gateways, with services
| built on top, seems needed if we want both security and
| features.
|
| As it is, it seems like clients -- i.e. application services --
| run in the same address space with what should be secure
| message transport, necessarily compromising all security with
| each bug added.
| mintplant wrote:
| > the homeserver has (!) plaintext access to all traffic on
| it, besides all the delicious metadata the spooks love and
| that (e.g.) Signal hands over to them with effusive eagerness
|
| What do you mean? Signal is known for providing minimal
| information when requested by authorities, e.g., [0].
|
| [0] https://signal.org/bigbrother/central-california-grand-
| jury/
| ncmncm wrote:
| Last I checked, it tied every single communication to a
| pair of phone numbers.
| kitkat_new wrote:
| > (1) there is no way to migrate to another homeserver (I
| gave up on Matrix after the third one went bust)
|
| partially true - while there isn't a protocol defined way,
| you can invite your new account to your rooms, import your
| encryption keys and leave the rooms with the old accounts
|
| > (2) the homeserver has (!) plaintext access to all traffic
| on it
|
| hmm, isn't that unavoidable?
|
| > (4) no effort at all to obscure metadata, who you
| communicate with and when.
|
| There is effort on it, e.g. by going P2P and eliminating
| dedicated homeservers
|
| > I don't know of any clients that let you manage separate
| identities at the same time
|
| FluffyChat, Syphon, and others I don't know the names by
| heart
|
| > Matrix defines a sort of end-to-end encryption, but the
| ends are homeservers and clients.
|
| The ends are the sessions in a room. The homserver is not an
| end. How did you get that impression?
|
| > Lack of encryption-at-rest, wherever it is that messages
| live, seems like a stupendous implementation design flaw, and
| makes me question all the project's other choices.
|
| Isn't encryption at rest usually done by the operating
| system?
| mananaysiempre wrote:
| >> (2) the homeserver has (!) plaintext access to all
| traffic on it
|
| > hmm, isn't that unavoidable?
|
| Not only is it avoidable, it's not actually true AFAIU.
| It's unfortunate (if historically justifiable) that Matrix
| has a non-E2EE mode, but the thing it brands as E2EE is
| actually deserving of the name, with messages accessible to
| clients only and the associated hurdles (you literally
| can't get access to message history in encrypted chats from
| a new client on the same account unless you get one of your
| old clients to cross-sign, even if the homeserver will help
| mediate the prompt).
|
| Matrix is not free of problems, but it _does_ have
| federated, multi-party, multi-device, end-to-end encrypted
| chats with persistent history and forward secrecy. The
| underlying crypto goes by Megolm[1]. It's slightly
| weaker[2] (in particular regarding backward secrecy) than
| the strictly two-party thing Signal does (however they
| brand it these days), but nowhere near the point of
| allowing the homeserver to eavesdrop.
|
| [1] https://blog.jabberhead.tk/2019/03/10/a-look-at-matrix-
| orgs-...
|
| [2] https://gitlab.matrix.org/matrix-
| org/olm/blob/master/docs/me...
| kitkat_new wrote:
| I understood it as the traffic that is received by
| clients and other homeservers wether it contains
| encrypted data or not.
| heinrich5991 wrote:
| > Not only is it avoidable, it's not actually true AFAIU.
|
| Note that new features apparently come unencrypted, even
| in otherwise encrypted rooms. For example reacting to
| messages with emoji sends the reaction non-E2E-encrypted
| for both all home servers to see:
| https://news.ycombinator.com/item?id=29656282.
| kitkat_new wrote:
| > Note that new features apparently come unencrypted,
| even in otherwise encrypted rooms.
|
| I checked that. While reactions are not encrypted indeed,
| a very recent feature - polls which are available in labs
| on Element Android - is encrypted.
| upofadown wrote:
| >Matrix defines a sort of end-to-end encryption, but the ends
| are homeservers and clients.
|
| Just clients I think. Otherwise it couldn't be E2EE. AFAIK,
| if you actually can manage to verify your correspondents with
| whatever the identity numbers are called in Matrix, you get
| effective E2EE.
| ncmncm wrote:
| If the homeserver sees plaintext, then it is by definition
| an End.
| nybble41 wrote:
| By that definition _all_ encryption would be end-to-end
| encryption, making the term useless.
|
| The person sending the message and their intended
| recipient(s) are the "ends" in end-to-end encryption. The
| server is not an "end".
