Hacker News | codesim365's comments


Wonderful, thanks for sharing. :)


:O


F-Droid allows you to run your own repo and up your own builds. MicroG does this, so these are built by them. More devs should do this. F-Droid building everything isn't scalable nor is it a good trust paradigm. I agree with them that they should only build from source, but others should maintain their own. Email is federated, why not app stores?

Edit: [0] https://f-droid.org/wiki/page/Setup_an_FDroid_App_Repo


Because adding a repo via some random online URL is the exact same reason why downloading random Windows executables creates tons of opportunities for malware to infect computers.

The whole point of software stores is giving users the ability to trust the motives of the software they install, because the store and / or its users would never condone hostile software being hosted there.

Once you start having everyone run their own F-Droid repos, you are having independent developers give you their own trust keys, but you have no one else who needed to verify those developers were legitimate.

F-Droid itself is not particularly secure, given anyone can upload anything there, but in the same way the Arch Linux AUR, openSUSE Build Service, Ubuntu Launchpad, etc. work, those third party software repositories are at least hosted by a trusted maintainer of the store / repo itself. If anyone ever uploaded malware there, once found out, it would be taken down and the responsible users banned.

With distributed app stores under F-Droid, or the equivalent third party repos for Arch / Suse / Ubuntu, the host has absolutely no control over the behavior of third parties, and thus anyone can host all the hostile malware they want, and if users add those repos they give them absolute trust in doing so.

That isn't a valid security model by any estimation.


You trust Facebook when you log into Facebook.com. Facebook.com/fdroid would be the hypothetical trusted endpoint for Facebook apps. You should not have one gatekeeper that ensures everything is safe. They can sensor content, fail to catch something or prioritize some apps over others. Having a default repo where there are restrictions, rules and vigilance makes sense, but you should be able to opt into another circle of trust AND get notified of updates, changes, version numbers etc. If you can't trust a company enough to run their binary, then don't add their repo.

The alternative is to download static APKs today and maintain updates yourself (bad) or remove the freedom to install what you want on your device.


For the vast majority of software I imagine most users do not have a relationship with the vendor going in. Independent repos naturally can (and do) work for large software. For example, the Mega client for Linux is provided as its own self-hosted repo by Mega Ltd, where they provide repositories for most distros.

But for, say, an app for a restaurant or a document reader, you would not know or have any reason to trust the vendor, so if they are self-hosting their own repos you are taking a tremendous risk trusting them.

The end result would probably remain the same - users might use third party repos for huge popular apps, but small apps would still need to stay centralized because there is no way to introduce a viable trust model against an organization you never interacted with before.


I think people trust too much generally. That's not going to change with any paradigm put forth. However if you're running binaries from vendors you don't trust, you're playing with fire even in a regulated app store.

Most people don't change their default browser, adding third party repos would be similar. Removing the ability for the owner of a device to install software they want fixes one symptom, not the main issue of trust. Also it makes your device into a glorified feature phone. No thanks.


OT and FYI: I think you meant 'censor' instead of 'sensor'


Oops, was writing on my mobile. Can't edit it now, thanks though.


I'd be happy if they just released it DRM-free on GOG or something. It existed long before tying your game to Steam's API was ever a thing. I'd buy it again, especially if it was the original version (before they killed LAN multiplayer).

I mean, have we really learned nothing from tying our multiplayer to GameSpy?

Open source would be best, but I'm sure they want to re-release it on every DRM cloud platform to pop up for the next 20 years. Also, legal, etc.


I use prosody and it's really slick.

Extensions that implement server-side XEPs are really easy to add on as well. Just git pull the community XEP repo and then add a line to the ini and you can add more superpowers. I have it on a cheap VPS. I'm using Conversations with it and it has been mostly flawless. Now I just need a good Linux application that understands OMEMO. There's a Gajim hack, but it's kind of messy.

[0]: https://prosody.im/


This is good to see. I feel like self-hosting is no longer really a priority for a lot of people, even privacy advocates. As things get more cloudy, people end up trusting these third party services more and more. Even businesses and schools are using cloud services like crazy.

