It wants me to uninstall and reinstall since the signature of different, which makes sense as it from a different source, but it doesn’t mention anything in the changelog.

  • bbbhltz@beehaw.org
    link
    fedilink
    arrow-up
    12
    ·
    2 years ago

    Jerboa is provided by both repositories. Izzy’s pushed the update before F-Droid’s is all. You can switch to Izzy’s or wait or DL the apk from GitHub but signatures are different for all three.

    • chris2112@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      2 years ago

      Do you know why the signatures would be different? At my company we release our app on Google play, galaxy and Amazon store and I’m pretty sure we use the same signing key for each

      • Ɀeus@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        2 years ago

        because fdroid build all of their apps themselves, so every app on the fdroid repo uses the fdroid signing key

        • chris2112@lemmy.world
          link
          fedilink
          arrow-up
          0
          ·
          2 years ago

          Interesting, I was not aware of that. sounds like a security risk, as you don’t know who actually published it, but I guess since its open source that doesn’t really matter as much

          • Vittelius@feddit.de
            link
            fedilink
            arrow-up
            4
            ·
            2 years ago

            You know who published it. It’s the fdroid devs. Fdroid follows very much the old Linux repository philophosy where the owner of the repo acts as a middleman, providing the central layer of trust. You don’t have to trust the developers because the distributor has done their due diligence and checked it. That’s why fdroid takes a couple of days to push updates. They are doing some basic quality control first.

            This model made a lot of sense in the world of traditional Linux packaging, where every obscure distribution has their own package format and developers couldn’t possibly be expected to support all of these. It makes less sense on Android (or in a word where flatpak exists for that matter).

            • heeplr@feddit.de
              link
              fedilink
              arrow-up
              0
              arrow-down
              1
              ·
              edit-2
              2 years ago

              It makes less sense on Android

              Quite the opposite. From the user perspective, it’s much easier to trust the repository than trusting every single developer not losing their password. In case of OSS it also ensures reproducible builds.

          • Moonrise2473@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            2 years ago

            It’s actually the opposite, an evil developer could upload in GitHub an apk with malware not included in the source, while fdroid guarantees that it matches with the source published

  • jwt55@sh.itjust.works
    link
    fedilink
    arrow-up
    5
    ·
    2 years ago

    It didn’t change the repo. F-droid has always slower updates, because they’re compiling every app themselves. Izzy is release directly from app developer, so it’s newer. I’d stick to F-droid, so app dev can’t push anything malicious in the official app build.

  • XioR112@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    2 years ago

    They didn’t change the repo, it’s just on both and f-droid repo updates slower.

  • Triple Underscore@lemmynsfw.com
    link
    fedilink
    arrow-up
    1
    ·
    2 years ago

    F-Droid often takes a while to update as they run their own builds & manually sign new releases, whereas Izzy’s repo will pull the APK files directly off GitHub. For something as “active” as Jerboa I’d recommend sticking to Izzy’s repo, at least until development settles down.