|
| Incidentally, the client software is also not the "end":
| If the system includes a component designed to forward
| any data about the otherwise-encrypted content of the
| messages to someone who is not the sender or their
| intended recipient (unless at the direction of someone
| who is an intended party to the conversation) then the
| system does not implement end-to-end encryption. For
| example, Apple's iMessage app does this with their
| mandatory client-side scanning misfeature.
| nyuszika7h wrote:
| > For example, Apple's iMessage app does this with their
| mandatory client-side scanning misfeature.
|
| There's a lot of incorrect information here. First of
| all, it is not mandatory, it's opt-in - parents have the
| ability to turn it on for children under 18 whose devices
| have parental controls enabled. (Technically you could
| argue that it is then mandatory for those children, but
| that's no different from other parental control
| features.) Also, it uses on-device machine learning to
| detect and blur NSFW photos. They even removed the
| feature that notifies the parents if the child chooses to
| view a photo that was detected as NSFW anyway, so the
| contents of messages are not sent to Apple or anyone
| else.
|
| I think you're conflating it with the iCloud Photos CSAM
| detection, which would have been mandatory and sent
| results of on-device scans to Apple if you have iCloud
| Photos enabled, but they seem to have scrapped that (for
| now at least) as they quietly removed all mentions of it
| from their website.
| kitkat_new wrote:
| it doesn't see the plain text of E2EE messages though...
| NetOpWibby wrote:
| I used to use Wire and then I got my friends to use Element.
| It's been working great so far. I just wish it had support for
| emoji skintones in responses.
| lightspot21 wrote:
| Not my intent to offend anyone and plus I'm not American so I
| might not know your culture well enough, but please don't.
| Why should we insert race in technology when 1) it's not
| useful and 2) it's not relevant at all. I mean, who even
| cares whether the smiley face is white or black or whatever
| else? It's just a smiley face. IMHO there are more
| significant areas to care for.
| [deleted]
| quadrangle wrote:
| For clarity, Element is merely a client (the main one) for
| Matrix.org. What matters is whether people are on Matrix rather
| than whether they use the Element client. But most Matrix users
| surely do use Element.
| btdmaster wrote:
| matrix.org is just one instance, it is very important that
| people choose different instances so that interoperability is
| kept.
| tgsovlerkhgsel wrote:
| Element on Android still doesn't support searching in encrypted
| rooms. The UX is years behind Signal and I'm not sure if
| they're catching up.
| jokowueu wrote:
| The usability and UI after all these years are just terrible
|
| Spaces was implemented but again the UI is just terrible
|
| Other clients are better as an im like fluffy chat tho
| feanaro wrote:
| "Just terrible" isn't very constructive criticism. I think it
| has improved and continues to improve significantly.
| kaladin-jasnah wrote:
| It has improved tremendously, but it's still nowhere on par
| with solutions such as Telegram or Discord. As much as I
| like Matrix, the clients (which I think is where the UX
| lies for me, as I think it's expected that it takes effort
| to set up a homeserver), are horrible.
| crossroadsguy wrote:
| I think it was the original private and polished messaging app in
| the recent times but Telegram went past it.
|
| While Signal is fighting tooth and nails to not be on F-Droid.
| wjd2030 wrote:
| I downloaded an app from F-Droid once, it was Spotify. Later that
| week I started getting strange spanish songs on my recently
| played. Checked my logged in sessions and there were several from
| latam. I deleted the app.
| marcodiego wrote:
| I don't think Spotify has ever been on f-droid. Can you post a
| link?
| usr1106 wrote:
| Spotify on F-Droid? F-Droid has only open source apps. Is
| Spotify open source? I have serious doubts about this story.
|
| (Not a Spotify user, low-volume F-Droid user)
| mdp2021 wrote:
| Have you cross checked the signatures?
| wjd2030 wrote:
| Nope, and it was totally my fault, though at the time I tried
| to find a way to report the app and I didnt see it (though I
| could've missed it)
| xanaxagoras wrote:
| I have never heard of wire, I will check it out. Looks
| interesting on first glance. One thing from the marketing page
| stood out to me:
|
| > Organizations can set up customized alerts, bypassing silent
| mode on all devices, and trigger responses for crisis teams.
|
| Not a knock against Wire, I guess this is just where we are as a
| society, but I am not a fan of this whatsoever. I would refuse my
| company access to do this on my personal device. Mail me a pager,
| I'll turn it on when I'm up.
| gowld wrote:
| > Mail me a pager, I'll turn it on when I'm up.
|
| What's the point of hiring someone to be on call, if they
| refuse to be on call?
| tasha0663 wrote:
| > What's the point of hiring someone to be on call, if they
| refuse to be on call?
|
| Indeed. I've walked out of interviews over this. The list of
| things that are actually _that_ critical is incredibly small.
