Hacker News

A faster heart for F-Droid

504 points by kasabali yesterday at 6:36 PM | 202 comments

Comments

utopiah today at 7:10 AM

I think there are quite some misconceptions about F-Droid in the comments:

- you can be your own F-Droid server

In fact it's a basic static HTTP(S) server that is generated with the list of .apk and meta-data so it really doesn't require much.

I think what is concerning to people is that the most popular INSTANCE of F-Droid, the one that is by default when one downloads the F-Droid CLIENT, is "centralized" but again that's a misconception. It's only popular, it's not really central to F-Droid itself. Adding another repository in the F-Droid parlance is just a simple option of changing or adding a URL to more instances.

That being said if anybody here would like to volunteer to provide a fallback to the build system to that popular instance, I imagine the F-Droid team would welcome that with open arms.

kasabali yesterday at 6:36 PM

Context: "F-Droid build servers can't build modern Android apps due to outdated CPUs" (https://news.ycombinator.com/item?id=44884709)

Aurornis yesterday at 9:50 PM

> this server is physically held by a long time contributor with a proven track record of securely hosting services. We can control it remotely, we know exactly where it is, and we know who has access.

I can’t be the only one who read this and had flashbacks to projects that fell apart because one person had the physical server in their basement or a rack at their workplace and it became a sticking point when an argument arose.

I know self-hosting is held as a point of pride by many, but in my experience you’re still better off putting lower cost hardware in a cheap colo with the contract going to the business entity which has defined ownership and procedures. Sending it over to a single member to put somewhere puts a lot of control into that one person’s domain.

I hope for the best for this team and I’m leaning toward believing that this person really is trusted and capable, but I would strongly recommend against these arrangements in any form in general.

EDIT: F-Droid received a $400,000 grant from a single source this year ( https://f-droid.org/2025/02/05/f-droid-awarded-otf-grant.htm... ) so now I’m even more confused about how they decided to hand this server to a single team member to host in unspoken conditions instead of paying basic colocation expenses.

mcsniff yesterday at 9:05 PM

Ugh. This 100% shows how janky and unmaintained their setup is.

All the hand waving and excuses around global supply chains, quotes, etc...it took pretty long for them to acquire commodity hardware and shove it in a special someone's basement and they're trying to make it seem like a good thing?

F-Droid is often discussed in the GrapheneOS community, the concerns around centralization and signing are valid.

I understand this is a volunteer effort, but it's not a good look.

ZiiS yesterday at 10:09 PM

Let's focus on how they have done so much with such simple hardware, rather than comparing them to companies that do so little with so much more.

amake today at 8:15 AM

I publish an app to the App Store, Google Play, and F-Droid. For years, F-Droid took absolute ages to reflect a new release.

People used to criticize the walled gardens for having capricious reviewers and slow review times, but I found F-Droid much more frustrating to get approval from and much slower to get a release out.

So this development is much appreciated. In fact I had an inkling that build times had improved recently when an update made it out to F-Droid in only a day or two.

Abishek_Muthian today at 4:26 AM

I don't understand why governments haven't started to fund F-Droid, almost all govt. apps are open-source.

Countries which fear they could be cut off from the duopoly mobile ecosystem should be forcing Android manufacturers to bundle in F-Droid; for the amount of nonsense regulations they force phone manufacturers to adhere to, bundling F-Droid wouldn't be that hard.

Google won't be happy, but anti-trust regulations would take care of it.

valgaze yesterday at 8:27 PM

Hmm:

“F-Droid is not hosted in just any data center where commodity hardware is managed by some unknown staff. We worked out a special arrangement so that this server is physically held by a long time contributor with a proven track record of securely hosting services. We can control it remotely, we know exactly where it is, and we know who has access.”

Dwedit today at 5:57 PM

Is there anything that can be done about F-Droid downloading very big files (over 50MB) every time it needs to update the repository? I'd expect at the very least regular checkpoint files, then difference files that get you from one checkpoint to the next.

Johnny555 today at 4:50 AM

Does anyone know what the server is? I don't see it on their site.

