F-Droid maintains in Debian

Free software enables more efficient ways to run large-scale software. F-Droid can serve so many people with minimal resources because of this superpower. Instead of each project handling development and maintenance of the whole thing, free software enables sharing development and maintenance. This is why F-Droid is built on Debian. That only works when projects that use free software also contribute back. F-Droid works to ensure that as much of our work as possible goes back upstream to the original projects. For production code, we use the Debian packages. When we need to use a new library, we make sure it is added to Debian and maintained there. We use Debian Backports when we need some new dependencies in the stable release.

To illustrate this in action, let’s take a look at some recent security issues in one of our dependencies: GitPython. CVE-2022-24439, CVE-2023-40267 and CVE-2023-41040 are three vulnerabilities that mostly affect projects that feed untrusted input into GitPython and process it there. GitPython usages that operate on known inputs are not really affected. Since our build process accepts Git repositories from thousands of developers, our code processes inputs from thousands of people. There are layers of validation of those inputs that provide protection, but no validation is perfect, so we need to ensure that each step is safe. We therefore patched the Debian packages that we use in production. We built on Ubuntu LTS’s patched package, which was in turn built from the patched package made for Debian LTS, as funded by Freexian. It is a classic example of how free software makes fixing security issues much easier.
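An added example, not F-Droid’s own code, of the check a practitioner wants after a story like this: a Debian security upload keeps the upstream version number and backports the fix, so comparing the installed version against upstream advisories gives false positives, while the package changelog records which CVE ids each upload fixed. The changelog path under `/usr/share/doc` and the sample changelog entries are assumptions constructed for the example.

```python
import gzip
import re
from pathlib import Path

# A Debian changelog entry starts with "<source> (<version>) <dist>; urgency=..."
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_by_version(changelog_text):
    """Map each changelog version to the set of CVE ids mentioned in its entry."""
    fixes = {}
    current = None
    for line in changelog_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(2)
            fixes.setdefault(current, set())
        elif current is not None:
            fixes[current].update(CVE_RE.findall(line))
    return fixes


def unrecorded_cves(changelog_text, wanted):
    """Return the CVEs from `wanted` that no changelog entry records as fixed."""
    recorded = set()
    for cves in cves_by_version(changelog_text).values():
        recorded |= cves
    return sorted(set(wanted) - recorded)


def check_installed_package(binary_package, wanted):
    """Read the installed package's Debian changelog (assumed path) and report."""
    path = Path("/usr/share/doc") / binary_package / "changelog.Debian.gz"
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        return unrecorded_cves(fh.read(), wanted)


# Constructed changelog excerpt; versions and dates are placeholders, not real uploads.
SAMPLE_CHANGELOG = """\
python-git (0.0-0+constructed2) bookworm-security; urgency=high

  * Backport upstream fixes for CVE-2023-40267 and CVE-2023-41040.

 -- Maintainer <maintainer@example.org>  Mon, 01 Jan 2024 00:00:00 +0000

python-git (0.0-0+constructed1) bookworm; urgency=medium

  * Apply upstream patch for CVE-2022-24439.

 -- Maintainer <maintainer@example.org>  Mon, 01 Jan 2024 00:00:00 +0000
"""

# The three GitPython CVEs discussed in the post.
GITPYTHON_CVES = ["CVE-2022-24439", "CVE-2023-40267", "CVE-2023-41040"]

if __name__ == "__main__":
    print(unrecorded_cves(SAMPLE_CHANGELOG, GITPYTHON_CVES))  # []
```

On a real host, `check_installed_package("python3-git", GITPYTHON_CVES)` reads the installed changelog instead of the constructed sample; an empty list means every listed CVE is recorded as fixed.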

We are of course not alone in this; many other projects are also built on Debian. Recently, Tor Project outlined many key benefits of building off of Debian. What is clear is that the effort we put into Debian maintenance more than pays for itself by reducing work and stress on our core contributors, especially those who are running servers. Software supply-chain attacks have become common across a range of packaging systems. A well-configured Debian server has the strongest protection that exists for any server software distribution system.

There is a similar trend in software that ships all its own dependencies, like Android apps. There are a wide variety of bots that check that projects are including the latest versions of libraries. This is common in Android apps, since they have to include all of their own dependencies; Android provides only the core libraries. When we base our systems on Debian, we only need to update the dependencies in Debian, and all of the projects automatically receive those updates. When combined with Debian’s unattended-upgrades, this approach provides a very low-effort way to keep software updated. Normally, automatic updates without human review are a dangerous thing to do in software: silently installing new software provides a channel that can be exploited by malicious actors. Debian’s free software requirement, stable releases, reproducible builds, and strong package distribution channels make it possible to enable unattended upgrades in a trustworthy way.