| fire wrote:
| IMO things change quite a bit if you're actually being paid
| to be on call
| 2pEXgD0fZ5cF wrote:
| This sounds like a feature that spawned from good intentions,
| but it's obvious in what ways this would get abused once you
| scale up the amount of Wire users.
| lucgommans wrote:
| > I have never heard of wire, I will check it out. Looks
| interesting on first glance.
|
| It's basically Signal but without the popularity, despite
| predating it. Why Signal took off and Wire stagnated, I am not
| sure. The network effect is one part of it, probably caused by
| Moxie being popular in the community, but another part is that
| Wire does not seem to care as much about doing cool stuff like
| private contact discovery that Signal put some real R&D into
| (and no other service (Threema/Wire/etc.) even bothered to even
| copy, let alone build upon).
|
| Main differences:
|
| - Signal is better with metadata
|
| - Wire needs no phone number
|
| - Wire treats devices equivalently. If you want two phones,
| that's fine (Signal supports only 1 mobile device and N slave
| desktop devices; can't have desktop without mobile or more than
| one mobile) and is mostly feature-complete on each platform
| (Signal misses e.g. gifs on desktop)
|
| - Signal's apps are a bit more polished than Wire's, slightly
| better UX
|
| - Now that Signal has been gaining popularity and Wire, um, not
| as far as I can tell, Wire seems to be focusing more on
| corporate use. But it's still possible to register free
| accounts: https://app.wire.com/auth/?hl=en#createaccount
|
| - I think Wire has a bots system that Signal does not (and is
| generally more open to integrations), but I could be wrong here
| tptacek wrote:
| It's also Signal without the security model. Wire maintains a
| serverside, plaintext directory of who's talking to who. It's
| part of the whole premise of Signal not to do this.
|
| That doesn't make Wire bad, it just makes it suitable for a
| different set of applications.
| autoexec wrote:
| > It's also Signal without the security model. Wire
| maintains a serverside, plaintext directory of who's
| talking to who. It's part of the whole premise of Signal
| not to do this.
|
| Signal also permanently keeps user's information in the
| cloud including a list of the people they talk to. It's not
| stored in plain text, but it's there. I don't find signal
| to be trustworthy at this point so for people looking for
| secure communication I recommend Jami, but it lacks polish.
| tptacek wrote:
| You can just look at how Signal has responded to court
| orders for information, and the FBI's documentation for
| what it can obtain from different providers. Through
| legal process (or, because Wire is hosted overseas,
| without it, using CNE), the FBI can obtain the entire
| Wire social graph.
| autoexec wrote:
| > You can just look at how Signal has responded to court
| orders for information,
|
| Signal is very proud that once a long time ago the state
| came to them asking for user data and signal could only
| tell them they had no data to provide. That has changed.
| Signal now collects and stores exactly the data they were
| being asked to hand over. It's not clear at all that your
| data with signal is protected. Security concerns were
| brought up repeatedly and were ignored (see for example
| https://community.signalusers.org/t/proper-secure-value-
| secu...)
|
| Signal still brags about "that one time we had nothing to
| hand over" though. They still have a page on their
| website talking about it. They've never updated their
| privacy policy to reflect that are collecting and storing
| sensitive user data either. Not a good look for a company
| you're supposed to trust with secure communications.
| MajesticHobo2 wrote:
| > Signal is very proud that once a long time ago the
| state came to them asking for user data and signal could
| only tell them they had no data to provide.
|
| Have you looked at https://signal.org/bigbrother/
| recently? There are five instances of this, one as recent
| as November 2021.
| autoexec wrote:
| Signal has the data being requested but they'd have to
| brute force a user's pin or use an exploit to get to it.
| Routine requests aren't going to compel them to take
| those actions and national security letters aren't going
| to be published on their website.
| ckozlowski wrote:
| I've been using it for a number of years now. I have a few
| groups of family and friends with persistent group chats we
| have perpetually running on Wire.
|
| The fact that you can make a Wire account with no phone
| number needed is a great benefit in my opinion.
|
| I find Wire's handling of media (Embedded YouTube, spotify,
| gifs) to be better than Signal's, which was a key point to
| win over my family members. I think some secure messengers
| over look this. Us "privacy people" want strong encryption
| and all, but good luck getting spouses and grandparents using
| it if it's no fun.
|
| Wire was pretty flakey in the early days I feel, and I'd have
| to "jiggle" the client a lot to sometimes get messages to
| send. Fortunately that seems to have been ironed out, and I
| haven't had any issues in quite a long time.
