
Open source specific repo

By Scary Guy, Senior Member on 29th December 2014, 10:45 AM
So I look through the built-in repo and I install a lot of things on my old phone to play with. However, on the primary I only use FOSS. If a module doesn't have a git page then I don't install it.

I was thinking it would be neat if someone maintained a separate F-Droid repo specifically for xposed modules which are open source. Since xposed itself is open source you could have that on there as well.

It'd be nicer if there was a filter option in the program itself but I'm sure the devs are busy and the above would just be easier.
29th December 2014, 04:55 PM |#2  
Senior Member
Maybe it is possible to add "Open source modules" to the Sort mode (in Xposed Installer -> Download). It will simply check if the Source link for the module is not empty.

Who can take this idea and contribute this feature to Xposed?
1st March 2015, 08:33 AM |#3  
Senior Member
Waking up this thread. I would also really like to have a structured list of modules which are open source for security reasons. Is this available anywhere yet?
1st March 2015, 09:25 AM |#4  
Senior Member
Quote:
Originally Posted by E--Man

Waking up this thread. I would also really like to have a structured list of modules which are open source for security reasons. Is this available anywhere yet?

Maybe we can get the "repo db" and look for the source code field. But an "in app implementation" is preferred. @rovo89
2nd March 2015, 03:12 PM |#5  
Senior Member
Quote:
Originally Posted by pyler

Maybe we can get the "repo db" and look for the source code field. But an "in app implementation" is preferred. @rovo89

Where could we obtain the DB with those fields? I would never install any closed-source modules on my devices. Doing so is absolutely ludicrous in my opinion.

Also, is there a list of verified and trusted (by @rovo89 or someone alike) Xposed modules anywhere?

This is a very important topic...

Thanks,

E.
2nd March 2015, 08:14 PM |#6  
rovo89
Senior Recognized Developer
See https://github.com/rovo89/XposedInstaller/issues/249
The information about the source code URL is available in the repository XML file already and could easily be read by the installer. The issue is up for grabs. I would appreciate a quick outline of the intended implementation though, so I can intervene regarding architectural decisions before someone writes a lot of code.

I can't give any "trust" recommendations for any but my own modules. It would mean that I would have to analyse the complete source code, verify that the APK actually matches that source code and repeat these steps for every new version.
2nd March 2015, 08:58 PM |#7  
Senior Member
Well, if a module is open source, anybody can check the code, so I think there is almost zero chance for malware or so...
Closed-source and obfuscated modules are the worst ones. Avoid them. They can do basically everything in the background and the user knows nothing.

So, any skilled dev here who is able to create a new filter in Xposed Installer for open source modules? It could be a good addition.
3rd March 2015, 06:30 AM |#8  
YaDr
Senior Member
Moscow
Quote:
Originally Posted by pyler

Well, if a module is open source, anybody can check the code, so I think there is almost zero chance for malware or so...
Closed-source and obfuscated modules are the worst ones. Avoid them. They can do basically everything in the background and the user knows nothing.

So, any skilled dev here who is able to create a new filter in Xposed Installer for open source modules? It could be a good addition.

Really?..
Anybody can check sources, but who will?..
And can you trust their results?..

FOSS can be riddled with exploits like Heartbleed for years, and no one will notice anything. There are even competitions on hiding malicious code inside innocent one...
Only a small number of experienced and skilled developers will be able to find such malware, and believe me - 99% of them don't waste their time on reading, understanding and checking for exploits the sources of all software they use...
12th March 2015, 06:26 PM |#9  
Senior Member
@rovo89, thanks for responding to this thread.

I am just wondering if anyone has any updates on the development of an Open Source repository.

Also, I feel that it would also be helpful if we had some sort of a "Developer Trust Rating" as well as a "Code Reviewer" status to ensure that the code of a particular module (or even revision if someone volunteers to take it that far) is both safe and/or that the code has been inspected.

Without this, installing modules on devices means we could be installing software that can be as malicious as it can get.

Lastly, where can I download the XML file that lists XPosed modules along with the "source code URL", and how can I validate that the source code in the URL matches that of the XPosed module itself?

Thanks.
12th March 2015, 06:36 PM |#10  
rovo89
Senior Recognized Developer
Quote:
Originally Posted by E--Man

Also, I feel that it would also be helpful if we had some sort of a "Developer Trust Rating" as well as a "Code Reviewer" status to ensure that the code of a particular module (or even revision if someone volunteers to take it that far) is both safe and/or that the code has been inspected.

That's a nice vision, but I doubt that you will find enough people to actually do this who you trust and who would be willing to take the responsibility.

Quote:
Originally Posted by E--Man

Lastly, where can I download the XML file that lists XPosed modules along with the "source code URL", and how can I validate that the source code in the URL matches that of the XPosed module itself.

Check the source code of the installer for the URL, I don't remember it. But there is no way you can check an APK and find out whether it's built from a certain source. That would only be possible if the developer gave the source code to a trusted party, who would compile it and sign it with their keys. If you trust that third party AND inspect the source code, then you can be sure that it's not malicious. That's F-Droid's model, as far as I know.
12th March 2015, 07:00 PM |#11  
Senior Member
Quote:
Originally Posted by YaDr

Really?..
Anybody can check sources, but who will?..
And can you trust their results?..

FOSS can be riddled with exploits like Heartbleed for years, and no one will notice anything. There are even competitions on hiding malicious code inside innocent one...
Only a small number of experienced and skilled developers will be able to find such malware, and believe me - 99% of them don't waste their time on reading, understanding and checking for exploits the sources of all software they use...

Hello there my Russian friend. I will respectfully disagree with you on this point and I will explain why. Right here on XDA, we have many highly-skilled developers who are the authors of countless lines of code translating into ROMs, modules, enhancements, etc. Much (if not all) of these projects are free to distribute and created as a contribution to the community. In other words, to ask "who will check sources" is the same thing as asking "who will create custom ROMs for people?" or "who will create invaluable/indispensable modules such as XPosed?" or even the general question of "why would someone do this for free?".

It is evident that all of these exist already and that people do indeed contribute, so coupled with the fact that the XDA community is over 5 million members in size, I think there will be developers who may be interested.

The only reason I can see someone not supporting this is if they have an interest not to do so, such as being the author of a closed-source (or open-source) malicious module.