https://privsec.dev/posts/android/f-droid-security-issues/, the recent findings of bypass of certificate pinning [0], wireguard creator doesn't trust f-droid himself [1], continued harmful attacks to GrapheneOS devs [2] and a few more points regarding their build infra using a deprecated debian release.