by twr 3478 days ago
I think that issue highlights the problem with unofficial repositories. Users remained vulnerable because their upstream provider didn't update quickly enough. It culminated in a user spamming the official issue tracker with an outdated and annoying bug report.

This isn't just unique to Android: there are multiple ongoing efforts at the moment in the Linux world to lessen frustrations with distribution repositories. Snappy, Flatpak, and AppImage intend to unify application deployment and allow users to install applications from anywhere. In most cases, this could mean pulling directly from the application developer themselves. GNOME and KDE will likely encourage this.

I know some Firefox developers who have grouched at the delay between official releases and when distributions finally deploy them, so this problem isn't exclusive to desktop environment developers.

Back to Android: Moxie had a point when he claimed that Android is more privileged to have a system that provides package verification back to the original developer. It doesn't matter where you get an APK from: the developer's website, Google Play, APKMirror, or Bittorrent. If you have the developer's public signing key, you can verify the authenticity of the APK.

F-Droid represented a serious step backwards in Android security, back when they used to self-sign APKs. It wasn't possible any longer to cut out the distributor from the chain of trust. Fortunately, they reacted to Moxie's criticisms, and F-Droid now retains the original package signature when the build can be reproduced.

From a developer perspective however, encouraging or even tolerating unofficial installation channels for secure communication software is bad. If vulnerable users are in contact with non-vulnerable users, they unknowingly put both parties at risk. If the ecosystem evolves to the point where this is common, the whole system is insecure.

What Android desperately needs is a high-quality, non-profit, privacy-friendly, charity- and grant-driven app store. It must entice open-source app developers. It cannot do self-builds, except for reproducibility. It needs crash-reporting, analytics, usage metrics, device-specific builds, localization options, and more. It requires dead-simple tools for command-line deploying.

Until then, in my opinion, F-Droid will never be accepted by app developers. F-Droid is for users only. Not for the same purposes, either: for the cautious user, F-Droid mainly shines as a locally-setup repo for self-deployed apps.

P.S.: Perrin & Moxie recently began documenting Signal Protocol: https://whispersystems.org/docs/

1 comment
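The verification step the post describes (pin the developer's public signing key, then accept an APK from any source only if that key signed it), as an added Go example that is not from the post, from F-Droid or from any Android tooling. It uses a simplified package model (an ECDSA signature over the archive's SHA-256, not the real APK signing scheme) with assumed names Package, NewKey, Sign, Fingerprint and Verify, and shows that a repository's self-signed copy of the same build is rejected while the developer's own signature, however the file was obtained, is accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Package is a simplified stand-in for a signed APK (not the real APK signing format).
type Package struct {
	Archive   []byte
	SignerKey *ecdsa.PublicKey // what the embedded signing certificate would carry
	Signature []byte           // ECDSA signature over SHA-256(Archive)
}

// NewKey makes a P-256 signing key for a developer or a distributor.
func NewKey() *ecdsa.PrivateKey {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return key
}

// Sign is the developer's release step; a repository that self-signs a build runs it with its own key.
func Sign(archive []byte, key *ecdsa.PrivateKey) Package {
	digest := sha256.Sum256(archive)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return Package{archive, &key.PublicKey, sig}
}

// Fingerprint is what a user pins: hex SHA-256 of the DER-encoded public key.
func Fingerprint(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a valid P-256 key
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// Verify accepts a package only if the signer is the pinned developer key and the
// signature covers exactly these bytes; where the file was downloaded from is irrelevant.
func Verify(p Package, pinned string) bool {
	digest := sha256.Sum256(p.Archive)
	return Fingerprint(p.SignerKey) == pinned &&
		ecdsa.VerifyASN1(p.SignerKey, digest[:], p.Signature)
}

func main() {
	dev, repo := NewKey(), NewKey()
	apk := []byte("constructed stand-in for APK bytes") // not a real archive
	pinned := Fingerprint(&dev.PublicKey)
	fmt.Println(Verify(Sign(apk, dev), pinned), Verify(Sign(apk, repo), pinned)) // true false
}
```

A byte-identical rebuild carrying the developer's original signature also verifies, which is the reproducible-build case the post credits F-Droid with adopting.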

> From a developer perspective however, encouraging or even tolerating unofficial installation channels for secure communication software is bad.

What is your threat model?