I think there should be more talk about federation, exporting and importing data. It also seems like serverless is the new hotness and getting a lot of former self-hosted advocates' eyeballs.

Self-hosting is a lot of work for the everyman, but distributed trust (family, work, neighborhood, school, etc) federation seems better than the status quo. This might not be a popular position since most startups depend on roping people into centralized clouds, but eh.

I wrote some about it and the Decentralized Web Summit here[0].

[0] [link redacted]


IANAL, but it looks like when you agree to the Microsoft TOS you waive your right to bring a Class Action suit against Microsoft.

>Class action lawsuits, class-wide arbitrations, private attorney-general actions, and any other proceeding where someone acts in a representative capacity aren’t allowed. Nor is combining individual proceedings without the consent of all parties.

I believe that's why companies are taking MS to small claims for $10,000 despite losing way more than that in downtime.

[0] https://www.microsoft.com/en-us/servicesagreement/


Not legal in the EU.


If you read this, you agree to give me 2L of blood every 88 hours, as well as a lock of your firstborn's hair.

I agreed to nothing.


SCOTUS seems to disagree with you[0][1]. I try to read or at least skim what I agree to. Some companies have an opt-out of their binding arbitration (eg. Ting), which I try to make use of, but most don't allow you to opt out of the class action waiver.

If you don't like the terms, email them and tell the company why you won't sign up. I rarely get a response, but someone on their staff knows there's at least some push back.

[0] https://en.wikipedia.org/wiki/AT%26T_Mobility_LLC_v._Concepc...

[1] https://en.wikipedia.org/wiki/DIRECTV,_Inc._v._Imburgia


The "new" Microsoft was a change in business model, not a sudden thawing of the heart.

Windows used to be the product, now Windows users are. This is similar to Google and Facebook's offerings. Very few companies still strictly sell software anymore.

The open sourcing of tools is marketing and a consequence of prioritizing adoption over exclusivity. Like Android, Windows isn't going to be the bare foundation you build on, but the cushy, fully furnished condominium... complete with cameras and microphones.


The business model hasn't changed. Windows is and always has been a paid product (with some minor variations) and Microsoft is not a significant player in the advertising business. (AOL does sell Bing ads, I think.)

Of course, if you have any factual evidence that Windows users are a product, then I'd be interested to hear it.


Why does Windows 10 now phone home to domains like ad.doubleclick.net and adnexus.net?


Metro applets do it. You can remove these from Start menu.


I've been watching like a hawk for the past couple of weeks and not found anything that does it, so I assumed it was just made up. However, the only app I use is Microsoft Health.


I dual boot on my PC, Ubuntu and Windows. I'm writing this from my Arch laptop. I only drop into Windows if I want to play a Windows-only game, but thankfully that's happening less and less. I've stopped buying games for Windows entirely so I won't have this problem in the future.

When I installed Windows 10, I did the hour-long dance of trying to find all the places where I could turn off tracking, even temporarily. Then I ran this[0] which does a pretty good job in a magic black box kind of way. It's a patch job, I don't recommend using Windows 10 as a daily driver or putting too much faith into any GUI setting or external patch.

Also updates are important. Software developers know maintaining multiple old versions and backporting fixes is more art than science and even with the best intentions is prone to incompleteness. Update your software. If you find you can't because upstream is consistently invasive/lacking/gross, choose a different project or you know... fork.

[0]: https://github.com/10se1ucgo/DisableWinTracking


I agree, they're really late to the game. It seems like a slam dunk business-wise as they can get the Android and iOS market on the same app and cultivate a household name.

They would have been better doing so before the E2E craze went mainstream-ish, again from a business perspective. Now they can still leverage metadata, but it's not as juicy and lucrative as say, reading everyone's emails.


I'm still putting my money on vector.im and matrix.org. Closed source communication apps are not appealing to me, even if they come with an E2E promise.

