True. Same for Android. I feel some form of that should be part of the approach. Splitting it carelessly would likely either:

A) result in no real change: ie. instead of allocating budgets within Google, they’ll just exchange money through deals and partnerships, as separate companies, but still having pretty much the same relationship between projects and level of control (Android & Chrome would continue favoring Google interests, even as independent companies), and they’ll keep being monopolies each within their own fields (I don’t see how that’s being addressed with the split).

B) result in independent projects that push for monetization and shady schemes to try and be profitable on their own (although, to be honest Mozilla has proven that being non-profit is not a shield against this either). This actually might be a good thing if the enshittification manages to get people to switch away from Chrome to a better alternative… but I wouldn’t be so sure of that (both that they would move, or that they’d choose a better one …as opposed to say MS Edge which has just as bad of a ruler).

It’s true that they say both things out of comfort.

Though to be completely honest, both statements are not contradictory. They are not necessarily accepting that they do have something worth hiding, but just stating that hiding is too difficult these days anyway. That does not mean (sadly) that they would start doing it were it easier, just that they have even less of a motive to care about it now that hiding is so much harder (to the point of almost being “a myth”).

I’m not saying they are right, I’m saying that lack of consistency is not the problem with that attitude. It’s not a “shift”, just a consistent continuation of a lazy attitude towards comfort.

Stock Android does not have tools to do that verification. Just verify it from the desktop and then send it to your Android device.

But I don’t see how verifying the apk signature would help if your concern is that “you have bare to none knowledge how it works”. The only thing that would fix that would be if you actually learn how it works.

Luckily, unlike other stores that are closed source and actively and purposefully hide from you what they do, F-Droid is open source, so anyone can go to the repo holding their source code and learn how it works, or build their own themselves, as long as they wanna spend that much effort.

You share public keys when registering the passkey on a third party service, but for the portability of the keys to other password managers (what the article is about) the private ones do need to be transferred (that’s the whole point of making them portable).

I think the phishing concerns are about attackers using this new portability feature to get a user (via phishing / social engineering) to export/move their passkeys to the attacker’s store. The point is that portability shouldn’t be so user-friendly / transparent that it becomes exploitable.

That said, I don’t know if this new protocol makes things THAT easy to port (probably not?).

True. Though I don’t think we would be in a hurry for this one, both Mindustry and Shapez have similar concepts and are already open source and quite good.