Accrescent in GrapheneOS App Store (infosec.exchange)

submitted 3 months ago* (last edited 3 months ago) by JustMarkov@lemmy.ml to c/opensource@lemmy.ml

4 comments fedilink hide all child comments

(cross-posted from: https://lemmy.ml/post/18603801)

Today I opened the App Store on my GrapheneOS to see, that Accrescent is now mirrored in it.

I know, that GrapheneOS devs have addressed F-droid very negatively it the past (and they still do that), but imo, including Accrescent as a part of official GOS App Store is very harmful for FLOSS movement, as Accrescent does not support any third-party repos, claiming that they are "breaking the Android security model", and also allows submitting closed-source apps to the repo.

This unlikely to be the reason for me to change OS, as GrapheneOS is still amazing, but devs rhetoric and actions become more and more concerning for me.

top 4 comments

sorted by: hot top controversial new old

[-] deadcade@lemmy.deadca.de 30 points 3 months ago

Despite the downsides of F-Droid, there's one thing they provide that other stores like Accrescent simply can't. F-Droid provides APK builds with the exact source used for the build available. There's a lot of trust involved, but this trust is in a single entity, rather than random developers. F-Droid has existed for a long time without adding malicious code to builds, so when they say "this source code produces this APK", they have years of history doing exactly that to back their claim.

A random app developer has no such trust built up. Stores like Accrescent, even if you download only FOSS apps, trust the app developer with building apps. It's less prone to one massive takeover, but APKs built by random devs are much harder to verify and check for malicious code than the source code. If F-Droid is taken over, it should be noticed relatively quickly, but affects everyone using F-Droid. If an app on Accrescent bundles malware, only users of that app are affected, but it may go unnoticed for a much longer time.