|
| It is odd to me that it hasn't taken off more, especially as
| it was started by one of Skype's founders. But alas.
|
| I do like (and use) Signal as well, but I'm always glad to
| see mention of Wire on here.
| wolverine876 wrote:
| The above discusses the marketed features, but essential to
| security is the implementation. Based on what I understand
| from people with actual IT security expertise (I have IT
| expertise, but not specifically in security), Signal is on a
| different level than the others, and really the only option
| if you want real security (depending, of course, on your
| needs).
| unknown2374 wrote:
| That convenience has to be let go when working on operations-
| critical services. This feature is an absolute necessity in a
| lot of cases, and of course employees can complain, but not
| resolving certain issues urgently can mean that an entire
| hospital's system stays inaccessible overnight, or worse.
| brewdad wrote:
| Missed the point. If that operation is so critical, give me a
| workplace owned device to deal with it. My employer is not
| getting superuser access to my personal devices.
| Spivak wrote:
| They need superuser on Android? On iOS I just give
| permission for an app to send critical alerts. It's a hard
| requirement for apps like PagerDuty.
| 0xedd wrote:
| vorpalhex wrote:
| They do not need superuser, they can just request the
| permission to bypass DND. I believe apps can't tell if
| you gave them the permission or not, so there is no way
| to "force" users into this.
| unknown2374 wrote:
| they do not need super-user permissions. That would imply
| that the phone has to be rooted. over-coming certain
| settings that apply to regular apps? sure. but that's a
| very android/iOS specific feature-set that is exposed to
| all app developers.
| aero-glide2 wrote:
| Recommend using SkyDroid to download Fdroid apps, much better
| search and UI.
| daptaq wrote:
| Foxy Droid (https://github.com/kitsunyan/foxy-droid) is also a
| nice re-implementation of the old UI.
| piaste wrote:
| I use Aurora Droid, mostly because the same org also provides
| an anonymous Play Store frontend with similar UX.
| TuringTest wrote:
| And there's also Droid-ify, which uses a Material design
| style (I haven't used it, I've just found it looking for
| Foxy-droid)
| simlevesque wrote:
| Thank you for this. I love F-droid but I hate the app.
| lkxijlewlf wrote:
| https://www.skydroid.net/ ???
|
| Oh!!!
|
| https://skydroid.app/
| smallerfish wrote:
| Does it auto update? That's my main peeve with fdroid.
| jasonjayr wrote:
| I don't think anything other than Google Play can auto update
| unless you've rooted your phone.
|
| F-droid has a package you can install to the system partition
| to allow auto-updating.
| boring_twenties wrote:
| You don't need root AFAIK, you do need an unlocked
| bootloader so you can flash the system partition though.
| lucgommans wrote:
| Exactly, this is only tangentially related to rooting.
| Google doesn't need root on your device for their closed
| Play Services to install software, but the component that
| you want to have this installation capability does need
| some system-level permission. Many people grant it that
| by rooting the device, but installing something like
| /e/OS (=Android with microG and a few other improvements)
| is also a way to do this.
| BizarroLand wrote:
| On my Moto FDroid does a decent job of keeping my apps
| updated. I still have to intervene about half of the time
| though.
| rhamzeh wrote:
| Android 12 has a mechanism to allow an app that installed
| an application to update it in the background, but the
| client needs to be updated to support it.
|
| F-Droid hasn't yet, see issue here [1] - some of the other
| F-Droid clients, like Droid-ify have [2].
|
| [1] https://gitlab.com/fdroid/fdroidclient/-/issues/1836
|
| [2] https://github.com/Iamlooker/Droid-ify/pull/159
| redsolver wrote:
| SkyDroid can update apps without user interaction (even on
| non-rooted devices) using a workaround which requires a one-
| time ADB setup. You however still need to open SkyDroid and
| click a button to start the mass-update process, but this is
| an intentional design decision - it makes sense to check
| which app updates are available before blindly updating
| everything.
| politelemon wrote:
| This is a great news and an excellent addition to F-Droid. I hope
| this is a little nudge to Signal to reconsider inclusion. I
| believe they're mostly there, they already have an APK built as a
| reproducible build (https://signal.org/blog/reproducible-
| android/) with FOSS components (https://signal.org/android/apk/)
| DarylZero wrote:
| > https://signal.org/android/apk/
|
| Direct link for those without javascript:
|
| https://updates.signal.org/android/Signal-Android-website-pr...
| rhamzeh wrote:
| Unfortunately Signal devs seem dead-set against F-Droid
| (whether on F-Droid, or hosting their own F-Droid repository)
| for some reason.
