[rkrisztian]

On the GrapheneOS forum you will see a lot of bad opinions about F-Droid, for example this:

> It doesn't matter that the app is trustworthy, because F-Droid are extremely incompetent with security and the apps you install from F-Droid are signed by F-Droid rather than the developer.

https://discuss.grapheneos.org/d/20212-f-droid-security-in-s... https://discuss.grapheneos.org/d/18731-f-droid-vulnerability...

They also say, if you use F-Droid, at least use F-Droid Basic:

> Dont use the main F-Droid client. Android is pretty strict about SDK versions and as F-Droid targets legacy devices, it is very outdated.

https://discuss.grapheneos.org/d/11439-f-droid-vsor-droid-if...

> If the app is only available on F-Droid / third party F-Droid repo, use F-Droid Basic and use the third party repo rather than the main repo if available. > > If the app is available on Github then install the APK first from Github then auto-update it using Obtanium. Be sure to check the hash using AppVerifier which can be installed from Accrescent (available on the GrapheneOS app store).

https://discuss.grapheneos.org/d/16589-obtainium-f-droid-bas...

By the way, while GrapheneOS recommends Accrescent, I don't use it anymore because they can't even add apps like CoMaps, while some of the apps they actually added are proprietary.

[prmoustache]

>the apps you install from F-Droid are signed by F-Droid rather than the developer.

That doesn't seem like a con if you take into account the context: F-droid is not shipping pre-build binaries from the developper, it asks for a buildable project from the developper.

If the source repo of the upstream dev are compromised, so will be hid own binaries anyway.

[indigane]

> [A]pps you install from F-Droid are signed by F-Droid rather than the developer.

Having recently gone through the F-Droid release process, I learned that this is not necessarily the case anymore.

F-Droid implements the reproducible builds concept. They re-build the developer's app, compare the resulting binary sans signature block, and if it matches they distribute the developer-signed binary instead of their re-built binary.

This is opt-in for developers so not all apps do it this way. I'd sure like to know how common this is, I wonder if there are any statistics.

[strcat]

F-Droid only uses reproducible builds for a tiny portion of apps, and there are still significant disadvantages. It depends on the app developers always complying with F-Droid's rules otherwise users are left without updates. F-Droid only checks that the build matches, they do not review/audit the apps and will not catch hidden malicious behavior or simply non-compliance with their rules. WireGuard's app deliberately broke F-Droid's rules by including a self-updater which was not noticed by F-Droid and shipped by F-Droid. WireGuard used this to start taking over updates for itself to migrate their users away from F-Droid. F-Droid eventually found out when the WireGuard developer brought it up many months later and couldn't do anything beyond dropping the app. It had taken over updates for itself already and F-Droid wasn't in the picture anymore.

The process adds a significant delay for updates but it does not actually protect users from developers in any meaningful way. This real world example with WireGuard demonstrates that.

[rixed]

If the signatures are the same, what difference does it make which binary is distributed?

[Idesmi]

What is the same is the checksum of the result binary.