#AnySoftKeyboard, installed from #FDroid, asks for access to Contacts. Was it compromised? (EDIT: Unlikely)

I don't remember it asking me for Contacts before (but @lnxw37a2 does). [EDIT: I was] worried it may have been subject to a supply chain attack, and to be on the safe side, I uninstalled it.

It seems to be a mostly unmaintained app that I never use, but hadn't uninstalled. This is the first new version since 2025/07/25, and before that, 2022/01/14 (the first version shipped by @fdroid).

Seems I was going off half-cocked, out of an overabundance of caution. #MeaCulpa. I thought it would be worse if I ignored my strypey-senses tingling and said nothing, then it turned out it was compromised.

We need to be cautious in this age of copious vibe coding;

https://forum.f-droid.org/t/f-droid-policy-on-libre-ai/

I do think @fdroid crew need to do due diligence when apps appear to be abandoned, then revived. They probably do, but any links to policies and processes on this would be a great way to put my mind at rest.

F-Droid policy on libre "AI"

I’ve noticed at least one app installed via F-Droid that asked me to opt-in to on-device “AI”. Which made me curious about whether the F-Droid team has formulated a policy on this. Are apps with on-device “AI” built from source by F-Droid volunteers, or are they Reproducible Builds? If it’s the latter, what’s the standard for reproducibility here? I imagine the bar would be higher than in the watered down "Open Source AI Definition” that Mufelli pushed through the OSI. Which suggests a need fo...

F-Droid Forum

#HatTip to the @fdroid threadiverse community, and others, for offering such rapid and thorough clarifications. Many thanks to @lnxw37a2 @hildegarde @alienghic @plm00 @Axolotl_cpp.

Thanks also to @tootbrute @kurikai for offering suggestions for other soft keyboard apps, and to @snek_boi for reminding me to format the first sentence of my Mastodon post so it becomes a good title in the threadiverse post.

@strypey @fdroid

I don't know what they did in this case, but a legitimate use case I can think of is to autocomplete on your contacts' names.

@strypey @fdroid least bad option is FUTO keyboard imho.

Any soft keyboard is not nice to use 😭

It’s not my preferred keyboard, so I haven’t used it in a while. But as I remember, it was abandoned for a little while, and then there was a beta branch that was in development for some time. It’s had somewhat regular development, so maybe this is its first official release in a while. While it is off-putting that it asks for contact access right away, I suspect that is so that contact names can be included in your word suggestions. It’s a fairly common keyboard feature.
Cool, I just installed a new version of CoMaps!

@artyom
> Cool, I just installed a new version of CoMaps!

This strikes me as a chatbot style reply, chatty and positive, but completely out of context. Your profile doesn't flag you as a bot, which is the convention in the fediverse.

If you are a bot, your operator needs to state that clearly in your profile, or will fall foul of @rimu. Who takes a dim view of such things, and rightly so.

If you are a human, context is king! Love your enthusiasm, but might have been better as its own post ; )

BTW @rimu, my apologies again for unloading on you with both barrels last night. I stand by my objection to the way Stanton was being dogpiled, but in hindsight I was just as merciless to you as I saw people being to him. Which was not only hypocritical, but *not* good de-escalation on my part, quite the opposite.

I've got some intense stuff going on of late, and struggling with sleep dep. But that's my problem and my responsibility, not yours, or anyone else's. I hope you can accept my apology.

@rimu In future I plan to restrict my online posting activities to mornings and afternoons, along with my caffeine intake, and improve my sleep hygiene. Working from my bed *must* stop.

I'm hoping that this will help me keep a cooler head, and avoid a repeat of this nasty posting behaviour on my part. If there's anything else I can do to repair our relationship as fellow green-left activists and fediverse devs, please do let me know : )

I will repost this in the thread with my PieFed account.

It’s cool man, don’t worry about it.

It sounds really concerning.

So that your title is read easily, you may consider editing it. To me it appears truncated.

Maybe something like

AnySoftKeyboard, installed through FDroid, asked for access to my contacts. Could the app be compromised?

or something like that could work?

@snek_boi
> So that your title is read easily, you may consider editing it

Thanks for pulling me up on that, done. Also noted Linux Walt's clarification, based on the version on his device. Hopefully you can see my reply to him.

@snek_boi
> [post title] appears truncated.

I need to remember when posting from Mastodon that the first Y characters of my post are used by @LemmyDev communities as the post title : P Truth is, many people won't even know they are also posting to the threadiverse.

I get that this title automation is better than no title. But are post titles editable by community mods, so they can remove truncated text and clarify as needed? If not, that might be a good feature.

I checked every version on F-Droid and they all have the contacts permission. It's a common request on software keyboards, because it lets it add the names of those in your contact list to the autocorrect dictionary. It's nice to avoid your keyboard wrongly correcting names.

It doesn’t have the network permission, so it's not able to transmit any data it has. I don’t think this is an attack.

The app has a link to their privacy policy which explains what permissions it asks for, why, and affirms the app cannot transmit the data off the device. Last updated in 2017, and still matching the permissions of the current version. This isn’t an attack.

Privacy Policy

Learn how AnySoftKeyboard handles your data and protects your privacy

Menny Even-Danan
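
The check described in the comment above (comparing declared permissions between releases, and looking for contacts access combined with network access), as an added example that is not part of the thread or of AnySoftKeyboard's own code. The manifests are constructed for a hypothetical `org.example.keyboard` package and assume each APK's manifest has already been decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SENSITIVE = {"android.permission.READ_CONTACTS"}
NETWORK = {"android.permission.INTERNET"}

# Constructed manifests for a hypothetical keyboard app (not real AnySoftKeyboard data).
MANIFEST_OLD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.keyboard" android:versionCode="100">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

MANIFEST_NEW = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.keyboard" android:versionCode="101">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.POST_NOTIFICATIONS"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the set of permission names a decoded AndroidManifest.xml requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    # Both element names declare a requested permission.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def review_update(old_xml, new_xml):
    """Compare two versions: what changed, and is sensitive data paired with network access?"""
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "sensitive": sorted(new & SENSITIVE),
        "network": sorted(new & NETWORK),
        # Worth a closer look only when both kinds are requested together.
        "sensitive_with_network": bool(new & SENSITIVE) and bool(new & NETWORK),
    }

if __name__ == "__main__":
    for key, value in review_update(MANIFEST_OLD, MANIFEST_NEW).items():
        print(f"{key}: {value}")
```
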

Seems to be because of this feature

The app also can’t connect to internet so it’s safe

futo keyboard is not bad