|
| https://github.com/signalapp/Signal-Android/issues/9044#issu...
|
| https://community.signalusers.org/t/signal-f-droid-repositor...
|
| [EDIT] Last response of theirs on this issue I could find:
| https://community.signalusers.org/t/wiki-signal-android-app-...
| asddubs wrote:
| >For the vast majority of people, installing apps from third-
| party app stores like F-Droid requires them to enable
| "unknown sources". Signal's developers feel that normalizing
| this kind of behavior would be "a reversion back to the
| desktop security model" and that endorsing it through
| participation would be harmful. The only reason they
| distribute an APK outside of the Play Store is to reduce the
| harm of non-technical people installing fake apps instead.
|
| I guess it somewhat makes sense that they're against the
| desktop model of app distribution, but IMO the phone model is
| not worth the added security. Signal may not have any
| problems as a messaging app, but both google and apple have
| some ridiculous rules that categories of apps have to comply
| with. In particular if you're an app for any sort of art
| community, prepare to tell your users to censor even mildly
| suggestive artwork, violent content, content dealing with
| drug use (even if not glorified), etc. That's not to speak of
| countless other limitations.
|
| The desktop mode of distribution ain't so bad. at least
| you're still in charge of your own device
| tenuousemphasis wrote:
| What's the benefit to having Signal on F-Droid vs. downloading
| the APK?
| 0xedd wrote:
| Manage your version. Trust your APK source.
| chasil wrote:
| Presence in the main F-Droid repository requires the app to
| be open-source. A downloaded APK might include closed-source
| components.
|
| "The main repository, hosted by the project, contains only
| free and open source apps... The website also offers the
| source code of applications it hosts... F-Droid builds apps
| from publicly available and freely licensed source code. New
| apps, which must be free of proprietary software are
| contributed by user submissions or the developers
| themselves."
|
| https://en.wikipedia.org/wiki/F-Droid
| lucgommans wrote:
| The same advantage as having 30 updaters run in the
| background versus running apt update
|
| Imagine every app you install, from your calculator to your
| chat applications, has to have its own updater. That's why I
| like F-Droid rather than downloading the Signal APK directly.
| Already have to do this for Threema unfortunately, as they're
| neither on F-Droid nor freely available on the Play store.
| ancientsofmumu wrote:
| To help clarify to GP (was going to help reply then saw
| yours) F-Droid is both the name of the core website hosting
| the APK repos and build infra, and the name of the Android
| client which can connect to any F-Droid compatible repo -
| there are a bunch of projects who host their APKs in their
| own F-Droid repo, all you have to do is go to their website
| and scan the QR code to add it or enter manually.
|
| Signal could run their own F-Droid repo and people just add
| to their F-Droid client without using or touching the
| F-Droid website or build infrastructure at all, which would
| allow folks to do as lucgommans explains - one phone client
| connected to many repos, no manual downloading.
|
| Example: https://www.bromite.org/fdroid
| wolverine876 wrote:
| I think Signal's direct-download APK version (i.e., from
| signal.org, not from an app store) automatically prompts
| for updates (can someone verify?).
| c0mbined wrote:
| Correct. I use it on LineageOS
| daptaq wrote:
| I think that Molly (https://molly.im/) is a good option if you
| want to manage "Signal" via F-Droid.
| gowld wrote:
| Signal has a reputation that Molly lacks. If Signal team
| doesn't want to post to F-Droid, it would help if they at
| least made a statement of support or opposition to Molly.
| dopu wrote:
| I doubt they would ever endorse the use of a third party
| interface to Signal.
| DarylZero wrote:
| In fact they have publicly whined about it already
| alephxyz wrote:
| Their webpage claims both:
|
| > Molly, like Signal, uses Google's proprietary code to
| support some features And
|
| >Fully FOSS >Contains no proprietary blobs, unlike Signal.
|
| It's also not clear if it can be used as a drop-in
| replacement to contact people using Signal
| riedel wrote:
| Molly does not seem to be included in the official fdroid
| repo. You can also simply add the calyxos fdroid repo to get
| signal via fdroid
|
| https://calyxos.gitlab.io/calyx-fdroid-
| repo/fdroid/repo?fing...
| pferde wrote:
| Does it still send your password to the central server, as
| mentioned in Wire's Wikipedia article? I do not see a mention
| that they changed it.
| lucgommans wrote:
| I'd rather it keeps a username/password on their central
| service, than authenticate with my phone number.
|
| End to end encryption is achieved through key verification,
| same as on Signal, Threema, tg secret chats, PGP, etc. Your
| password is just one barrier to accessing your account and the
| security of the chats/calls does not depend on this.
