Posts: 176 | Thanked: 122 times | Joined on Apr 2010
#1
Hi everybody, I've been using Jolla for almost a week now, and have not installed anything outside of harbour.
There're a few apps I'd like to try on OpenRepos, but I still did not get what the benefits of this repository over Jolla are.
  1. Some apps are on both repositories, am I wrong?
  2. OpenRepos is like F-Droid is for Android, is it right (source code available)?
  3. Can OpenRepos compromise Jolla in some way? I mean, updates, security, and so on.
Thanks.
 
Posts: 103 | Thanked: 162 times | Joined on Jan 2010 @ Germany
#2
1. Yes. AFAIK it is faster to release a new version of a program on open repos. So you can better test unstable beta versions. In the Jolla store every program has to be approved...
 

The Following 2 Users Say Thank You to sbock For This Useful Post:
Posts: 728 | Thanked: 1,217 times | Joined on Oct 2011
#3
Originally Posted by magullo
Some apps are on both repositories, am I wrong?
Possibly.
Originally Posted by magullo
OpenRepos is like F-Droid is for Android, is it right (source code available)?
Not necessarily - binaries can also be uploaded.
Originally Posted by magullo
Can OpenRepos compromise Jolla in some way? I mean, updates, security, and so on.
OpenRepos doesn't have any QA, restrictions or anything - if an API is being used that is going to be removed in a future update, then that application will stop working/hang your device/etc.
 

The Following 2 Users Say Thank You to ggabriel For This Useful Post:
Posts: 747 | Thanked: 2,370 times | Joined on May 2012 @ Moscow, Russia
#4
Originally Posted by magullo
1) Some apps are on both repositories, am I wrong?
Yes, apps can be in both 'stores'.

Originally Posted by magullo
2) OpenRepos is like F-Droid is for Android, is it right (source code available)?
No, Open like 'free beer', everybody can publish applications here. Some apps have source code available, others - don't.

Originally Posted by magullo
3) Can OpenRepos compromise Jolla in some way? I mean, updates, security, and so on.
As @ggabriel mentioned, currently OpenRepos doesn't have any QA, restrictions or anything like that.
Refer to publisher reputation, application rating, and comments as a measurement tool.

In general words: if someone with bad intentions uploads malware, it can damage/compromise your Jolla/information. This can also happen with the official store, since there is only binary package upload.
__________________
twitter: @basil_s home: http://thecust.net
OpenRepos.net - community driven repository project. Warehouse - native client for OpenRepos.net
Buy me a beer

Last edited by Custodian; 2014-03-13 at 14:10.
 

The Following 10 Users Say Thank You to Custodian For This Useful Post:
Posts: 2 | Thanked: 0 times | Joined on Mar 2014 @ Prague
#5
Originally Posted by magullo
  • Can OpenRepos compromise Jolla in some way? I mean, updates, security, and so on.
Rest was sufficiently explained, will just add a little bit more scary stuff regarding OpenRepos. Thanks to no policies and no QA, you can upload an rpm there that does pretty much anything. You completely trust the packager and OpenRepos, as during installation the package has root privileges on your phone - it can brick it if it decides to.

Also AFAIK rpms from OpenRepos are not signed so if some attacker gets access to the server, he can infect popular rpms without developers knowing.

So, good intentions and given Jolla store policies and such really useful, but potentially big security hole.
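
An added example, not part of the post above or of any OpenRepos/Jolla tooling: a small Python check that reads an RPM's signature header and reports whether it carries a cryptographic signature or only digests, which is the difference the post describes. The tag numbers are rpm's own signature tags; the sample packages are constructed in the code, not real ones.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
# Signature-header tags that hold a cryptographic signature.
SIGNATURE_TAGS = {267: "DSA (header)", 268: "RSA (header)",
                  1002: "PGP (header+payload)", 1005: "GPG (header+payload)"}
# Digest/size tags: they catch corruption, not a server-side replacement.
DIGEST_TAGS = {269: "SHA1", 273: "SHA256", 1000: "size", 1004: "MD5"}


def signature_tags(rpm_bytes):
    """Return the tag numbers listed in the RPM signature header."""
    if rpm_bytes[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    intro = rpm_bytes[96:112]        # 96-byte lead, then 16-byte header intro
    if len(intro) < 16 or intro[:4] != HEADER_MAGIC:
        raise ValueError("missing or corrupt signature header")
    nindex, _hsize = struct.unpack(">II", intro[8:16])
    index = rpm_bytes[112:112 + 16 * nindex]
    if len(index) != 16 * nindex:
        raise ValueError("truncated signature index")
    # Each index entry is (tag, type, offset, count), big-endian 32-bit.
    return [struct.unpack(">IIII", index[i:i + 16])[0]
            for i in range(0, len(index), 16)]


def classify(rpm_bytes):
    """Return (has_signature, signature kinds, digest kinds)."""
    tags = signature_tags(rpm_bytes)
    sigs = sorted(SIGNATURE_TAGS[t] for t in tags if t in SIGNATURE_TAGS)
    digests = sorted(DIGEST_TAGS[t] for t in tags if t in DIGEST_TAGS)
    return bool(sigs), sigs, digests


def build_sample(tags):
    """Constructed input: lead + signature header with dummy 4-byte values."""
    lead = LEAD_MAGIC + bytes([3, 0]) + bytes(90)
    entries = b"".join(struct.pack(">IIII", t, 7, 4 * i, 4)   # type 7 = BIN
                       for i, t in enumerate(tags))
    store = bytes(4 * len(tags))
    intro = HEADER_MAGIC + bytes(4) + struct.pack(">II", len(tags), len(store))
    return lead + intro + entries + store


if __name__ == "__main__":
    print(classify(build_sample([1000, 1004, 269])))        # digests only
    print(classify(build_sample([1000, 1004, 269, 268])))   # has an RSA tag
```

This only reports that a signature is present; checking it against a key you trust is what `rpm -K` does once the packager's public key has been imported.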
 
Posts: 2,076 | Thanked: 3,268 times | Joined on Feb 2011
#6
Originally Posted by -miska-
Also AFAIK rpms from OpenRepos are not signed so if some attacker gets access to the server, he can infect popular rpms without developers knowing.

So, good intentions and given Jolla store policies and such really useful, but potentially big security hole.
Not sure if I get that part, you mean someone hacks openrepos? What if someone hacks harbour? You get the assumed signatures from harbour, so if that fails you will be getting malware from there as well. Or is there some American company that signs those, would be even more scared

Best way to look at it is: treat openrepos as extras-devel (hopefully source submissions will become required and only built on OR things get there, like the -devel from fremantle, so you can always download the source and build it yourself after review if you have doubts), if you recognize the author and trust him, no problem, if not, there are risks involved

Last edited by szopin; 2014-03-20 at 00:24.
 
Posts: 144 | Thanked: 242 times | Joined on Nov 2007 @ Finland
#7
Harbour QA does not guarantee an application is not malicious. It can't unless they start to require source and review it. That would be too costly even in theory and it would kill the whole Jolla (store).

I hope openrepos will never start requiring source code submission or build on as that would only cause yet another "open repository" to pop up. I know there are risks and I know the typical consumer does not recognize those risks.
 

The Following User Says Thank You to Penguin For This Useful Post:
Posts: 6,436 | Thanked: 12,701 times | Joined on Nov 2011 @ Ängelholm, Sweden
#8
Openrepos will have types of repositories: public, paid and obs. The first two are uploaded as rpm, sources can/not be provided, the last one is packages synced with the author's obs repo. And in all repositories packages with negative marks will be unpublished automatically.

You need to understand, there are many ideas about openrepos, but they can't be implemented too fast
__________________
Telegram | Openrepos | GitHub | Revolut donations
 

The Following 2 Users Say Thank You to coderus For This Useful Post: