For a while I have been using GrapheneOS with App RSS feed as described in this video from Side of Burritos: You should use this instead of F-Droid | How to use app RSS feed - Invidious
Since I use very few apps, this has been a very good experience so far. However, there is one small problem with the tutorial: it seems to assume that there will be an apk file available in GitHub, whereas that is often not the case. For example, right now, I would like to install Etar-Calendar, but only the source code is made available. Release 1.0.34 · Etar-Group/Etar-Calendar · GitHub
Could anyone help me in adapting the video tutorial to cover cases such as this one?
Thanks in advance.
The only workaround I find is to use Obtainium, an app that lets you update/install apps directly from the source. It works with GitHub, Codeberg, GitLab, F-Droid and many other sources. I searched for Etar and it worked.
Side of Burritos has made a video about that awesome app:
Thanks! I didn’t know about Obtainium.
I just don’t think it is installing from the source though, rather it looks like it is looking in f-droid for their apk for the source code and trusting that. (That is what I normally do in this situation, only manually.) It sounds like right now Obtainium is a very nice replacement for ReadYou, in that it automates the otherwise manual process described in the first video. Hopefully in the future it will produce its own apk from the source.
What Obtainium does is basically automate what you were already doing with the RSS feed and download the APK for you so you don’t have to do it manually. It’s pretty convenient but remember that it’s still in Alpha and you may encounter quite a few problems if you rely too much on it.
Personally I think the pros of using F-Droid outweigh the cons so I mostly stick to that. For me the major benefit of installing something from the F-Droid repo is that I know it was compiled by F-Droid from source. Which means that the source code used by F-Droid is the exact same source code that generated the APK I’m installing.
It is technically possible for a developer to publish an APK on GitHub which was built using different source code than the one publicly available.
I’m not going to go further into this as I think there is a good chance I may start a flame war. All I’m gonna say is that the issues with F-Droid have been blown out of proportion by the privacy community. Yes, F-Droid is not perfect, but neither is it the gaping security hole many portray it to be.
Which also means FDroid has the signing keys, which are insecurely stored on an outdated end-of-life Debian Chromebook (from FDroid website, see GitLab issues). That loosely translates to: if FDroid were to get compromised, all apps on FDroid would be having whatever the malicious actor wants.
AFAIK the F-Droid keys are stored on an air-gapped machine so the chance of the keys being compromised is fairly low.
Wrong. Just because something is air gapped doesn’t mean it can’t be compromised. There are multiple possible attack vectors for an air gapped machine. Also see my earlier reply.
Thanks for the feedback, I don’t think f-droid is a bad option and I am glad and thankful that they exist.
Maybe my question should be put like this:
At some point somebody does the presumably automatable procedure of turning source code into apk, e.g. the f-droid developers or the app developers. So I wonder why is there not an app that could do that at the touch of a button. At that point you just have to trust your machine and the source code like those devs do. Am I missing some big technical difficulty or another reason why such a solution doesn’t seem to be available?
You mean install an Android app from source in an automatic way like for example how you do in Gentoo? No, I don’t think something like that exists for Android. If you really wanted to do that you’d have to compile everything yourself and then transfer the APK to your phone and install it.
Also, I’m no mobile developer but I don’t think compiling an Android app is something that can be done directly on an Android device. Please correct me if I’m wrong.
When you use something like Obtainium it simply downloads the APK compiled and published by the developer on GitHub. You are not compiling from source.
You can compile your app with Android Studio on your computer and install the compiled apk via your usb to your device if you want to do that for some reason. That’s quite meaningless to do unless you want to remove some code, unused libraries seeking unnecessary permissions (you might as well submit a PR) etc.