@ far4 said in Alternative package source via Accrescent:

Please, the details.

I am curious about

Well, ignoring how terribly maintained their server infrastructure is, since it isn't relevant here because Vivaldi would not be hosted on their infrastructure. (If you want to learn about that, feel free to research it.)

The app oftentimes falls terribly behind in complying with actual Android security improvements. (They should really make Basic the new default for this reason, since this has been known to confuse users.)

They still don't have important functioning security features such as certificate pinning (though they are trying to implement this one, but are having technical difficulties).

Furthermore, this is relatively impossible to implement in a reasonably secure manner due to the ability to add third-party repositories.

They also don't pin app signing keys, which would mitigate most trust issues. This is, once again, impossible to implement in a reasonably secure manner due to the ability to add third-party repositories.

There is likely more, but these are the main things that would affect Vivaldi's repository, due to them being an unsolvable fault of... well, not really anybody. It's kind of just the unfortunate reality that the user having the freedom to add third-party repositories creates a lot of security holes.

@ far4 said in Alternative package source via Accrescent:

Generally speaking, what difference does it make where you download the file from, as long as the integrity and originality of the apk file are verified by the signature? (...and the firmware has not been modified to disable signature verification.) If the apk file is broken or a mod, it will simply not install as an update.

This is correct. If the signature is intact, there is nothing to worry about. However, that is the point of the security features I have mentioned above: to help make sure that signature is intact and legitimate. Though these features are admittedly more effective if the store in question is pre-installed on a device, or can be installed by a pre-installed store with the same features, as that strengthens the chain of trust and verification. But regardless of how the store is installed, these features are still important to have.

@ far4 said in Alternative package source via Accrescent:

In addition, any user should learn how to check the apk signature manually, and remember the sha256 of the original signature - not necessarily completely, by heart, it's unreal, but at least to the extent of being able to suspect that something is wrong.

I don't disagree here; it is naturally good practice. That would mostly eliminate the need for these security features, since it eliminates the TOFU issue. However, the reality is most users aren't people who want to learn about this stuff; they just want a device that works. Which is why the features I mentioned are very important, as they help do this for the user. Furthermore, if you wanted to go this route, it would make more sense to manually install and update from Vivaldi's website every time rather than use F-Droid.

It is true that digital security is a systematic disaster and failure, and the only companies that have been improving it significantly have been Apple and Google.

So while I do agree that users should learn, at the same time I think it is reasonable of them to expect to be reasonably secure without such knowledge. Some people simply want to enjoy time with friends and get stuff done, not worry about how to stay safe online.

I would like to clarify again that I am not against them making a third-party F-Droid repo. I just really don't like how F-Droid security issues are commonly ignored, like it's some holy grail just because it respects privacy and is open source. If someone wants to host their app on F-Droid or a third-party F-Droid repo, sure! It's always good to have more ways to access your app. But that doesn't mean its flaws should be ignored. No, they should be properly acknowledged and listed.

I mean, F-Droid isn't even the worst option. Matter of fact, if you choose the Basic version, manually verify it, remove its repository, only manually update F-Droid, and only use third-party repos (with actually good security standards), it is actually above most app sources in regards to security, since it does still at least have some form of verification with its repository signing. Though this also suffers from the trust-on-first-use issue as well. Though it should be easier to verify at the same time.

However, be that as it may, it just falls back to the point that most simply will not do that.
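The manual check far4 describes above (compare the APK signing certificate's SHA-256 against a remembered value) and the trust-on-first-use point raised in reply, worked through as an added example that is not part of this thread or of any project mentioned in it: it parses the output of `apksigner verify --print-certs` (from the Android SDK build tools), normalises the digest, and pins it per app so a later update signed with a different certificate is refused rather than silently accepted. The sample output and its digests are constructed placeholders, not Vivaldi's real certificate, and the `apksigner` invocation in the usage block assumes the tool is on the reader's PATH.

```python
import re
import subprocess
import sys

# Constructed sample of `apksigner verify --print-certs` output. The digests are
# made-up placeholders, NOT any real publisher's signing certificate.
SAMPLE_APKSIGNER_OUTPUT = """\
Signer #1 certificate DN: CN=Example Publisher, O=Example, C=US
Signer #1 certificate SHA-256 digest: 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef
"""

DIGEST_RE = re.compile(r"^Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F:]+)\s*$", re.M)

def signer_sha256_digests(apksigner_output: str) -> list:
    """Each signer's certificate SHA-256 digest as lowercase hex without colons,
    so apksigner's 'abcd...' and keytool's 'AB:CD:...' compare equal."""
    return [m.group(1).replace(":", "").lower() for m in DIGEST_RE.finditer(apksigner_output)]

def check_pin(apksigner_output: str, pins: dict, app_id: str) -> str:
    """Trust-on-first-use pinning of an app's signing certificate.
    Returns 'pinned' on first sighting (the TOFU moment: only an out-of-band check
    against the publisher's published digest protects it), 'ok' when the signer
    matches the stored pin, and raises ValueError on anything suspicious."""
    digests = signer_sha256_digests(apksigner_output)
    if not digests:
        raise ValueError("no signer SHA-256 digest found; did apksigner verify succeed?")
    if len(set(digests)) != 1:
        raise ValueError(f"{app_id}: several distinct signers {digests}; inspect before trusting")
    digest = digests[0]
    if app_id not in pins:
        pins[app_id] = digest          # first use: record, but confirm this out of band
        return "pinned"
    if pins[app_id] != digest:
        raise ValueError(f"{app_id}: signing certificate changed (pinned {pins[app_id]}, got {digest})")
    return "ok"

if __name__ == "__main__":
    # Usage: python apk_pin.py <app id> <app.apk>; with no arguments the sample is used.
    if len(sys.argv) == 3:
        proc = subprocess.run(["apksigner", "verify", "--print-certs", sys.argv[2]],
                              capture_output=True, text=True, check=True)
        out, app_id = proc.stdout, sys.argv[1]
    else:
        out, app_id = SAMPLE_APKSIGNER_OUTPUT, "com.example.app"
    pins = {}                          # a real tool would persist this, e.g. as JSON
    print(check_pin(out, pins, app_id), check_pin(out, pins, app_id))  # prints: pinned ok
```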