1193
Google's shocking developer decree struggles to justify the urgent threat to F-Droid (www.neowin.net)
submitted 5 days ago by ardi60@reddthat.com to c/technology@lemmy.world
223 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[-] keegomatic@lemmy.world 5 points 3 days ago* (last edited 3 days ago)

Both things can be true. It definitely is better for security. It’s pretty much indisputably better for security.

But you know what would be even better for security? Not allowing any third-party code at all (i.e., no apps).

Obviously that’s too shitty and everyone would move off of that platform. There’s a balance that must be struck between user freedom and the general security of a worldwide network of sensitive devices.

Users should be allowed to do insecure things with their devices as long as they are (1) informed of the risks, (2) prevented from doing those things by accident if they are not informed, and (3) as long as their actions do not threaten the rest of the network.

Side-loading is perfectly reasonable under those conditions.

[-] TeddE@lemmy.world 6 points 3 days ago

It’s pretty much indisputably better for security.

I dispute this. While adding extra layers of security looks good on paper, flawed security can be worse than no security at all.

Android packages already have to be signed to be valid and those keys already are very effective in practice. In effect these new measures are reinventing the wheel as to what a layperson would think this new system does.

Adding this extra layer in fact has no actual security benefit beyond posturing/"deterrence". Catching a perpetrator is not the same thing as preventing a crime. Worse - catching a thief in meatspace has the potential to recover stolen goods, but not so in digital spaces - either the crime is damage or destruction of data for which no punishment undoes the damage or the crime is sharing private data which in practice would almost certainly have been immediately fenced to multiple data brokers.

And were only getting started with this security theater:

  • Nothing prevents an organization from hiring a developer for long enough to register before being flushed (or the same effect with a burner account on fiver)
  • Nothing in this program does anything to get code libraries vetted - many of these developers may accidentally be publishing code from poisoned wells that they have no practical knowledge of.
  • None of these measures make scams less profitable.
  • None of this addresses greyware - software that could technically qualify as legal (because the user agreed to terms of service for a service of dubious value)
  • All of this costs time and resources that will likely inevitably be shouldered on low paid engineers that could have put that effort to better uses.
  • Metrics and statistics may likely be P-hacked to reflect that the new system as a success (because there's internal pressure to make it look good) this turning-security-into-press-releases would have collateral of making accountability overall worse.

But you know what would be even better for security?

While we're at it we could add the tropes of removing network connectivity, or switch to using clay tablets kept in a wooden box guarded by a vengeful god. Both of those would be more secure, too.

Users should be allowed to do insecure things with their devices

100% agree with you here - it's fundamentally the principle of "Your liberty to swing your fist ends just where my nose begins". Users should be given the tools and freedom to do as they want with their property - up until it affects another person or their property in an unwanted way.

[-] keegomatic@lemmy.world 2 points 1 day ago

I think we mostly agree. And I do agree that “flawed security can be worse than no security at all.” I think, though, that this doesn’t make security worse, just that it doesn’t make it that much better.

But even simple filters can make a significant difference: maybe you remember the early-ish Lemmy debacle of turning off captchas for signups by default, ostensibly because captchas are now completely defeated… which led to thousands and thousands of bot accounts being created pretty much immediately across a bunch of instances, and the feature being turned back on by default.

[-] TeddE@lemmy.world 2 points 1 day ago

I'll agree to that.

And I also think that there's no way I trust Alphabet (holding company of Google) to be the sole arbiters of who gets to run code - neither in a philosophical sense nor as a gatekeeper to one top five compute platforms used by a substantial chunk of the world population.

It absolutely does not justify creating a policy that would wholesale obliterate F-Droid, arguably one of their larger competitors.

[-] keegomatic@lemmy.world 2 points 1 day ago

100% agree

this post was submitted on 29 Sep 2025
1193 points (100.0% liked)

Technology

75734 readers
3708 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws