Comment by weikju
15 days ago
This is addressed in the article as well, and while there's no technical reason they couldn't do this, it would break the licensing of the apps as well as the dangers of centralizations mentioned by a sibling reply.
> The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.
Oh... this makes things much clearer to me actually. The issue is that you don't want apps that impersonate other apps showing up. For example, if someone put an app in another market that could sideload to impersonate Facebook's intents and do evil-maid type things. In the new system it would become very difficult to install a fake Facebook that is able to convince other apps that it is in fact Facebook's own app. Google's announcement can be seen as them operating essentially like DNS for app ids and intents and making things safer for a multi-app-store universe.
For example, there is an annoyance that happens sometimes with apps that are distributed in both F-Droid and Play Store related to updates. F-Droid and Play Store will think they both can update the app (they have the same tld.what.ever identifier) but the signing keys only match the store they were installed from. I think F-Droid is now a bit more careful about this and only tries ones it has specifically installed. This is different... but somewhat related.
F-Droid in general is a model good actor as far third-party app stores go, but from the perspective that malicious app stores might exist you would want to try and isolate apps from each other (and prevent unauthorized re-distribution of tampered versions etc). I think what Google is doing forces apps in each store to be cleanly namespaced from each other and prevent collisions (accidental or otherwise). This lets each app store tend and be responsible for its own walled garden.
F-droid only distributes apps it builds (unless you add an additional repository). The official F-droid repository only contains code they build from source. You can't upload binaries/bytecode to the official F-droid repo.
I am well aware of that? What does that change?
That makes a lot of sense. Unfortunate indeed that Google would be the sole arbiter of that “DNS”, but that explanation was pretty good
f-droid could distribute their apps with a different identifier.
That might be the least-worst option here.