| deadalus wrote:
| Fdroid is not neutral anymore. Gab has been banned from Fdroid
| due to political pressure[1].
|
| [1] https://reclaimthenet.org/f-droid-bans-gab-app/
| kmeisthax wrote:
| >The censorship Gab has faced from those in the Fediverse
| directly conflicts with the Four Essential Freedoms of Free
| Software which people in this community supposedly uphold. Most
| notably, censoring Gab goes against the first of these freedoms
| - "the freedom to run the program as you wish, for any
| purpose."
|
| No, this is not a Freedom Zero violation. Refusing to
| distribute software is not equivalent to banning you from
| running that software as you wish - unless there's some
| vrmsPhone out there that only runs signed F-Droid packages.
| Refusing to peer with a particular Mastodon node is also not
| violating Freedom Zero - I mean, "do not connect to Gab" is a
| valid way to use the software and plenty of people do not want
| to talk with people who use Gab. Are we seriously saying that
| having a blocklist in an app is a Freedom Zero violation now?
|
| Furthermore, not wanting to talk with someone is not, in and of
| itself, censorship. If this were Google or Facebook, then maybe
| you could argue that they have monopoly power, or that we
| should have some kind of common carrier regulation on them. But
| those are, at best, special cases justified by the outsize
| market power of FAANG companies. The argument being put forth
| by Reclaim The Net is that freedom of speech isn't about being
| able to speak to willing ears, but about forcing people to
| listen to you.
| commoner wrote:
| Yes, the argument is wrong. Freedom 0 allows User A to run
| their own instance of the F-Droid server as they wish. It
| does not allow User A to compel User B to run User B's
| instance of the F-Droid server the way User A would like it
| to be run. If the argument were true, any user would be able
| to control another user's instance of a free software network
| application, which would be a serious violation of property
| rights.
|
| If User C's instance of the F-Droid server hosts a repository
| with Gab in it, and User D connects that repository to their
| F-Droid client, the client would be able to download and
| install Gab. This shows Freedom 0 in action.
| hartator wrote:
| Fun that the first opportunity they had to make a difference
| they choose censorship over openness.
| npteljes wrote:
| They are making the difference by providing their excellent
| service.
| vecplane wrote:
| Why exactly did they ban Gab?
| deadalus wrote:
| F-Droid banned Gab for being a "free speech zone" that will
| "tolerate all opinions".[0] Now Gab has been banned from
| Google Play Store, Apple App Store as well as from F-droid
| due to negative media pressure.
|
| [0]https://f-droid.org/en/2019/07/16/statement.html
| dleslie wrote:
| Here's their statement[0], and this is the meat of it:
|
| > F-Droid as a project soon celebrates its 9th birthday. In
| these 9 years, F-Droid's mission was and is to create a place
| where people could download software they can trust - meaning
| only free, libre and open source software is available on its
| flagship repository. As a project, it tried to stay neutral
| all the time. But sometimes, staying neutral isn't an option
| but instead will lead to the uprise of previously mentioned
| oppression and harassment against marginalized groups. We
| don't want and won't support that. F-Droid is taking a
| political stance here.
|
| > F-Droid won't tolerate oppression or harassment against
| marginalized groups. Because of this, it won't package nor
| distribute apps that promote any of these things. This
| includes that it won't distribute an app that promotes the
| usage of previously mentioned website, by either its
| branding, its pre-filled instance domain or any other direct
| promotion. This also means F-Droid won't allow oppression or
| harassment to happen at its communication channels, including
| its forum. In the past week, we failed to fulfill this goal
| on the forum, and we want to apologize for that.
|
| 0: https://f-droid.org/en/2019/07/16/statement.html
| scarby2 wrote:
| Basically - it became a go to for the Alt-Right, these guys
| ruin everything.
|
| Sad thing about free speech on the internet is that while
| i'm largely in favour of it mostly it does create breeding
| grounds for openly hostile and harmful opinions/people.
|
| Given the lack of education in most of the world this is
| sadly utterly terrifying and i have no idea what to do
| about it.
| dleslie wrote:
| > this is sadly utterly terrifying and i have no idea
| what to do about it.
|
| IMHO, accounts need to have non-trivial value, to all
| users. Social pressure will do much of the rest.
|
| The problem with Gab, Twitter, Facebook, Reddit, even HN
| and such is that accounts are free and do not
| meaningfully increase in value with time and activity.
| This allows bad actors to thwart social pressure by
| simply switching accounts at their leisure.
