2025-07-16
I understand that you can't utilize F-Droid, but have you considered Accrescent as an alternative to the Play Store for distribution of the install package? It's an available source repository for those using GrapheneOS as an AOSP alternative.
@Serotonus
I installed Accrescent and... It seems Accrescent is still in the alpha stage of development, and its repository is literally 20 programs? I mean, it's almost empty.
I don't think it's right to support a project at such an early stage.
The Brave browser created its own three-channel F-Droid-compatible repository in May 2025 (for stable, beta, nightly). Imho, creating F-Droid-compatible repositories on its own resources, on its own servers, is a healthier idea. At least the technology is well established and there are plenty of F-Droid clients for all tastes.
@far4 said in Alternative package source via Accrescent:
@Serotonus
The only problem with F-Droid is that it has severe security issues (though it should be noted not all security issues would apply to a third-party repo; mainly only the client-side security issues would be relevant here) and heavily breaks the Android security model with things like third-party repos. I would like to clarify I am not saying I am against an official F-Droid third-party repo as an alternative, but it really shouldn't be the main alternative.
However, having said that, I do agree: while Accrescent is doing fine, it is still not mature enough to be considered a viable option either. It has the potential to become a good option, but I really wouldn't say it's there yet.
My suggestion would be to create a lightweight and efficient updater for Vivaldi (as a companion app, not patched into the browser, as that would be unnecessary complexity and unnecessary attack surface as well) that does take appropriate security measures and does not break the security model. This suggestion could be considered a bit extreme, but it would also likely offer the highest security and privacy (and possibly stability?) guarantees out of any option, since the Vivaldi devs could have very good control over how it works on both the client side and the server side, since they could develop both ends.
The main application that comes to my mind when thinking about this is FFUpdater.
Though I am not saying I inherently trust or distrust this application. It seems to take some decent security measures (though on an unrelated note I gotta say I do disagree with the developer's opinionated approach to categorizing browsers and intentionally leaving out the security issues with Gecko-based browsers right now).
Anyways. We will see what they do. The only really viable way to download Vivaldi without the presence of the Play Store currently is to just use RSS feeds. Which is not ideal as that is significantly more user input for no real security benefit UNLESS you are willing to manually verify the application yourself which I would assume most are not.
@Roxypock said in Alternative package source via Accrescent:
Only problem with F-Droid is that it has severe security issues
Please, the details.
I am curious about
Generally speaking, what difference does it make where you download the file from, as long as the integrity and originality of the APK file are verified by the signature? (...and the firmware has not been modified to disable signature verification.) If the APK file is broken or a mod, it will simply not install as an update.
In addition, any user should learn how to check the APK signature manually, and remember the SHA-256 of the original signature (not necessarily completely, by heart; that's unrealistic, but at least to the extent of being able to suspect that something is wrong).
@far4 said in Alternative package source via Accrescent:
Please, the details.
I am curious about
Well, ignoring how terribly maintained their server infrastructure is, since it isn't relevant here, as Vivaldi would not be hosted on their infrastructure (if you want to learn about that, feel free to research it):
- The app often falls terribly behind in complying with actual Android security improvements (they should really make Basic the new default for this reason, since this has been known to confuse users).
- They still don't have important functioning security features such as certificate pinning (though they are trying to implement this one but are having technical difficulties).
Furthermore, this is relatively impossible to implement in a reasonably secure manner due to the ability to add third-party repositories.
They also don't pin app signing keys, which would mitigate most trust issues. This is once again impossible to implement in a reasonably secure manner due to the ability to add third-party repositories.
There is likely more, but these are the main things that would affect Vivaldi's repository, due to them being an unsolvable fault of... well, not really anybody; it's kind of just the unfortunate reality that the user being able to have the freedom to add third-party repositories creates a lot of security holes.
@far4 said in Alternative package source via Accrescent:
Generally speaking, what difference does it make where you download the file from, as long as the integrity and originality of the APK file are verified by the signature? (...and the firmware has not been modified to disable signature verification.) If the APK file is broken or a mod, it will simply not install as an update.
This is correct. If the signature is intact, there is nothing to worry about. However, that is the point of the security features I have mentioned above: to help make sure that signature is intact and legitimate. Though these features are admittedly more effective if the store in question is pre-installed on a device or can be installed by a pre-installed store with the same features, as it strengthens the chain of trust and verification. But regardless of how the store is installed, these features are still important to have.
@far4 said in Alternative package source via Accrescent:
In addition, any user should learn how to check the APK signature manually, and remember the SHA-256 of the original signature (not necessarily completely, by heart; that's unrealistic, but at least to the extent of being able to suspect that something is wrong).
I don't disagree here; it is naturally good practice. That would mostly eliminate the need for these security features, since it eliminates the TOFU issue. However, the reality is most users aren't people who want to learn about this stuff and just want a device that works. Which is why the features I mentioned are very important, as they help do this for the user. Furthermore, if you wanted to go this route, it would make more sense to manually install and update from Vivaldi's website every time rather than use F-Droid.
It is true that digital security is a systematic disaster and failure and the only companies that have been improving it significantly have been Apple and Google.
So while I do agree that users should learn at the same time I think it is reasonable of them to expect to be reasonably secure without such knowledge. Some people just simply want to enjoy time with friends and get stuff done. Not worry about how to stay safe online.
I would like to clarify again I am not against them making a third-party F-Droid repo. I just really don't like how F-Droid's security issues are commonly ignored like it's some holy grail just because it respects privacy and is open source. If someone wants to host their app on F-Droid or a third-party F-Droid repo, sure! It's always good to have more ways to access your app. But that doesn't mean its flaws should be ignored. No, they should be properly acknowledged and listed.
I mean, F-Droid isn't even the worst option. Matter of fact, if you choose the Basic version, manually verify it, remove its repository, only manually update F-Droid, and only use third-party repos (with actually good security standards), it is actually above most app sources in regards to security, since it does still at least have some form of verification with its repository signing. Though this also suffers from the trust-on-first-use issue as well. Though it should be easier to verify at the same time.
However be that as it may it just falls back to the point of most simply will not do that.
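The manual signature check far4 describes and the signing-key pinning Roxypock says a store should do, combined as an added shell example (not code from this thread, from Vivaldi, or from F-Droid): it assumes the Android SDK build-tools `apksigner` is on PATH, and the pinned digest is a placeholder you would replace with the value recorded at the first manually verified install.

```shell
#!/bin/sh
# Added example: pin a known signing-certificate SHA-256 so an APK update is
# only accepted when its signer matches the one verified on first install.
# Assumes `apksigner` (Android SDK build-tools) is on PATH. The pin below is
# a constructed placeholder, not a real digest for any app.

PINNED_SHA256="PLACEHOLDER_SHA256_FROM_FIRST_VERIFIED_INSTALL"

# Read `apksigner verify --print-certs` output on stdin and print only the
# hex of the "Signer #1 certificate SHA-256 digest" line, lowercased.
extract_signer_sha256() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*/\1/p' \
        | tr 'A-F' 'a-f' | head -n 1
}

# Return 0 only when a non-empty digest equals the pin (case-insensitive).
# An empty digest (no signer line found) is a failure, never a match.
digest_matches_pin() {
    actual=$1
    pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$pinned" ]
}

# Full check: apksigner verifies the APK signature itself (non-zero exit on a
# broken or tampered file), then the signer must equal the pin. Any failure
# means the file must not be installed.
verify_apk_pin() {
    apk=$1
    pin=$2
    out=$(apksigner verify --print-certs "$apk") || {
        echo "REJECT: signature invalid on $apk" >&2
        return 1
    }
    actual=$(printf '%s\n' "$out" | extract_signer_sha256)
    if digest_matches_pin "$actual" "$pin"; then
        echo "OK: $apk signer matches pin"
    else
        echo "REJECT: $apk signer '$actual' does not match pin" >&2
        return 1
    fi
}

# Usage: verify_apk_pin vivaldi-update.apk "$PINNED_SHA256"
```

The pin removes the trust-on-first-use gap only for updates; the first install still has to be verified by hand, which is the step the thread says most users skip.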