this post was submitted on 29 Feb 2024
191 points (98.0% liked)

Open Source

31367 readers
63 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Amaterasu@lemmy.world 16 points 8 months ago* (last edited 8 months ago) (5 children)

Do we see this very often with APK repos? I mean, for those using Obtainium to download apps from Github can one get malware via malicious apks?

[–] Creat@discuss.tchncs.de 5 points 8 months ago

Of course you can. The actual question is: do you trust the author(s) of the repositories you're pulling the APKs from? Including that they are keeping the repo secure from malicious influences? If the answer is "no", then you shouldn't add the repo, obviously. Every repository acts as an individual trust anchor. Unlike F-Droid or the play store, where the store itself acts as the trust anchor (or should, at least)

To be clear, I'm using obtainium for quite a few apps, but I'm rather rather careful which I add there and what apps I'm getting elsewhere.

[–] erAck@discuss.tchncs.de 2 points 8 months ago

If you installed the original legit package it can't be updated with such fake one (without uninstalling and installing the bad one) as the signatures won't match. If you initially install the bad package then yes of course.

[–] Quereller@lemmy.one 1 points 8 months ago

If possible I get the Git repo from the F-Droid entry for this app. And I usually look at the activities and commits. I hope that helps.

[–] Zerush@lemmy.ml 1 points 8 months ago

You can get malware with the download of any soft, independent of it is FOSS or not. The clue is that it is for crackers easier to infect OpenSource if the soft has a deficient maintenance or it is abandoned, as is seen a lot on GitHub with apps that have not been updated for several years, like sadly this one, which was a very good app.

There is a lot of misunderstanding regarding OpenSource, the meaning of this type of software is to allow collaborative development, not limited to a small group of a company's developers, as in the case of proprietary software, but as many believe, OpenSource is not a guarantee of security or privacy at all, this depends solely on the intentions of the author (not all of these are good guys) of this and that, as I said, that the software has maintenance and if possible an active community. Nothing worse than an abandoned and outdated OpenSorce, worse than an outdated proprietary soft.

It is essential in GitHub or another Git, to look at when it was last updated and, as in the case of any software, to review it with an AV before using or installing it and ALWAYS read the PP and TOS.

[–] delirious_owl@discuss.online -2 points 8 months ago

No, apt has signatures and a team of maintainers whose job it is to verify the packages match what the Dev produced