[AlexAffe]

Isn't it time to just ditch "Stores" all together? We were way past that concept on the PC for decades, how on earth does it help to introduce it to desktop? Let ppl download there apks from the dev sources directly, and... oh wait... I'm just describing 'installing a program' as it has been for ages. Maybe this will at least help normal users to wake up and wanting to escape their jails. (oh sorry, I forgot, it's for their own good! o7)

[johannes1234321]

installing applications from "wild" sources leads to possible virus injectiins etc. I sleep better knowing my parents won't br able to simply install things.

I like Android, where the default is the play store, but i can sideload or use f-droid as well.

[AussieWog93]

Malware exists on the Play store too. My grandmother managed to download some aggressive adware bundled in a sudoku app.

Interestingly, she's avoided viruses on Windows for decades. I think thats because she wouldn't trust random apps from dodgy websites in the way she'd trust Google Play.

[takluyver]

Malware certainly exists on the Play store, but when Google spot it, they can unilaterally remove it. IIRC, they also have the ability to remove it from devices where it was already installed. The app store model probably also delivers security updates to legitimate apps more effectively than every developer managing their own distribution.

My parents are also very cautious with what they install on Windows, and I think that's a pretty good approach. But it's pretty clear that plenty of people aren't so paranoid, and it's not always easy to tell a dodgy site from a legitimate one.

[mcny]

I still think developers should not be able to upload binary blobs to the store. The store should prescribe an official set of tools and build options. Developers should be required to upload their source code and build instructions.

The store will then build the application binaries based on provided instructions, run tests to make sure the application meets store criteria, and publish it if everything looks good. Perhaps there will need to be some manual intervention when necessary but we should be able to automate things more as we see more use cases.

That and the client "store" should be decoupled from the server store and users should be able to add/remove server stores as they see fit.

[takluyver]

I would generally agree, but this puts a lot of trust in whoever is running the store: if Google/Amazon/Microsoft/Apple build and sign every application, they can quietly modify the code. It wouldn't necessarily be easy for even the developer to know that this was happening.

[johannes1234321]

why should they make it so complicated? Apple or Google can manipulate the operating system. No need to manipulate individual apps.

[AussieWog93]

>when Google spot it, they can unilaterally remove it.

Microsoft can achieve the same goal already through Windows Defender. My app was recently flagged as a trojan (false positive) and it would be wiped from users' computers before they could even run it.

>they also have the ability to remove it from devices where it was already installed.

That Microsoft can't do, but I'm not really sure that it's a good thing...

>The app store model probably also delivers security updates to legitimate apps more effectively than every developer managing their own distribution.

Citation needed there.

[colejohnson66]

That last one (the “citation needed”) is solved by stores that have auto-updaters. When a store isn’t used, it’s up to the app developer to provide a notification of an update being available, and many don’t do that.

Linux’s package manages show that quite well. I can update (almost) all my packages with a simple command. On Windows, if Inkscape has a security vulnerability that an update fixes, I'm not informed of this unless I follow the development or use an RSS feed of sorts.

[takluyver]

Agreed. Of course it's possible in theory for every developer to have their own secure, reliable auto-update mechanism. But it's not easy - the docs of The Update Framework describe some of the challenges.

If every app handles its own updates, that also means that either you've got N background auto-updaters running, or the check has to wait until you run the software - and potentially get exploited by a hole patched in the update it's just downloading.

[selfhoster11]

Adware is not the same as a virus that goes wild on your data.

[AussieWog93]

I agree, but that's more of a function of Android apps not having full filesystem access by default. It has nothing to do with whether or not they can be sideloaded.

[numlock86]

This false trust regarding stores is a real issue.

[Bancakes]

Somehow hundreds of package manager repos and all their mirrors work flawlessly on Linux.

[colejohnson66]

If you use the official repos, those packages are (generally) vetted by the maintainers. Unofficial repos (sideloading stores) aren’t.

[f6v]

Having downloaded a ton of Windows crapware back in the day... I spent most of my life programming and still wish I didn't ever have to say "Yes, I trust this unidentified developer".

[skohan]

I think the future for 90% of applications is really just to have progressive web apps. We're not quite there yet, but with WASM and WebGPU we're getting closer.

[astlouis44]

Second this, especially for games. Avoiding the 30% and bypassing Steam and the App Stores is going to be huge for game devs building in Unity and Unreal.

[Aperocky]

It's only worrisome if the Stores don't allow you to do that, AFAIK most people can still sideload apps on Android, not sure how the new Windows 11 Android apps work in this case.