Life with Sailfish OS, day 1, hour 2-4
Couple of important apps still missing: Signal and Discord
Discord: the proprietary chat platform with off-putting terms of services. It's not a great starting point. The reason I'm there to begin with is following Synthstrom Deluge and C64 OS development, those communities unfortunately only really exist in Discord. Discord has a web interface that works okay on desktop Firefox, but it's a no-go on a mobile browser. The Android client is this elephant class Electron app, and not something you want on top of a heavy compatibility layer on a lower end phone if you can avoid it. Plus, getting away from Android was kind of on the agenda. There's a native app called Sailcord in the Jolla store, the gotcha is that using 3rd party software for accessing Discord isn't something their terms of service exactly encourages. Apparently people have gotten banned from their Discord accounts for using such things. But, these clients wouldn't exist if everybody was getting banned, and OTOH people get banned for doing stupid things with the official client. So I guess it's fingers crossed and don't do anything stupid.
For Signal, there's an unnoficial native client called Whisperfish. Unfortunately this is not available from the Jolla store, instead it takes you down a bit of a rabbit hole: Release builds are available on OpenRepos, but to access that you need a client. Which is not available from the Jolla store either. To install, you need to download a storeman-installer package from either OpenRepos itself or their GitHub release page.
The package is an RPM package which does some rather questionable looking things in its installation scriptlets. What it appears to do is add OpenRepos to the system repository configuration and then automatically run the installer contained in the package, which turns out to be another shell-script that then refreshes the PackageKit installation service, and finally tries to install the actual Storeman software through PackageKit. I don't know the Sailfish OS ecosystem sufficiently (at all really, at this point) to judge whether all this hackery is truly necessary, just that in the desktop Linux world, that is a whole bingo line of "don't do that".
Also, the installer package is not signed. Apparently nothing on OpenRepos is. There doesn't even seem to be checksums that could be manually verified. I'm not letting an unverifiable software from the net run as root funky looking shell-scripts on a device with my banking app on it. Just no.
The whisperfish package itself seems okay, it just does a systemd user session reload in the scriptlets and doesn't run as root. It's just as unverifiable though, but maybe the repository is signed? Need to investigate that.
Signatures appear to be overlooked in this ecosystem: the official Jolla packages on the system are signed, but neither of the two Jolla keys imported in the rpm keyring actually match that. And community packages from the Jolla store don't appear to be signed at all. This is like going back to the nineties.
So that's about two hours gone and I still don't have a Signal app. I could of course go with the official Signal app, but that requires the heavy Android compatibility layer running and besides, Android.