I'm curious why supply chain issues got in the way and why they couldn't just configure a Dell PowerEdge and get delivery in a couple weeks.

I'm assuming they have some special requirements that weren't met by an off-the-shelf server, so I'm just curious what those requirements are.

PaulKeeble yesterday at 9:18 PM

Modern machines go up to really mental levels of performance when you think about it and for a lot of small scale things like F-Droid I doubt it takes a lot of hardware to actually host it. A lot of it's going to be static files so a basic web server could put through 100s of thousands of requests and even on a modest machine saturate 10 gbps which I suspect is enough for what they do.

This just reads to me like they have racked a box in a colo with a known person running the shared rack rather than someone’s basement, but who really knows, they aren't exactly handing out details.

debugnik yesterday at 10:34 PM

> not hosted in just any data center [...] a long time contributor with a proven track record of securely hosting services

This is ambiguous, it could mean either a contributor's rack in a colocation centre or their home lab in their basement. I'd like to think they meant the former, but I can't deny I understood the latter in my first read.

Also, no details on the hardware?

NoiseBert69 yesterday at 8:21 PM

So.. what kind of hardware did they buy?

JimBlackwood yesterday at 9:36 PM

While I get their setup is amateurish, it's also a good reminder of how simple setups can be.

Saying this on HN, of course.

basilgohar yesterday at 10:35 PM

I think all the criticism of what F-Droid is doing here (or perceived as doing) reflects more on the ones criticising than the ones being criticised.

How many things went upside down and all the "right" things were done (corporate governance, cloud native deployment, automation, etc.). The truth is none of these processes are actually going to make things more secure, and many projects went belly up despite following these kinds of recommendations.

That being said, I am grateful to F-Droid for fighting the good fight. They are providing an invaluable service and I, for one, am even more grateful that they are doing it as uncompromisingly as possible (well into discomfort) according to their principles.

anthk yesterday at 11:02 PM

Good. But I wish PostmarketOS supported more devices. On battery, tons of kernel patches could be set per device plus a config package in order to achieve the best settings. On software and security...you will find more malware in Play Store than the repos from PmOS/Alpine. I know it's not a 100% libre (FSF) system, but that's a much greater step towards freedom than Android, where you don't even own your device.

j1elo yesterday at 10:27 PM

I wonder if anyone knows about Droid-ify. Whether it is a safe option, or better to stay away from it?

It showed up one day while I searched about why F-Droid was always so extremely slow to update and download... then trying Droid-ify, that was never a problem any more, it clearly had much better connectivity (or simply fewer users?)

anticorporate yesterday at 10:12 PM

It's frankly embarrassing how many of the comments on this thread are some version of looking at the XKCD "dependency" meme and deciding the best course of action is to throw spitballs at the maintainers of the critical project holding everything else up.

user205738 today at 8:55 AM

Disappointed in HN because of these comments

ilaksh today at 1:18 AM

Is it possible to add some kind of hardware detection to the build process of a project submitted and inspect the details?

whalesalad yesterday at 10:13 PM

Absolutely zero details on the old or new server.

SuperNinKenDo today at 1:57 AM

Christ, comment sections like this make me never want to do anything that might gain widespread adoption, ever.

Brought to you by the helpful folks who managed to bully WinAmp into retreating from open source. Very productive.

vjay15 today at 3:38 AM

I wish they could give more clarity on whether it's hosted in a professional server or someone's bedroom, because just saying that "it's held by a long time contributor with a proven track record of securely hosting services" is not very reassuring.

Gelob today at 1:52 AM

so uhhh what are the specs of said server?

alexnewman yesterday at 10:48 PM

i'm glad we have a wing that's against gab app store. Can we have one that's for them for balance?

websiteapi yesterday at 9:10 PM

> Another important part of this story is where the server lives and how it is managed. F-Droid is not hosted in just any data center where commodity hardware is managed by some unknown staff.

> The previous server was 12 year old hardware and had been running for about five years. In infrastructure terms, that is a lifetime. It served F-Droid well, but it was reaching the point where speed and maintenance overhead were becoming a daily burden.

lol. if they're gonna use gitlab just use a proper setup - bigco is already in the critical path...