 This is your periodic reminder to install Amethyst (and all other Nostr clients) through Obtainium instead of Google's PlayStore. 

You not only receive faster updates (the PlayStore is currently 4 versions behind) but you also start the process of freeing yourself from your invisible digital overlords. 

Just follow this video: https://cdn.satellite.earth/2bd7e308c1797d64fca09b1d61e9bde24c68dd45e501c7383eff1e85392df11f.mp4 
 Watch this video!

This is the "best" "sovereign" UX to install apps we've got

The bar is low

 I’ve been an Obtainium maxi for some time. This is the way. 
 Obtainium has some problems. If you're interested I dove deep into this topic: https://stacker.news/items/404908 
 What about F-Droid? 
 What about F-Droid? 
 I've been installing APKs like a caveman! 
 I'm getting this error message

 Did you have a previous version installed? If so, you may need to uninstall first. 
 It worked. Thanks 
 So GitHub is our new middleman.  
 For now. :) Until GitStr :) 
 Yes! We need this.  
 until zap.store 😉  
 let's go!  
 GitLab is a thing. You can self-host it if that's what someone wanted 
 Obtainium works on a lot of sources in addition to GitHub. But one step closer to direct from developer is still an upgrade imo 
 Been doing this for a few months now. 

And not just for Nostr apps. 

 Like everyone else, been using Obtainium for a while. Highly recommended. 
 Thanks for this! 🫡 
 Is Obtainium better than using Aurora Store? 
 It's better for open source apps. Aurora is better for non-open source apps (proxies to Google Play Store)  
 How does Obtainium handle package/apk verification? 
 It doesn't. They are adding a way to check for hashes against a "trusted database", but afaik not live yet 
 Keep in mind that this is only needed for first installs 
 What do you mean "only for first install"? Shouldn't you verify packets at every release? 
 No, Android checks that for you. It's a bit like SSH (trust on first use) 
 Oh wow didn't know that. Guess I have something new to learn now, thanks. 
 It doesn't, but if you are provided a malicious update to an already installed app, Android handles the verification and will prevent the installation of the update if it was not signed by the developer.

The first installation is the only time you usually risk a mitm attack 
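
Added example (not part of the thread and not Obtainium's or Android's code): a simplified model of the trust-on-first-use check described in the replies above, run over constructed `apksigner verify --print-certs` output. The `PinStore` class, the package name and the digests are hypothetical, and signing-key rotation is ignored.

```python
import re

# Matches the SHA-256 line printed by `apksigner verify --print-certs`.
DIGEST_RE = re.compile(r"certificate SHA-256 digest:\s*([0-9a-fA-F]{64})")

def signer_digests(apksigner_output):
    """Return the set of signer certificate SHA-256 digests in the tool output."""
    return frozenset(d.lower() for d in DIGEST_RE.findall(apksigner_output))

def normalize(fingerprint):
    """Accept fingerprints published as 'AB:CD:...' or with spaces."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())

class PinStore:
    """Hypothetical model: package name -> signer digests pinned at first install."""
    def __init__(self):
        self.pins = {}

    def check(self, package, apksigner_output, published_fp=None):
        signers = signer_digests(apksigner_output)
        if not signers:
            return "reject: no signer certificate found"
        pinned = self.pins.get(package)
        if pinned is not None:  # update: must match what was installed first
            if signers == pinned:
                return "accept: update signed by pinned key"
            return "reject: signer differs from installed app"
        # First install: nothing is pinned yet, so only an out-of-band
        # fingerprint from the developer can catch a swapped APK.
        if published_fp is not None and normalize(published_fp) not in signers:
            return "reject: signer does not match published fingerprint"
        self.pins[package] = signers
        if published_fp is not None:
            return "accept: first install verified out of band"
        return "accept: trust on first use (unverified)"

def constructed_output(digest):
    """Constructed sample of the tool's output; the digest is made up."""
    return ("Signer #1 certificate DN: CN=Constructed Sample\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n"
            f"Signer #1 certificate SHA-1 digest: {'0' * 40}\n")

if __name__ == "__main__":
    dev, other = "ab" * 32, "cd" * 32  # constructed digests
    store = PinStore()
    print(store.check("com.example.app", constructed_output(dev), "AB:" * 31 + "AB"))
    print(store.check("com.example.app", constructed_output(dev)))
    print(store.check("com.example.app", constructed_output(other)))
```

The only path that accepts an APK without any check against known key material is the first install with no published fingerprint, which is the gap the replies above point at.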
 F-droid is pretty mature. What's the goal here? 
 F-droid is as centralized as Google. Just different overlords.  
 A FOSS app on GitLab is as centralized as the Google app store? It seems odd to take that strong of a position and then think Microsoft's GitHub of all things is the answer. I think it's cool. It's just confusing and contradictory. I don't see how centralization is being solved here. That's why I wonder what the goal is. Because if this is the entire goal then I'm either a moron or something doesn't add up. 
 Yes, the app is FOSS, but the app is the least important part of F-droid. The key is the catalog of apps that is extremely controlled by a few individuals that review. To give you an idea, Firefox is not opensource enough for F-Droid's review board. Which is bonkers. 

To me, as an app developer that publishes constantly to both Google and F-Droid, the F-droid review board has been way more controlling of what I can do in the app than what Google does. Which is also bonkers. 

But again, neither Google, nor F-droid is there to decentralize things from themselves. Both are incentivized to keep as much control as possible. And that's my whole point to move away to Obtainium. 

FOSS doesn't necessarily mean decentralized. 
 That makes a lot more sense. Thank you. 
 Product pages like yours https://github.com/vitorpamplona/amethyst should really highlight that straight APKs from Obtainium or GitHub or whatever are the preferred download.

Because of different signatures the app source can't be easily changed later, it requires a reinstall with migrating data from the old to the new install, which can be a hassle.

Ran into this the other day wanting to install SimpleX from GitHub after originally getting it from Google Play.
 But we do, the preference to install is in order. Both on GitHub and on https://amethyst.social 
 All good somehow it could be clearer. 
 Do you have a source for this?  Fennec is mobile Firefox and is in f-droid repo.  
 There is no "review board". If the code doesn't compile using only free software, it is rejected. F-droid is about pure open source.

Way too many random apks from the internet are loaded with 3rd party tracking, at the least. 

Anyone can set up their own f-droid repo and serve up their own apks.  Izzydroid, divested, guardian project, calyx, cromite, etc have all done this. 

Obtainium is basically a fancy curl interface. It doesn't verify anything and so long as the binary blob downloads, you can install it. It's no different than a user browsing and downloading binaries off the internet. 

F-droid needs lots of work, and it's a constant work in progress, but I feel it's vastly better than the alternatives right now.  
 Accrescent.app will be a much better alternative, protecting users from unsafe apps without making life hell for developers. 
 One can only hope.  
 I'm not really supposed to ask yet as it's invite only, but have you seen accrescent.app? It's a much more developer and user friendly app store. I'm sure they'd love to have Amethyst on there if you asked. 
 Maybe I am a moron. I didn't realize it's letting the user input the location of the repo. It looked like it was only using GitHub at first. That's pretty cool if it's handling updates from wherever the repo is. 
 How to escape the #android e-gulag 
 I love using Obtainium. A lot simpler, no centralization and faster updates. 
 Use Obtainium instead of Google Play Store or F-Droid. A lot simpler, no centralization, no account needed and faster updates.

 Newest version! Thanks! 
 Done here! My app downloaded through the Play Store was three versions behind! It didn't allow updating the existing app, so I had to uninstall and do a fresh installation through Obtainium. 
 Did you need to reenter your nsec? 
 If you uninstall a version, yes. But it's better to use Amber. 
 Thank you 
 Is there an Amber app? All I could find was the GitHub repository 
 Same doubt 🤔 
 Yes https://github.com/greenart7c3/amber  into Obtainium.
Do you know if I can download #primal through Obtainium? I tried here, and it gave an error. 
 @CAPiVARA the video didn't open here... where did you download the updated Amethyst from, other than Google Play? 
 Through here: download this Obtainium, and from inside it you can pull Amethyst straight from the repository, but it would be good to watch the video because it has a step-by-step walkthrough 

 Got it.. thanks! 
 Ah was just going to say that. 
 You convinced me and I have a number of my main apps going in it. I am noticing that I have to uninstall some apps to get the version through Obtainium to install without errors, but small price to pay to cut the cord with Google on as many apps as I can. 
 Thank you! this is so clear and simple. 
 I don't have a single friend that isn't completely enveloped in the apple cell. So far from talking about Obtainium 😅😮‍💨 
 Is there translation in the freedom version yet?  
 Thanks for sharing, I was unaware of obtainium, it's pretty cool.  
 Dumb question: what is a "universal" APK when getting the choice? I know v8a vs v7a, but what's the use case for universal? 
 Universal is good if you're not sure which to use yet (newbie people like me when I made the tutorial) because it covers all the bases. 
 Go for it! It's easier than it sounds...

 I don't know what I'm doing wrong. I've installed obtainium but when I search amethyst nostr it displays unauthorized 
 Are you behind a firewall/VPN or using Tor?  
 Mullvad. I'll try without.  
 Turned it off. Same problem. 😕 
 Did you copy/paste the Amethyst GitHub repo? If not, Obtainium is a tool to get updates for apps from locations but not a traditional market so you can't search for things.

Try pasting this in if you didn't already try it:
 How's this compared to Aurora Store? 
 No idea. The main question is who decides what shows up in Aurora's app catalog? 
 Aurora Store is just a frontend for the Google Play Store, to be used on devices that can't access it 
 Aurora store is access to the play store without a Google account. Good for degoogling but still the same version and relying on Google's hosting 
 Wow didn't even know this existed! Thank you

 Still using F-Droid / Droid-ify for now... maybe I'll try Obtainium after I flash Lineage 20 
 I run Graphene and I don't even have f-droid installed thanks to Obtainium.

 Fdroid (and even Google Play) verify apk signatures and hashsums.

The lack of integrity and authenticity verifications in Obtainium (which just fetches apks over https) certainly puts it at a severe disadvantage when it comes to security.

Obtainium is as much censorship resistance as possible but we should be clear about the trade-offs. Unless there is a standard way for devs to publish hashsums and sigs on GitHub Releases that Obtainium could use for verification, things are not likely to improve.
 You should push for signature verification to be implemented into Obtainium.

 +1 Also available on F-droid.

 I use Obtainium for every app I can. Highly recommended
 My Samsung isn't allowing the installation of apps from unknown sources, and I can't change that setting. 
 You have to go to the application's settings. In this case I imagine you are downloading through the browser, so you have to give the browser permission to install apps. 
 It's a good thing to have alternatives. I personally am not going to do this until there is a real problem with Google. Until that my lazy ass will go the easy way 😂  
 I wonder if @jb55 will sideload Damus in EU from March and reintroduce proper ⚡️ 
 This is the way. 
 Does anyone know if an app downloaded via APK or through Obtainium can be updated automatically by the Play Store? I ask because the apps I installed in this way continue to show up in the Play Store as 'installed.' I believed that I would lose this link if I installed them outside the official Android store 🤔 
 Lbry and odysee  
 Yes, Google Play checks for the crypto signature of each apk. And if it matches the Google Play version, it will consider it installed ^^ 
 No, they are different things with the same name. That's why it shows as installed. But the PlayStore update will never work because the signature is different. Once you switch to Obtainium, you have to keep using it or uninstall and try another method. 
 Got it! I was concerned about installing apps outside the Playstore, and if there was an update through the Playstore, my phone might force the update through the native store. Thank you! 
 Well it's not obvious. I only started noticing this once I developed my first apps. And somehow google play could update my manually downloaded test APKs as soon as my app got released.

The magic is in the signing key :) 
 Oh I see! Didn't realize they used different signing keys. 
 interesting. Does Obtainium use the release added in github repos? 
 I get conflicting package errors all the time with Obtainium 
 Strange. I have used Obtainium for over a year and never gotten an issue. Are those with Amethyst? Do you also use other forms of installation? 
 I used to use Aurora store, seems to be pretty much defunct now, I'll delete it and try again, thanks. 
 @Vitor Pamplona and the version on F-Droid? I just don't want 9 different app stores - already have 3 without Obtainium installed. 
 No need for F-droid (which is also very centralized) if you have Obtainium 
 but FDroid is more safe (they compile software themselves), github dev can add malicious code to the build. 
 If the dev is malicious, F-droid will compile the malicious code as well (F-droid doesn't review any changes to the actual code). There is no extra safety being added by F-Droid. They only check if the code is open source, that's it. 
 if the application has a sizeable user base, there will be users (most likely contributors) who will discover the change, they have about 1 day, but many FDroid users rarely update repositories, so more than 1 day.  Malicious functionality in builds can go unnoticed for years. 
 Could be interesting to have an organization that would specialize in reviewing code with results integrated into a directory with nostr. Badges and additional marketing exposure could be a benefit. Members could be both producers and users and could pay for the service. 
 There is no need for such "organization". Just trust your favorite developer. E.g. if you use Amethyst, that means you trust Vitor Pamplona. And so on... 
 Google play doesn't let me install amethyst.
F-Droid does. 
 It's on fdroid too which is nice.  
 Do F-Droid or Obtainium migrate all apps to new device automatically?  
 I've never used Obtainium, but I believe fdroid is just to install apps.  Android has a backup mechanism which would likely work for data migrations. I've never tried a migration tho. The idea of starting fresh is nice. It declutters and renews. The downside is reconfiguration,... But that's also useful for learning. 
 F droid version lacks auto translate function.
And I have been using that quite extensively, but other than that it's really nice to have the option. 
 I need this 

 #privacytechpro tip: use #obtainum to get your #android and #grapheneos apks.

as a long time Obtainium user it's nice to see @Vitor Pamplona promoting it as the official method for getting #Amethyst


here are all the sources you can pull apks from:


#cybersecgirl #obtanium #amethyst 
 Running Obtainium now. 🫡 

 I did, but I have Amethyst installed. You recommend that I delete and do with Obtainium? 
 Sideloading is a double-edged sword, careful now. 
 That's what play store people love to tell you :) 
 does parallel downloads work? 
 my King 
 Thanks did it 😀 
 Unfortunately yes it has a different cryptographic signature that's signed by Google. Good to prevent fake apps from grabbing your real app data. Bad that it locks you into Google unless you uninstall.