by gazby 934 days ago
I briefly joined some F-Droid Dev rooms in hopes of helping with their speed/capacity issues by chasing some CDN sponsorships or expanding the mirror list, however the possibility that any commercial provider or user-provided mirror might have access logs enabled was enough to end the conversation. I 180'd after that. Never was a community-run project IME.

> Never was a community-run project IME.

That's the impression given by posts linked here. The initiative to begin trying to transform it into a community-run project seems to have kicked off roughly 12 months or so ago[0] - and by all accounts seems to have been met with significant resistance from the BDFL that preceded it.

[0] https://gitlab.com/fdroid/admin/-/commit/031eeb78c8e35960a9a...

The thing is that the BDFL was never appointed as such, either. The project's founder is Ciaran Gultnieks:

https://en.wikipedia.org/wiki/Ciaran_Gultnieks

and Ciaran, while largely silent, still "holds the master keys" (figuratively and somewhat literally).

As an F-Droid member myself, albeit a completely tangential and pointless one, the only things I know about why Hans is _de facto_ leader and cannot be overridden even by the bodies created for overseeing the entire project are a couple of factors mentioned right here: that he is the only one with Owner access on GitLab, and that he is Technical Lead, "initially", in the board:

https://f-droid.org/en/2023/03/20/f-droid-board.html

> Hans is _de facto_ leader

In these kinds of situations, "de facto" is usually the same as "actual" for all practical purposes.

you mean that the f-droid maintainers did not want to rely on mirrors that would log downloads?

sounds a bit extreme on the privacy front, but not entirely unusual. i see no relation to how the project is run though. on the contrary, i expect community run projects to be even more likely to reject logging because it only takes a few vocal people to demand that. meaning the more people have a voice, the more likely demands for privacy come up. see debian and their popularity counter for example when they could just log all the downloads instead.

I'm talking literally just access logging though. Expecting even an individual, let alone a business, to run a publicly accessible web service without any form of access logging is just absurd IMO.

I'd expect privacy-inclined people to care vastly more about detecting and tracing indicators of compromise or similar over avoiding access logging on the open internet.

Edit: Use actual English.

i agree with you, but knowledge and understanding of these issues varies a lot. my confusion was your apparent conclusion that in a community run project this would have been better.

I would indeed expect a community-run project to have been better (at evaluating the trade-offs of access logging [which occurs on every other web property F-Droid users utilize]). If only because there would have been more than one voice that mattered, and thus consensus would be required rather than unilateral dictation.

Is the confusion a result of disagreement, or of my explaining my perspective poorly?

it's disagreement. i fully understand your perspective, however from what i have seen, there is a tendency for the consensus to lean towards the lowest common denominator that all can agree on. iaw. the most paranoid wins (ok, not that extreme, but it illustrates my point)

of course the upside of community input is that you also have more moderate voices and technically knowledgeable ones that can explain the risks and help reduce people's worries.

Yeah that makes sense. One of those things I'd love to see play out both ways and watch what happens lol.