Thread

Zero-JS Hypermedia Browser

Relays: 5
Replies: 9
Generated: 14:10:30
avatar
Jacob | Five Eye Tea npub14zwv...mw42
I've officially migrated all of my most important apps over to Obtainium and marked them as ignored in F-Droid. Previously I had used F-Droid for the majority of my apps (Aurora Store for everything else), but following some recent controversies regarding them misclassifying the sacred text of my Christisn faith as "not safe for work" and "pornographic", I decided that it was time to start moving away from them and just start grabbing apps from source directly. This was also inspired in part by nostr:nprofile1qqsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcpz9mhxue69uhkummnw3ezuamfdejj7qgswaehxw309ahx7um5wghx6mmd9u2mk7fe. In a conversation, he mentioned that something like F-Droid centralizes all authority to one group of people, whereas Obtainium allows you to be fully in charge of what apps you use and when you download them. F-Droid compiles apps themselves, based on the original source code. Meanwhile, Obtainium allows you to grab the apps direct from their repositories, without any middle men. There's still a place for F-Droid. Because of the fact that they do compile things themselves, that means you're less likely to download a malicious app if it's something you never used before. But if you know the app and it's important to you, you should just download through Obtanium directly. #decentralization #obtaining #opensource
2025-10-31 00:04:09 from 1 relay(s) 6 replies ↓
Login to reply

Replies (9)

avatar
Tim npub1nqg9...dddj
Obtanium is great, after using it I'm wondering why middleware apps even exists. Nothing better than direct from the source!
2025-10-31 13:37:26 from 1 relay(s) ↑ Parent Reply
npub14jdf...7nsd
Android is Trust On First Use (TOFU). Obtanium allows you to share to AppVerifier on first install to verify it. From then on you dont have to worry as it'll only update if the signature is the same. Word of warning, AppVerifier only contains a small amount of signatures stored in itsinternally db [1]. Often a dev will include their signature on github and then you can paste that in to AppVerifier to double check. [1] https://github.com/soupslurpr/AppVerifier/blob/main/app/src/main/kotlin/dev/soupslurpr/appverifier/InternalVerificationInfoDatabase.kt
2025-10-31 13:45:53 from 1 relay(s) ↑ Parent Reply
avatar
Tim npub1nqg9...dddj
Thing is f-droid uses the same github source. So a compromised project will simply affect everyone. On the otherhand f-droid could maliciously point to a different cloned compromised repo and end user wouldn't even know. So still best to take out the middle man and know your updating to the official repo and not a different unofficial clone.
2025-10-31 13:46:25 from 1 relay(s) ↑ Parent Reply
avatar
unSATiated npub12kj9...g5ew
That's true, but it's also possible for an attacker to compromise a GH account and publish a new "release", without even changing any source code. Only you have all the accounts to secure, and only one F-Droid. I use Obtainium too, but it's unclear to me how to weigh up these risks.
2025-11-01 00:29:34 from 1 relay(s) ↑ Parent 1 replies ↓ Reply