What's wrong with F-Droid? Why not put the apps on there?
📣 Introducing zap.store 0.1.0
For months I have been dreaming of a better app store, frustrated by big tech's permissioned bs, GPG's complexities, and Obtainium's reliance on centralized services and poor UX.
Here's the first (very alpha) iteration of zap.store, a permissionless app store leveraging the nostr social graph.
✔ Android only (for now! Desktop coming soon)
✔ Obtainium drop-in replacement (smaller catalog but growing)
✔ App releases are signed/curated by this account, as developers start self-signing
✔ Web of trust check before installing an app
Get it at https://zap.store or https://github.com/zapstore/zapstore
(SHA-256 hash of the APK version 0.1.0 is 8540bd492064c17d83bcdc6d2a463c2aea46f13c2b0d13b8a96023df95bd0c9d)
Feedback is more than welcome; it's also possible to send it directly from the ⚙️ screen in the app
s/o to nostr legends nostr:npub149p5act9a5qm9p47elp8w8h3wpwn2d7s2xecw2ygnrxqp4wgsklq9g722q and nostr:npub1zafcms4xya5ap9zr7xxr0jlrtrattwlesytn2s42030lzu0dwlzqpd26k5 for their invaluable help
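The two pre-install checks the announcement lists (comparing the downloaded APK's SHA-256 to the published hash, then the web-of-trust step that asks whether anyone you follow has attested to that exact hash) can be sketched in a few lines. This is an added example, not zap.store's own code: the follow list, the `endorsements` mapping and the `npub1...-placeholder` identifiers are constructed for illustration and are not the nostr event format; the only real value is the 0.1.0 hash quoted above, used here to show the mismatch case.

```python
import hashlib
import hmac
import os
import tempfile

# Published hash quoted in the announcement above (zap.store 0.1.0 APK).
PUBLISHED_SHA256 = "8540bd492064c17d83bcdc6d2a463c2aea46f13c2b0d13b8a96023df95bd0c9d"


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large APK never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_apk_hash(path: str, expected_hex: str) -> bool:
    """True only if the file's digest equals the published digest (case-insensitive hex)."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.strip().lower())


def endorsers_among_follows(apk_sha256: str, follows, endorsements) -> list:
    """Return the follows who attested to exactly this digest.

    `endorsements` is an assumed, constructed structure: digest -> set of npubs.
    Keying on the digest means an endorsement of a different build never counts
    for this file, which is the property a web-of-trust check needs.
    """
    return sorted(endorsements.get(apk_sha256.strip().lower(), set()) & set(follows))


def install_decision(path: str, expected_hex: str, follows, endorsements) -> str:
    """Combine both checks into one verdict; a hash mismatch is rejected before trust is consulted."""
    if not verify_apk_hash(path, expected_hex):
        return "reject: digest does not match the published hash"
    trusted = endorsers_among_follows(expected_hex, follows, endorsements)
    if not trusted:
        return "warn: digest matches, but nobody you follow has endorsed it"
    return "ok: endorsed by " + ", ".join(trusted)


def make_constructed_apk(contents: bytes = b"constructed stand-in for an APK, not a real app\n") -> str:
    """Write constructed bytes to a temp file and return its path (stands in for a downloaded APK)."""
    fd, path = tempfile.mkstemp(suffix=".apk")
    with os.fdopen(fd, "wb") as f:
        f.write(contents)
    return path


if __name__ == "__main__":
    apk = make_constructed_apk()
    # Constructed follow list and endorsements; the npubs are placeholders, not real keys.
    follows = {"npub1alice-placeholder", "npub1bob-placeholder"}
    endorsements = {sha256_of_file(apk): {"npub1alice-placeholder", "npub1stranger-placeholder"}}
    print(install_decision(apk, sha256_of_file(apk), follows, endorsements))
    # The published hash belongs to the real 0.1.0 APK, so the constructed file is rejected.
    print(install_decision(apk, PUBLISHED_SHA256, follows, endorsements))
    os.remove(apk)
```

The ordering matters: the digest comparison runs first, so an endorsement can only ever vouch for the bytes that were actually verified, and a stranger's endorsement is discarded by the intersection with the follow list.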
Discussion
Because open source devs insist on fragmentation
Zap.store is built on the nostr identity layer, which other app stores lack. This means that on my follows list, I can check if e.g. nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 uses, recommends, or verifies the sha256 of a particular app.
This may sound like a trivial change, yet it makes app stores function more in line with recommendations from friends and family in real life 🌶️
Many things are wrong with fdroid, few are right:
Because fdroid sucks:
- Only allows FOSS apps
- No reputation layer
- No social layer
- Delay for listing new apps
- Delay for publishing updates
- Looks like shit, normies will not use it
fdroid sucks, but not for those reasons. How about that it uses fdroid's signing key, unlike Obtainium, which uses the developer's signing key.
Fdroid is also extremely insecure:
I mainly use Obtainium and GitHub release URLs. Some apps are unfortunately only available via fdroid.
You can install fdroid apps with Obtainium. It even works for 3rd party repos.
Also, if you hack a bit with regex you can turn every HTTP page into a repo. I update WhatsApp and Electrum from Obtainium and versioning is handled like a charm.
Most important apps are signed by fdroid, not by the app devs (for the most part at least; fdroid offers a method to build the app in a way that permits devs to sign it themselves, but practically no one uses it because it requires much work).
So if someone compromises fdroid, they can put arbitrary malware in the updates of all your fdroid apps.