|
| It also doesn't help that there _usually_ exists few
| barriers to access to online communities; people tend to
| have a romantic view of being open and welcoming, and
| social networks have an incentive to keep access
| generally open as it increases user retention.
| chc wrote:
| Their stated rationale is that Gab serves disproportionately
| as a place to organize activities that reduce people's
| freedom, such as harassment campaigns against minority groups
| and anti-democratic activity like voter intimidation, and so
| they felt that hosting it was less in the spirit of freedom
| than banning it.
|
| Ultimately, it's a problem that all pro-freedom platforms
| have to deal with: How much freedom should you give people to
| take away other people's freedom? When one group of people
| wants another to be less free, any action you take will
| result in a loss of freedom for someone.
| hellcow wrote:
| > How much freedom should you give people to take away
| other people's freedom?
|
| This is the very purpose of law according to John Locke who
| heavily influenced America's founders. To John Locke, the
| way to maximize freedom for everyone was by establishing
| laws which restrict people's ability to remove others'
| freedoms.
|
| Having platforms like F-Droid self-govern and establish
| rules to try and maximize freedoms in the world is a pretty
| interesting experiment and a great showcase of small
| government, and thus should be widely supported by
| conservatives :)
| scarby2 wrote:
| > Having platforms like F-Droid self-govern and establish
| rules to try and maximize freedoms in the world is a
| pretty interesting experiment and a great showcase of
| small government, and thus should be widely supported by
| conservatives :)
|
| Most modern day "conservatives" are not in fact
| conservatives. They dont seek a return to or a
| preservation of any traditional value at this point and
| instead seek radical change into a new and uncertain
| future. They have largely abandoned conservatism and
| replaced it with something entirely more terrifying.
| devwastaken wrote:
| So what? Political neutrality doesn't exist. We all make
| political decisions every day. Gabs owners and staff
| intentionally make money off of lies, slander, and in general
| being dishonest slimeballs. We as individuals actually do have
| a responsibility to the truth and to prevent political scammers
| like gab from profiteering off of lies.
| svnpenn wrote:
| Of course this comment, and all the children, leave out any
| context of the other side, so allow me to:
|
| > Widely described as a haven for extremists including neo-
| Nazis, white supremacists, white nationalists, the alt-right,
| and QAnon conspiracy theorists
|
| https://wikipedia.org/wiki/Gab_(social_network)
| mdp2021 wrote:
| How can you create an unmoderated forum and not have it
| populated by all sorts - especially those refused by
| moderated forums.
|
| "Haven for all sorts" is the "destiny" of any unmoderated
| communication platform.
| hartator wrote:
| This is unfair characterization. Because Gab sticks to a very
| liberal (in the traditional sense) interpretation of the 1st
| amendment, it's probably the home of marginalized voices.
| However doesn't mean Gab supports their points of view.
| monocasa wrote:
| The CEO's public statements disagree with the assertion
| that they don't agree with and support extreme far right
| views.
|
| For one example of many, here he is decrying the evils
| 'Judeo-Bolshivism', a literal Goebbels era Nazi propaganda
| concept from the 1930s that somehow the Jews invented
| communism as a part of their master plan to control the
| world.
|
| https://www.dailydot.com/debug/andrew-torba-deactivates-
| gab-...
|
| So it doesn't seem like that unfair of a characterization
| to me.
| ospzfmbbzr wrote:
| cyborgx7 wrote:
| The idea that people who dedicate a significant portion of
| their lives to developing and maintaining free software
| projects would be politically neutral is so funny to me. And
| yet it keeps being an assumption that is made on here.
| gruez wrote:
| Why is that strange? Up until a decades ago, the ACLU fought
| for both communists[1] and nazis[2]. If you're fighting for
| software freedom (ie. the narrative of freeing people from
| the oppression of google/apple app stores), it makes sense
| for your position to be "software freedom for everyone", not
| "software freedom for everyone, except nazis because fuck
| them".
|
| [1] https://en.wikipedia.org/wiki/American_Civil_Liberties_Un
| ion...
|
| [2] https://en.wikipedia.org/wiki/American_Civil_Liberties_Un
| ion...
| joomooru wrote:
| Funny thing is with these "free speech" advocates, allowing
| hate speech (antisemitism, racism, sexism, etc.) on your
| platform is anything but politically neutral. It's obviously
| capitulating to hateful groups like white
| supremacists/neonazis.
| vorpalhex wrote:
| You can always not read/watch/support people you dislike.
|
| Censors are biased like everyone else. There are always
| extra casualties.
| joomooru wrote:
| Tell that to the victims of the Pittsburgh synagogue
| shooting victims: https://en.wikipedia.org/wiki/Gab_(soci
| al_network)#2018_Pitt...
