> Localization files for every language on Earth - [...] - Samsung really wanted to make sure everyone on the planet could experience this suffering equally
Why are you considering localization as bloat? I bet your reaction wouldn't be positive if your native language(s) were missing instead.
The alternative would be the installer only installing the languages that match the system settings. Which, yes, is imperfect, but not nearly as bad as separate downloads or, god forbid, the two-tier base language and modification pack system Microsoft came up with.
I don't think that's standardized; it probably only has some heuristic to detect a subscription's associated payments and rejects them. It will not integrate in any way with merchants to cancel the subscription on their side, and in fact they suggest first trying to cancel the subscription on the merchant side.
To be honest, the limited popularity of F-Droid also helps it be less targeted by bad actors. If it was more popular I would bet the situation would surely be different.
This argument can be refuted by considering Debian repositories. No malware exists there despite it being a good target. It's the FLOSS that solves the malware problem, with a bit of moderation.
I'd argue OSS isn't sufficient on its own and that I suspect moderation only plays a small role. I think it's primarily the separation of roles. For a complete outsider whose only interest is exploiting users, publishing a sufficiently popular piece of software and also gaining the ability to add things to the Debian repos is a huge barrier. You'd have to invest years of work to do both of those things and then hope that no one happened to notice anything before it was too late.
Of course the FLOSS aspect adds an additional hurdle that this popular piece of software will have to somehow avoid having much of a contributor community around it since that would greatly increase the risks of your malicious changeset being reviewed. I guess what happened with XZ was about the best case scenario that an attacker could realistically hope for.
There were a few mishaps with PyPI and npm, including in the past week and even today. Not sure if those meet your criteria of FLOSS, but if they do I wouldn't call it solved.
Yeah, but supply chain attacks like that can hit literally anything. Debian repos, Play Store, an individual publishing on his own website, it's all vulnerable.
> MEETS_STRONG_INTEGRITY also includes the requirement that the device has received a security patch _within the last 12 months_
Good luck with that.