Open source specific repo


Scary Guy

Senior Member
So I look through the built in repo and I install a lot of things on my old phone to play with. However on the primary I only use FOSS. If a module doesn't have a git page then I don't install it.

I was thinking it would be neat if someone maintained a separate F-Droid repo specifically for xposed modules which are open source. Since xposed itself is open source you could have that on there as well.

It'd be nicer if there was a filter option in the program itself but I'm sure the devs are busy and the above would just be easier.
 
  • Like
Reactions: bungadudu

pyler

Senior Member
Jan 13, 2013
1,279
2,372
Maybe it is possible to add "Open source modules" in Sort mode (in Xposed Installer -> Download). It will simply check if Source link for module is not empty.

Who can take this idea and contribute this feature to Xposed? :)
 

E--Man

Senior Member
May 1, 2012
526
74
Waking up this thread. I would also really like to have a structured list of modules which are open source for security reasons. Is this available anywhere yet?
 
  • Like
Reactions: Scary Guy

E--Man

Senior Member
May 1, 2012
526
74
Maybe we can get "repo db" and look for source code field. But "in app implementation" is preferred. @rovo89

Where could we obtain the DB with those fields? I would never install any closed-source modules on my devices. Doing so is absolutely ludicrous in my opinion.

Also, is there a list of verified and trusted (by @rovo89 or someone alike) Xposed modules anywhere?

This is a very important topic...

Thanks,

E.
 

rovo89

Senior Recognized Developer
Jan 4, 2012
2,585
81,433
See https://github.com/rovo89/XposedInstaller/issues/249
The information about the source code URL is available in the repository XML file already and could easily be read by the installer. The issue is up for grabbing. I would appreciate a quick outline of the intended implementation though, so I can intervene regarding architectural decisions before someone writes a lot of code. :)

I can't give any "trust" recommendations for any but my own modules. It would mean that I would have to analyse the complete source code, verify that the APK actually matches that source code and repeat these steps for every new version.
 
  • Like
Reactions: Scary Guy

pyler

Senior Member
Jan 13, 2013
1,279
2,372
Well, if module is open source, anybody can check code so I think there is almost zero chance for malware or so...
Closed sourced and obfuscated modules are the worst ones. Avoid them. They can do basically everything in background and user knows nothing.

So any skilled dev who is able to create new filter in Xposed Installer for open source modules here? It could be good addition.
 

GuestK00280

Guest
Well, if module is open source, anybody can check code so I think there is almost zero chance for malware or so...
Closed sourced and obfuscated modules are the worst ones. Avoid them. They can do basically everything in background and user knows nothing.

So any skilled dev who is able to create new filter in Xposed Installer for open source modules here? It could be good addition.

Really?..
Anybody can check sources, but who will?..
And can you trust their results?..

FOSS can be riddled with exploits like Heartbleed for years, and no one will notice anything. There are even competitions on hiding malicious code inside innocent one...
Only a small number of experienced and skilled developers will be able to find such malware, and believe me - 99% of them don't waste their time on reading, understanding and checking for exploits the sources of all software they use...
 

E--Man

Senior Member
May 1, 2012
526
74
@rovo89, thanks for responding to this thread.

I am just wondering if anyone has any updates on the development of an Open Source repository.

Also, I feel that it would also be helpful if we had some sort of a "Developer Trust Rating" as well as a "Code Reviewer" status to ensure that the code of a particular module (or even revision if someone volunteers to take it that far) is both safe and/or that the code has been inspected.

Without this, installing modules on devices means we could be installing software that can be as malicious as it can get.

Lastly, where can I download the XML file that lists XPosed modules along with the "source code URL", and how can I validate that the source code in the URL matches that of the XPosed module itself?

Thanks.
 
  • Like
Reactions: bungadudu

rovo89

Senior Recognized Developer
Jan 4, 2012
2,585
81,433
Also, I feel that it would also be helpful if we had some sort of a "Developer Trust Rating" as well as a "Code Reviewer" status to ensure that the code of a particular module (or even revision if someone volunteers to take it that far) is both safe and/or that the code has been inspected.
That's a nice vision, but I doubt that you will find enough people to actually do this who you trust and who would be willing to take the responsibility.

Lastly, where can I download the XML file that lists XPosed modules along with the "source code URL", and how can I validate that the source code in the URL matches that of the XPosed module itself.
Check the source code of the installer for the URL, I don't remember it. But there is no way you can check an APK and find out whether it's built from a certain source. That would only be possible if the developer gave the source code to a trusted party, who would compile it and sign it with their keys. If you trust that third party AND inspect the source code, then you can be sure that it's not malicious. That's F-Droid's model, as far as I know.
 
  • Like
Reactions: Scary Guy
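
The reply above says an APK alone does not reveal which source it was built from, and that the remaining option is a rebuild from the published source by a party you trust. As an added example (not code from the thread or from Xposed Installer), this is the comparison such a rebuilder would run between the distributed APK and their own build, ignoring only the signing files; the sample APKs, entry contents and function names are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signing files: they differ whenever the signing key differs, so they
# are skipped. The v2/v3 signing block is not a ZIP entry and is never read here.
SIGNING_FILE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def content_digests(apk):
    """Map every non-signing entry to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir() or SIGNING_FILE.match(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(published, rebuilt):
    """Report entries that are missing, extra or different between two APKs."""
    a, b = content_digests(published), content_digests(rebuilt)
    return {
        "only_in_published": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def matches(report):
    return not any(report.values())

def make_apk(entries):
    """Build an in-memory ZIP standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf

# Constructed samples: same payload signed by two different parties, plus a
# published APK whose code differs from what the source produces.
PAYLOAD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex hook code",
           "assets/xposed_init": b"com.example.module.Hook\n"}
published = make_apk({**PAYLOAD, "META-INF/CERT.RSA": b"developer signature"})
rebuilt = make_apk({**PAYLOAD, "META-INF/REBUILD.RSA": b"rebuilder signature"})
tampered = make_apk({**PAYLOAD, "classes.dex": b"dex hook code + extra",
                     "classes2.dex": b"undeclared code"})

if __name__ == "__main__":
    print(compare_apks(published, rebuilt))
    print(compare_apks(tampered, rebuilt))
```

A clean report is only meaningful when the module's build is reproducible; a non-empty one can come from a different toolchain as well as from changed code, so each listed entry still has to be inspected.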

E--Man

Senior Member
May 1, 2012
526
74
Really?..
Anybody can check sources, but who will?..
And can you trust their results?..

FOSS can be riddled with exploits like Heartbleed for years, and no one will notice anything. There are even competitions on hiding malicious code inside innocent one...
Only a small number of experienced and skilled developers will be able to find such malware, and believe me - 99% of them don't waste their time on reading, understanding and checking for exploits the sources of all software they use...

Hello there my Russian friend. I will respectfully disagree with you on this point and I will explain why. Right here on XDA, we have many highly-skilled developers who are the authors of countless lines of code translating into ROMs, modules, enhancements, etc. Much (if not all) of these projects are free to distribute and created as a contribution to the community. In other words, to ask "who will check sources" is the same thing as asking "who will create custom ROMs for people?" or "who will create invaluable/indispensable modules such as XPosed?" or even the general question of "why would someone do this for free?".

It is evident that all of these exist already and that people do indeed contribute, so coupled with the fact that the XDA community is over 5 million members in size, I think there will be developers who may be interested.

The only reason I can see someone not supporting this is if they have an interest not to do so, such as being the author of a closed-source (or open-source) malicious module.
 
  • Like
Reactions: bungadudu

Scary Guy

Senior Member
"FOSS can be riddled with exploits like Heartbleed for years, and no one will notice anything"

Yeah but if it was closed source there is a chance it would have never been found.

Also saying that "no one would bother to check the code" is a horrible argument. At least give people the option to inspect it if they want to.
 

E--Man

Senior Member
May 1, 2012
526
74
Bump, has anyone taken this to the next step? I am still interested!

Please use the QUOTE feature when replying to me to get my attention. Thanks!
 

Scary Guy

Senior Member
I think more filters in general would be a good thing. There are a lot of Asian based apps that I have no interest in, nor do I play Pokemon/Ingress.

Categories for what country you're in or if an app is for gaming/banking/etc... would be nice. Maybe have the API levels it will work with too, and then just not show anything outside of that range.

I suppose someone could just make an F-Droid repo specifically for xposed/magisk apps too, though I would prefer it if it were officially maintained/sanctioned.
 