| vorpalhex wrote:
| Well good thing no bad person has ever posted on
| Facebook.. or Twitter.. or Instagram.. or written a
| manifesto and sent it via USPS.
|
| Facebook has literally been used to livestream rape and
| murder!
|
| And your own source says Gab turned everything over to
| the FBI. What, exactly, is the fault here? Them not
| having a time machine?
| francis-io wrote:
| Of course it's politically neutral. Inaction is neutral.
| joomooru wrote:
| Sorry, political neutrality doesn't exist.
|
| Inaction in the face of injustice, means you are
| advocating for the status quo. E.g. the white moderate
| from Letter from Birmingham Jail.
| young_unixer wrote:
| Then radical left speech shouldn't be allowed either, but
| many Mastodon instances allow communists (like, they
| literally call themselves communist) without any issue.
| monocasa wrote:
| Once again, the goal isn't to be politically neutral.
| hartator wrote:
| Well for some alternative app store named f-droid, you expect
| them to be the home of all the rejections of the Play Store.
| What the point of jailbreaking your phone if you end up with
| the same limitations.
| commoner wrote:
| F-Droid specializes in free and open source software. It
| does not specialize in software rejected from other app
| stores. F-Droid is also available on all Android phones,
| rooted or not. Android allows apps to be sideloaded if no
| app store meets the user's needs.
| rvz wrote:
| Telegram is a brilliant alternative and a free libre and open
| source software (FLOSS) which is used by tons of users.
|
| However, like Gab, it has all the same "oppression and
| harassment", or everything that F-Droid has quoted:
|
| _' Things like racism, sexism, verbal abuse, violent
| nationalist propaganda, discrimination against gender and
| sexual minorities, antisemitism and a lot more things become
| popular on such instances.'_
|
| Those same people that are on Gab are also on Telegram. So why
| have they not taken a 'political stance' against it or 'banned
| it' like they have banned Gab?
| lucgommans wrote:
| I did not mean to make this a political discussion when I
| submitted this news.
|
| If there are other open source app stores that Wire is on, feel
| free to add those in a comment and/or a submission. Coming here
| just to hate on f-droid for a past decision does not seem
| productive to me.
| npteljes wrote:
| Are they claiming that they're neutral, or have they violated
| any such promise, code of conduct, ethical statement or
| anything? If not, then I'd consider this a moot point.
| eole666 wrote:
| I bet if fdroid was censoring an app mainly used by antifa and
| persons from the radical left you'd be quite happy. But they
| rather sensor a social network used almost uniquely by alt-
| right / fake news writers / neonazi / hateful people, and now
| you're here complaining about it not being neutral.. Go create
| your own free right wing app store if you want Gab in it.
| [deleted]
| young_unixer wrote:
| I'm not parent comment, but I wouldn't be happy either if
| they started censoring antifa or any kind of speech.
| px43 wrote:
| Opposition to Gab has nothing to do with politics. It is very
| specifically a platform for spreading hate speech and fostering
| collaboration for hate groups. Believing that black people,
| Jewish people, Muslims, women, LGBT, etc are inferior subhumans
| who don't deserve rights is not a legitimate "political
| viewpoint".
|
| While it is absolutely true that hate groups have been doing
| their darndest to infect Republicans and conservative Americans
| with their hatred, that does not legitimize their hatred, and
| it should never, ever be tolerated in a civilized society.
| gruez wrote:
| >Opposition to Gab has nothing to do with politics
|
| >[...] is not a legitimate "political viewpoint".
|
| Can you apply this on the other side as well? eg. "believing
| that people don't deserve property rights (ie. communism) is
| not a legitimate 'political viewpoint'".
| wanderingmind wrote:
| https://wire.com/legal/licenses/
|
| gives Error 404, so we have no idea what license they are under
| and we are supposed to trust and use them.
| zksmk wrote:
| Why would you follow that link in particular? You can find all
| the license information here: https://wire.com/en/legal/terms-
| of-use-personal/ , scroll down and click on license
| information, there's like a 100 different licenses for the 100
| different things they used in the software.
| wanderingmind wrote:
| Because that is the link given in their main github repo. I'm
| not ready to trust someone with my privacy who can't even
| properly manage their weblinks.
| wanderingmind wrote:
| License link provided here: https://github.com/wireapp/wire
| karussell wrote:
| Server is AGPL: https://github.com/wireapp/wire-
| server/blob/develop/LICENSE and clients are GPL it seems.
___________________________________________________________________
(page generated 2022-01-28 23:00 UTC)