by Wonderfall 1570 days ago
I fail to see how it's fallacious since you're confirming my point.

> I'm not starting with an app, adding my trust of the developer, and adding my trust of F-Droid

You are. You seem to believe they actually read the whole source code when it's not the case: all they do is run their own scripts to scrap known trackers and the like (and again, I must say badness enumeration is a flawed approach). This is far from a stringent process, and relying on it would be a very weak approach in any threat model.

You still have to trust the app developer, and you'd be much better off trusting the strong guarantees provided by the Android app sandbox anyway. Seems like there's a major disagreement here when it comes to our approach to privacy.

> Thirdly, Android's default app store, Google Play, also trusts a third party by default - Google, who insist on running a tracking rootkit on your computer, which is so much more egregiously invasive than trusting any one app that it renders any comparison with F-Droid moot.

Play App Signing is mentioned in the article.

1 comments

> all they do is running their own scripts to scrap known trackers and the like

Which Google Play does not, happily serving you all the "known trackers". F-Droid is strictly superior on this front.

> You still have to trust the app developer

I don't have to trust the developer as much because I don't have to take their word for it that the compiled app matches the public source.

> and you'd be much better off trusting the strong guarantees provided by the Android app sandbox anyway

False dichotomy. I still have the sandbox with F-Droid. This is chaff.

> Play App Signing is mentioned in the article.

...Okay? What a non-sequitur. Signing is completely off-topic to the fact that Play Services is spyware (notwithstanding your assertion that it isn't). Unlike F-Droid. That's a huge difference.

It's like saying "when meeting a sketchy stranger, don't bring a friend along or meet in a public place because now you have to trust the friend as well, and also the friend might not be strong enough to overpower the stranger anyway. Safer to take an Uber to their house and lock the door behind you."

> False dichotomy. I still have the sandbox with F-Droid. This is chaff.

I didn't imply that you wouldn't benefit from the app sandbox by using F-Droid. I meant that the practical approach to privacy should come from relying on the permission model instead of trusting third parties.

In that sense, F-Droid adds very little to the fact that you still have to trust the upstream code with the permissions you're willing to grant.

If you choose to trust F-Droid, that's perfectly fine and I'm not trying to convince anyone to stop doing that. I also won't comment on your statements that Play Store is spyware because I have very little interest in that topic. You're free to believe that, and I respectfully disagree given the great service (whilst not perfect by any means) offered by Play Store.

The "tracker checking" is useless because it just checks for a small list of libraries in the app. If an app has no tracker libraries, this doesn't mean that they do not track you. So it gives you a false sense of security.