Etar-Group / Etar-Calendar

Android open source calendar
https://f-droid.org/packages/ws.xsoh.etar/
GNU General Public License v3.0
2.03k stars 392 forks

Publish APK on Github releases #1274

Closed dmp1ce closed 1 year ago

dmp1ce commented 1 year ago

Is there a standalone APK to download? I would prefer to not have to use Play or F-Droid app stores.

jspricke commented 1 year ago

What's wrong with using F-Droid?

dmp1ce commented 1 year ago

I would rather install an APK signed by the Etar devs rather than F-Droid. If someone had access to the signing key for F-Droid then they could create malicious versions of many apps and sign them so they get installed.

Video explanation here: https://youtu.be/lAbgeJau3eE

jspricke commented 1 year ago

We believe in open source software, not in some signing key, so anyone can rebuild Etar from the source to verify a binary build (reproducible builds). The easiest way to do so is using F-Droid.

Full disclosure: I'm part of the F-Droid development team.

eighthave commented 1 year ago

@dmp1ce that video is based on https://wonderfall.dev/fdroid-issues/, which has been retracted by its author (it's 404). You can confirm where it used to be here: https://web.archive.org/web/*/https://wonderfall.dev/fdroid-issues/

dmp1ce commented 1 year ago

Why was the article retracted?

eighthave commented 1 year ago

I don't know, the author never spoke to me, or asked me anything about it.

eighthave commented 1 year ago

My guess is because the argument was based on factual inaccuracies.

dmp1ce commented 1 year ago

Do you know what the factual inaccuracies were?

eighthave commented 1 year ago

There is a pretty epic discussion related to this, I would recommend that: https://forum.f-droid.org/t/privacy-on-phone/17607

dmp1ce commented 1 year ago

@eighthave Apparently the article is back on another domain. https://privsec.dev/posts/android/f-droid-security-issues/

cyberparty commented 1 year ago

> Why was the article retracted?

The article was retracted from their site and placed on privsec.dev due to the author expressing concerns with it being wrongfully interpreted as an attack on the project it was criticising. Edit: The author of the article also gave privsec.dev explicit permission to rehost it.

thestinger commented 1 year ago

Please read this thread from PrivSec, which I am not part of and which is not GrapheneOS as claimed by the F-Droid developers but rather an offshoot of Privacy Guides:

https://twitter.com/PrivSec_Dev/status/1609199831112630272

The initial article was not posted by GrapheneOS and was not retracted by the author. The F-Droid development team coordinated harassment of the author of the article and posted many false claims about them, and also about GrapheneOS despite them not being a GrapheneOS developer but rather a GrapheneOS user. The author took down the post due to the harassment and false claims about them. They may end up replacing it with a redirect if they feel comfortable doing that.

thestinger commented 1 year ago

Wonderfall's article and the PrivSec version of it after he handed it off to them are not from GrapheneOS and don't reflect the views of GrapheneOS. It's not true that this came from GrapheneOS, and if we had posted an article from GrapheneOS it would have an emphasis on much different things and a lot of content not included there. We would not have included everything he included in his article either. His article was good and was based on facts. It was not based on fabricated or inaccurate claims as @eighthave and other F-Droid developers have claimed in response. It was based on facts about their approach and Wonderfall's perspective on their design choices and implementation. It's strange that they try to portray all the technical criticism they receive as all originating from GrapheneOS and myself. It's not true. There are many GrapheneOS users and a lot of them use F-Droid, so it's a regular topic of discussion in our community. Our community has a major focus on serious privacy and security based on technical excellence rather than simply accepting the incorrect belief that something being open source means that it must be private and secure. We emphasize focusing on the facts/evidence and being skeptical about previously held beliefs. Users in our community have their own opinions. It's not the fault of GrapheneOS or a plot by GrapheneOS for them to post about their opinions. If GrapheneOS posts an article about F-Droid, it will be on the GrapheneOS site. It would be quite a lot different from Wonderfall's article that's now a collaborative article at PrivSec.

