How safe are apps from OpenRepos

In much of the advice regarding SFOS apps, users recommend apps from OpenRepos.

How safe is it to install them? I am using SFOS on my everyday phone and I do not want to have problems. It is not only about viruses and data privacy; I am even more sceptical about apps that can mess up the phone because of low quality. In fact, I can imagine that every app installs its own libraries which cannot be easily removed and maybe even replace the system ones.

EDITED:
Why is there no app for OpenRepos in the Jolla store? What is the preferred workflow to install an app from OpenRepos?

3 Likes

About as safe as installing third party software on any OS, you have to use common sense.

I can imagine that every app installs its own libraries which cannot be easily removed and maybe even replace the system ones.

Not really. In reality there are few apps which need to install their own custom or modified libraries, mainly the odd browser for things like Gecko upgrades.

The thing with Sailfish users is we are all enthusiasts or Linux users/fans of some sort. Naturally you should be cautious, but I think at the moment there is a level of trust between users and developers which no one would dare break at the risk of damaging the platform's image.

If you want maximum security I would recommend building any apps which are open source yourself, or if any are closed source, like my own, talk to the developer. I for one am 100% honest with any answers and think other developers would be too.

7 Likes

On the other hand: what else do we have? The Jolla store is nice, but all the useful and necessary apps (imo) are on OpenRepos. Personally, I install only open source; however, I don’t skim through every code base. There is a certain risk to it.

I find this discussion a bit strange. Anyone who downloads any apps from the Internet is affected. In some operating systems (everyone can imagine which one is meant) there is even a risk by design. Still, everyone wants to use it.

Some of us start with the danger in the first few minutes. SFOS cannot be installed because a driver does not work? No problem, a friend of mine knows at least 5 dubious sources to get the driver and some users follow the friend’s suggestion. Sometimes even the registry of the system has to be manipulated and there are no concerns about damaging the operating system. There are millions of websites that offer programs and their origin is doubtful. These programs are used. So, greed eats the brain. That’s life!

There is a long discussion about good or bad quality of the apps in OpenRepos or the Jolla Store. Both are everywhere. The advantage of OpenRepos is the availability of the source code. Anyone who is interested has the option of checking the code and also making changes to the program themselves. Apps from the store are mostly closed source. Why should I trust them when I have no control? Jolla is testing for me, but what? Nobody controls every single line of code. This is an automated process for which Jolla sets the rules. Can I trust Jolla? The question must also be asked if you are concerned about OpenRepos. However, open source has the idea “trust is good, control is better”. This is also the philosophy of Linux and SFOS is a Linux derivative. Without this trust, there would be no SFOS. Consequently, there is an external repository for software (called OpenRepos) to fulfill the desire for control.

Besides, without additional apps from OpenRepos, SFOS would never have been my everyday phone. Popular and high quality examples are e.g. image processors, navigation, Aliendalvik Control, patches and some tools that allow me to control the processes. Without this support from the community, I would have deleted SFOS a long time ago.

10 Likes

Thank you very much for your comment. I didn’t know that submitting the complete source code is required for publishing in OpenRepos.

It’s not required; it’s completely at the developer’s discretion.

1 Like

Apps from the Jolla Store and OpenRepos both use the same package management system so there’s no real danger of libraries being overwritten or not being deleted after the app gets removed.

Yes, malicious actors could potentially circumvent these safeguards or hide something sinister inside their apps but I doubt the checks required to publish to the Jolla Store would stop a determined attacker either.

2 Likes

This is so true.
I don’t know a single SFOS user who would not consider OpenRepos as their primary source for apps.

1 Like

Hm, now I have an additional question. Why is there no app for OpenRepos in the Jolla store? What is the preferred workflow to install an app from OpenRepos?

1 Like

Because of strange restrictions that often don’t make any sense.

4 Likes

My preferred workflow would probably be something like this:

Settings > Untrusted software > allow untrusted software

Download and install Storeman RPM:
https://openrepos.net/content/osetr/storeman

7 Likes

And afterwards
Settings > Untrusted software > DISallow untrusted software

You will only need that if you want to install as a user by clicking on the + (install) after selecting this from the settings transfer.

If you use the CLI (devel-su), there is no need to change this setting.

2 Likes
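For the workflow above (download the RPM, then install it via the untrusted-software switch or from the CLI with devel-su) and the earlier point that both stores use the same package manager, here is an added example of what a cautious user can do between the download and the install. It is not from the thread and not part of Storeman; it uses the standard `rpm` query options to show the package's signature status, install scriptlets, dependencies and the files it would drop into system directories, before anything is installed. The helper names and the directory list are my own, and the package path is assumed to be a locally downloaded file.

```shell
#!/bin/sh
# Added example: inspect a downloaded RPM before installing it on Sailfish OS.
# Helper names (flag_system_paths, inspect_rpm) and SYSTEM_DIRS are assumptions;
# the rpm options used (-K, -qp --scripts, -qp --requires, -qpl) are standard rpm.

# Directories a normal user app has no business writing to (constructed list).
SYSTEM_DIRS='/lib /lib64 /usr/lib /usr/lib64 /usr/libexec /etc /sbin /usr/sbin /boot'

# Read file paths on stdin, one per line as `rpm -qpl` prints them, and echo the
# ones that land under a system directory. Returns 0 if nothing was flagged,
# 1 if at least one path was, so it can be used directly in an `if`.
flag_system_paths() {
    found=0
    while IFS= read -r path; do
        for dir in $SYSTEM_DIRS; do
            case "$path" in
                "$dir"/*) echo "$path"; found=1; break ;;
            esac
        done
    done
    return $found
}

# Print the four things worth reading before `pkcon install-local`:
# signature/digest status, root-executed scriptlets, dependencies, system paths.
inspect_rpm() {
    pkg="$1"
    [ -f "$pkg" ] || { echo "no such file: $pkg" >&2; return 2; }

    echo "== signature / digest check"
    rpm -K "$pkg" || echo "WARNING: rpm -K did not pass cleanly (missing key, bad signature or bad digest)"

    echo "== install-time scriptlets (these run as root during install)"
    rpm -qp --scripts "$pkg"

    echo "== dependencies the package pulls in"
    rpm -qp --requires "$pkg"

    echo "== files landing in system directories"
    if rpm -qpl "$pkg" | flag_system_paths; then
        echo "(none)"
    fi
}

# Usage: sh inspect_rpm.sh ./harbour-storeman.rpm
if [ $# -gt 0 ]; then
    inspect_rpm "$1"
fi
```

Once the output looks sane, the CLI install from the thread is simply `devel-su pkcon install-local ./package.rpm`, which does not require toggling the untrusted-software setting. A few files under `/usr/lib` are normal for an app that ships a private library, as the browser example in the thread shows; what the check surfaces is a package that overwrites a library path the system already owns, which you can confirm afterwards with `rpm -qf /usr/lib/<file>` to see which installed package claims it.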