← Back to context

Comment by skiing_crawling

1 day ago

I never questioned or thought twice about F-Droid's trustworthiness until I read that. It makes it sound like a very amateurish operation.

I had passively assumed something like this would be a Cloud VM + DB + buckets. The "hardware upgrade" they are talking about would have been a couple clicks to change the VM type, a total nothingburger. Now I can only imagine a janky setup in some random (to me) guy's closet.

In any case, I'm more curious to know exactly what kind hardware is required for F-Droid, they didn't mention any specifics about CPU, Memory, Storage etc.

10 comments

skiing_crawling

Reply
AndrewDucker  1 day ago

For a single server why would you use cloud services rather than go the self-owned route?

  • skiing_crawling  1 day ago

    A "single server" covers a pretty large range of scale, its more about how F-droid is used and perceived. Package repos are infrastructure, and reliability is important. A server behind someone's TV is much more susceptible to power outages, network issues, accidents, and tampering. Again, I don't know that's the case since they didn't really say anything specific.

    > not hosted in just any data center where commodity hardware is managed by some unknown staff

    I took this to mean it's not in a colo facility either, assumed it mean't someone's home, AKA residential power and internet.

    • secabeen  18 hours ago

      The F-Droid repos are provided by redundant mirrors: https://f-droid.org/en/docs/Running_a_Mirror/

      If this is the hidden master server that only the mirrors talk to, then it's redundancy is largely irrelevant. Yes, if it's down, new packages can't be uploaded, but that doesn't affect downloads at all. We also know nothing about the backup setup they have.

      A lot depends on the threat model they're operating under. If state-level actors and supply chain attacks are the primary threats, they may be better off having their system under the control of a few trusted contributors versus a large corporation that they have little to no influence over.

      1 reply →

    • AndrewDucker  1 day ago

      Ah. I took "not just any data center" to mean "in a specific co-location facility where they trust the person responsible for it".

      I agree that "behind someone's TV" would be a terrible idea.

lrvick  1 day ago

> It makes it sound like a very amateurish operation.

Wait until you find out how every major Linux distributions and software that powers the internet is maintained. It is all a wildly under-funded shit show, and yet we do it anyway because letting the corpos run it all is even worse.