In the thread linked by @eighthave, many false claims are made about the article posted by Wonderfall and their article, about GrapheneOS, about myself (Daniel Micay) and others. When we've previously replied to these attacks on their issue tracker and elsewhere, their response has been targeting myself and others with harassment and libel. They also removed my posts there and then misrepresented what has been posted. Here's proof of this:

https://twitter.com/DanielMicay/status/1547286521597894657

I can prove that both @eighthave and Sylvia at F-Droid have repeatedly engaged in vicious harassment, bullying and character assassination based on falsehoods directed towards me as an individual because of my views based on factual information that I've presented based on factual information. They falsely claim that GrapheneOS is targeting them with underhanded, dishonest and toxic attacks but it's completely the other way around and I can prove it. I've posted proof on my Twitter account on several occasions. I can post more of that there, here and elsewhere if needed.

You can see examples of the toxic behavior in the thread linked by @eighthave from himself and others. Here's an example where he pushes blatantly fabricated claims about me in that thread:

> GrapheneOS do good hardening work, but don’t seem to understand other key parts of building secure ecosystem. For example, Daniel Micay deliberately burned the signing keys for CopperheadOS when he was lead dev, thereby locking all users out of ever getting updates again. That is especially bad if the private key was compromised. That means only the person who stole the private key can provide updates. He now controls the official signing keys of GrapheneOS, so keep that in mind. It could be worthwhile to find another source of signed builds. I think GrapheneOS is technically interesting for very specific use cases where there is no app store, e.g. a device that includes Signal and DeltaChat, with no additional apps or method for installing other apps.
>
> I have nothing against their project or work, but they have not treated F-Droid contributors respectfully. I’ve heard from a number of other Android ROM developers that they also have been treated badly by GrapheneOS contributors.

It should be noted that @eighthave is paid by Calyx and has been paid by Copperhead before them. CalyxOS was founded as an offshoot of the failed takeover attempt on GrapheneOS. @eighthave is presenting his own views from his own group of overlapping Calyx / F-Droid project members who are engaging in spreading misinformation about GrapheneOS as if they come from different groups. The people orchestrating this are a small group of around 8 people. The fact that they contribute to ~4 closely related projects doesn't mean they can portray it as if the whole world is against GrapheneOS when it's almost entirely their small overlapping group. We can prove that they're spreading blatant libel about us and engaging in clear cut harassment and bullying. I've provided a link showing that. I can provide much more.

We've never harassed F-Droid developers, spread misinformation about F-Droid or otherwise engaged in the kind of toxic behavior they've directed towards us. They falsely attribute general criticism directed towards them as all originating from GrapheneOS. Posting accurate information about F-Droid to explain why we don't include it in GrapheneOS, why we don't recommend it and why we're working on building alternatives to it and recommending alternatives from others is not an underhanded attack on F-Droid in any way. It's completely legitimate for us to discuss the facts and express our views. They're attributing posts not coming from GrapheneOS as being from GrapheneOS though.

We have a couple dozen moderators across platforms. Those moderators overlap with other projects, some of which we're on good terms with and others like Privacy Guides where there are issues between us. Their views are not the views of GrapheneOS as a project or the views of myself and other GrapheneOS developers. They aren't acting on behalf of GrapheneOS outside of their moderation duties. We avoid having moderators or project members who engage in any kind of toxic behavior, and they aren't doing that towards F-Droid but rather F-Droid is targeting them with toxic attacks for expressing their views based on accurate information/facts they're presenting. In fact, we ban people from our community for toxic behavior. A GrapheneOS community member who engaged in the kind of toxic behavior towards F-Droid that @eighthave and Sylvia have done towards us would have been banned as soon as we knew it had happened.

Gitsaibot commented 1 year ago

I honestly have no idea what this is all about but I don't think this is the right place for such a discussion.