Newpipe

NahMarcas@lemmy.ml · 1 day ago

Newpipe

merde alors@sh.itjust.works · edit-2 1 day ago

~~it’s on there. did you sync/refresh after adding the repo?~~

tetris11@lemmy.ml · 1 day ago

Not OP, but can also confirm it’s not there.

My current version is
Version 0.27.4 org.schabi.newpipe

Rotating does nothing

merde alors@sh.itjust.works · edit-2 1 day ago

i’m on droidify, started using obtainium for newpipe after the last “google breaks newpipe” (because it takes repositories some time to add the new updates)

than what i see in there is my obtainium update (?)

tetris11@lemmy.ml · 1 day ago

I stay well clear of obtanium. Github releases are not the source-reproducible binaries they sometimes pretend to be. There’s no QC whatsoever.

I’ll stick with the F-droid vetting. It’s not perfect, but it’s enough

N0x0n@lemmy.ml · 6 hours ago

Care to elaborate? I do not fully understand the meaning of your claim :/. I use Obtainium for everything and haven’t had any issues until now.

Still curious from your perspective the meaning of what you said.

tetris11@lemmy.ml · 6 hours ago

not the best resource, but:

https://security.stackexchange.com/questions/200029/upload-malware-to-f-droid-repo#200043

we don’t audit every single app that makes it into the store. But we do make sure that everything is free software, and do test/investigate to a certain degree.

From what I understand, F-droid regularly audits a few new apps for malicious code, and always makes sure that the source built the binary.

With Github releases, maybe some of these binaries are generated by CI, but I’m betting more that they’re generated locally in dev and then uploaded to Github as direct releases. That is, the source you see on a repo on Github is not neccesarily the same source used to generate their binaries.

To me that’s a wide angle of attack, and that’s why I stick with F-droid, even if it’s minimal checking.

N0x0n@lemmy.ml · 3 hours ago

From what I understand, F-droid regularly audits a few new apps for malicious code

That’s a good point, but how can a malicious code be add to a source code from github? I mean if you only use trusted applications repos (most of them are already on f-droid anyway) there shouldn’t be any concern right?

But reading from the link you posted there’s some chance of a MITM attack and send a malicious payload directly to Obtainium? (Correct me if I’m wrong).

Github is not neccesarily the same source used to generate their binaries.

Didn’t knew that :/

Thanks for sharing your knowledge !

tetris11@lemmy.ml · edit-2 1 hour ago

Welcome!

I mean if you only use trusted applications repos

Trusting an application means trusting every developer who has contributed to its codebase. The XZ attack showed that it just takes one pushy contributor to completely expose an attack surface.

The only thing you can really trust is applications that you build yourself and can personally vet the source for. No one does that of course, so we place some trust in authorized developers (e.g. archlinux-keyring) who have been vetted by their various organisations. With Github, no such vetting occurs, it’s just some guy/girl hosting their code.

MITM attack to Obtainium

I have to admit I don’t know much about the security that Obtainium uses. I’m hoping everything is TLS certified to make MITM difficult, but I don’t know those details. All I do know is that you’re getting binaries hosted by someone on github who might have zero cred in FOSS circles.