From a business perspective this makes sense for Google. A big problem with Skype was always the lack of ubiquity. A lot of people had it, but it required another install and explicit configuration. Now that Skype is nearly bundled with W10 and WebRTC has made skype.com trivial, the gap for Google to move in is closing. If this rolls out with Google branded Android, people will use it irrespective of its merits (a la bundled Internet Explorer). Interop on iOS makes it stand out from FaceTime. There's always room to change terms later when it becomes a household name.

Also, with all these services adding an E2E sticker on their communications, Google's hand was forced, they're not trend setters here and they shouldn't be applauded for being extremely late to the privacy game.


> Closed source communication apps are not appealing to me

And they should be forbidden, according to (admittedly a broad interpretation of) the telecommunications act of 1996, [1].

[1] https://en.wikipedia.org/wiki/Telecommunications_Act_of_1996


I'm following matrix.org and vector.im development, hoping they'll get good and take off. Main thing stopping me from jumping on board is that running a matrix home server is said to be very resource intensive and my home server is already overloaded. Maybe later.


I've actually been running my own matrix.org home server quite fine for over a couple of months now on a $5/month VPS via DigitalOcean. ADMITTEDLY, the scale of users on this instance is low in numbers, so your mileage may vary with more users, more activity, etc. I'm using this low-spec VPS simply to test things out, and learn about matrix.org. You should give it a try. Whether you use DigitalOcean or any other competitor VPS provider, if after installing the matrix.org home server you find it's not to your liking, you just kill off the VPS; cheap and easy experiment! ;-)


Does anyone run matrix hosting that you don't need to care about, and is still reasonable about security and privacy?

99% of people will never run their own matrix server, and 98% of people will never pay $5/mo for a chat service.

Basically, where can the general public sign up for a matrix account that's free, offers a good experience, and respects my rights?


Yeah good points, not everyone needs to host their own matrix.org home server; users can simply hop on existing ones. The ones on matrix.org or vector.im are pretty robust and actually allow public registration (and you can have private rooms for privacy, etc.). Check out: http://matrix.org/docs/projects/try-matrix-now.html or directly to https://vector.im

Also, I should have stated, I hosted my home server on a vps, but one can also totally just do it on your own server at home (so you could avoid paying any vps provider)...again, for those who have an interest in hosting their own.

Personally, my goal was to host the server for my family...but the really big advantage of decentralized platforms like matrix.org (and others like gnu social, etc.!) is that my host can connect with others...hey email has worked successfully connecting billions of decentralized people for so long now, so there is precedent for this type of concept.

I suggest heading over to vector.im - it's the easiest on-ramp - and give it a try! I hope that helps!


That sounds ideal, thank you. I'm generally increasingly convinced that while decentralised services are great for many powerusers, they too often shift too much of the burden onto users, vastly diminishing the market penetration of what are nominally good ideas.

Another example of this is the current IndieWeb movement, which while great, doesn't fix very much because 1) low penetration means you have to republish all your content back into proprietary silos, regranting them license to use that we're supposed to be escaping and 2) by forcing people to set up and develop their own platforms means that the majority of indieweb blogs are subtly incompatible through bugs and mostly suck up time that could be used blogging with time spent to fix the blog.

:(


You hit the nail on the head with the challenges that you stated! While I'm a really, really big fan of decentralized platforms AND indieweb, I acknowledge that many (though not all) of the apps to allow users to on-ramp are not yet as simple as those that the proprietary silos/platforms might offer. Or the apps might be ok but require more time/commitment for users to set up things before extracting benefits. This of course sort of prevents otherwise willing new users from joining the fray...but I'm comforted by the fact that this is almost exactly how it was many years ago when the web first became available to the public, and many people thought things were "too tough" to get people onto the web; and yet here we are with so many people on the web. I'll admit that perhaps I'm an optimist. ;-) But I feel we just need to get a few Goldilocks-type killer apps to drastically ramp up user engagement. Cheers!


I actually liked the original matrix mobile client on Android, but vector.im still rocks! (And of course vector.im will keep getting updates while the original matrix client I believe will not.) Regardless of the client used, I agree 100% with your comments on using open protocols such as matrix.org; that's going to be the future! Kudos!


vector.im looks cool, thanks for that :) Will be following it.

But man, that is one hard-to-use (browser) client.

