
    Differences between Harbour and OpenRepos

    magullo | # 1 | 2014-03-13, 12:10 | Report

    Hi everybody, I've been using Jolla for almost a week now, and have not installed anything outside of harbour.
    There are a few apps I'd like to try on OpenRepos, but I still did not get what the benefits of this repository over Jolla are.
    1. Some apps are on both repositories, am I wrong?
    2. OpenRepos is like F-Droid is for Android, is it right (source code available)?
    3. Can OpenRepos compromise Jolla in some way? I mean, updates, security, and so on.
    Thanks.


     
    sbock | # 2 | 2014-03-13, 12:34 | Report

    1. Yes. AFAIK it is faster to release a new version of a program on open repos. So you can better test unstable beta versions. In the Jolla store every program has to be approved...

    The Following 2 Users Say Thank You to sbock For This Useful Post:
    magullo, TeHeR

     
    ggabriel | # 3 | 2014-03-13, 12:35 | Report

    Originally Posted by magullo View Post
    Some apps are on both repositories, am I wrong?
    Possibly.
    Originally Posted by magullo View Post
    OpenRepos is like F-Droid is for Android, is it right (source code available)?
    Not necessarily - binaries can also be uploaded.
    Originally Posted by magullo View Post
    Can OpenRepos compromise Jolla in some way? I mean, updates, security, and so on.
    OpenRepos doesn't have any QA, restrictions or anything - if an API is being used that is going to be removed in a future update, then that application will stop working/hang your device/etc.

    The Following 2 Users Say Thank You to ggabriel For This Useful Post:
    magullo, TeHeR

     
    Custodian | # 4 | 2014-03-13, 14:00 | Report

    Originally Posted by magullo View Post
    1) Some apps are on both repositories, am I wrong?
    Yes, apps can be in both 'stores'.

    Originally Posted by magullo View Post
    2) OpenRepos is like F-Droid is for Android, is it right (source code available)?
    No, Open like 'free beer', everybody can publish applications here. Some apps have source code available, others - don't.

    Originally Posted by magullo View Post
    3) Can OpenRepos compromise Jolla in some way? I mean, updates, security, and so on.
    As @ggabriel mentioned, currently OpenRepos doesn't have any QA, restrictions or anything like that.
    Refer to publisher reputation, application rating, and comments as a measurement tool.

    In general words: if someone with bad intentions uploads malware, it can damage/compromise your Jolla/information. This also can happen with the official store, since there is only binary package upload.


    Last edited by Custodian; 2014-03-13 at 14:10.
    The Following 10 Users Say Thank You to Custodian For This Useful Post:
    imaginaryenemy, Jordi, magullo, nodevel, ranbaxy, Schturman, szopin, TeHeR, ZogG

     
    -miska- | # 5 | 2014-03-19, 22:50 | Report

    Originally Posted by magullo View Post
    • Can OpenRepos compromise Jolla in some way? I mean, updates, security, and so on.
    The rest was sufficiently explained, I will just add a little bit more scary stuff regarding OpenRepos. Thanks to no policies and no QA, you can upload an rpm there that does pretty much anything. You completely trust the packager and OpenRepos, as during installation the package has root privileges on your phone - it can brick it if it decides to.

    Also AFAIK rpms from OpenRepos are not signed so if some attacker gets access to the server, he can infect popular rpms without developers knowing.

    So, good intentions and given Jolla store policies and such really useful, but potentially big security hole.

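The unsigned-package concern raised in post #5 can be checked on a downloaded file before installing it. The following is an added example, not part of any post in this thread: it reads the RPM signature header and reports whether it lists an OpenPGP signature or only digests. The function names and the constructed sample bytes are assumptions for illustration, and the presence of a signature tag does not show that the signature verifies or whose key made it.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"    # first bytes of the 96-byte RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header structure magic + version 1
# Signature-header tags that carry an OpenPGP signature (values from rpm's rpmtag.h).
SIGNATURE_TAGS = {267: "DSA (header)", 268: "RSA (header)",
                  1002: "PGP (header+payload)", 1005: "GPG (header+payload)"}
# Size and digest tags: they catch corruption, but anyone who can replace the
# file on the server can recompute them.
DIGEST_TAGS = {269: "SHA1", 273: "SHA256", 1000: "SIZE", 1004: "MD5"}


def signature_tags(rpm_bytes):
    """Return (signatures, digests) listed in the RPM signature header."""
    if len(rpm_bytes) < 112 or rpm_bytes[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file")
    pos = 96  # the signature header follows the fixed-size lead
    if rpm_bytes[pos:pos + 4] != HEADER_MAGIC:
        raise ValueError("signature header not found")
    # 4 reserved bytes, then index entry count and data store size (big-endian)
    n_index, _store_size = struct.unpack(">II", rpm_bytes[pos + 8:pos + 16])
    index = rpm_bytes[pos + 16:pos + 16 + 16 * n_index]
    if len(index) != 16 * n_index:
        raise ValueError("truncated signature index")
    signatures, digests = [], []
    for i in range(n_index):
        # each index entry is (tag, type, offset, count); only the tag matters here
        tag = struct.unpack(">I", index[16 * i:16 * i + 4])[0]
        if tag in SIGNATURE_TAGS:
            signatures.append(SIGNATURE_TAGS[tag])
        elif tag in DIGEST_TAGS:
            digests.append(DIGEST_TAGS[tag])
    return signatures, digests


def build_sample(tags):
    """Constructed input: a lead plus a signature header whose index lists `tags`."""
    index = b"".join(struct.pack(">IIII", t, 7, 0, 16) for t in tags)
    return (LEAD_MAGIC + bytes(92) + HEADER_MAGIC + bytes(4)
            + struct.pack(">II", len(tags), 16) + index + bytes(16))


if __name__ == "__main__":
    samples = {"digests only": [62, 1000, 1004, 269],
               "RSA-signed": [62, 268, 269, 1000, 1004]}
    for name, tags in samples.items():
        signatures, digests = signature_tags(build_sample(tags))
        print(f"{name}: signatures={signatures or 'NONE'} digests={digests}")
```

To audit a real download, pass the file's bytes to `signature_tags`; an empty first list means the package carries integrity digests only.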

     
    szopin | # 6 | 2014-03-20, 00:19 | Report

    Originally Posted by -miska- View Post
    Also AFAIK rpms from OpenRepos are not signed so if some attacker gets access to the server, he can infect popular rpms without developers knowing.

    So, good intentions and given Jolla store policies and such really useful, but potentially big security hole.
    Not sure if I get that part, you mean someone hacks openrepos? What if someone hacks harbour? You get the assumed signatures from harbour, so if that fails you will be getting malware from there as well. Or is there some American company that signs those, would be even more scared.

    Best way to look at it is: treat openrepos as extras-devel (hopefully source submissions will become required and only built on OR things get there, like the -devel from fremantle, so you can always download the source and build it yourself after review if you have doubts), if you recognize the author and trust him, no problem, if not, there are risks involved


    Last edited by szopin; 2014-03-20 at 00:24.

     
    Penguin | # 7 | 2014-03-20, 08:45 | Report

    Harbour QA does not guarantee that an application is not malicious. It can't unless they start to require source and review it. That would be too costly even in theory and it would kill the whole Jolla (store).

    I hope openrepos will never start requiring source code submission or build on as that would only cause yet another "open repository" to pop up. I know there are risks and I know the typical consumer does not recognize those risks.

    The Following User Says Thank You to Penguin For This Useful Post:
    ranbaxy

     
    coderus | # 8 | 2014-03-20, 11:39 | Report

    Openrepos will have types of repositories: public, paid and obs. The first two are uploaded as rpm, sources can/not be provided, the last one is packages synced with the author's obs repo. And in all repositories packages with negative marks will be unpublished automatically.

    You need to understand, there are many ideas about openrepos, but they can't be implemented too fast.

    The Following 2 Users Say Thank You to coderus For This Useful Post:
    rcolistete, Watchmaker

     