[ranger_danger]

As a developer, the fact that F-Droid now compiles all your packages for you, using their own keys, is a non-starter for me. It means they are free to modify my code however they want or inject malware etc. (whether by mistake or not), and it's totally outside of my control, but still has my name on it.

[Draiken]

I guess we can't win, can we? I worried more about random developers getting compromised since the surface area is much larger, but at the same time one entity compiling all packages makes them a more attractive target.

We've seen the released bundles being different to the source code before too AFAIR, so whether it's a single repository or F-Droid, both can easily screw users up if compromised.

I don't want to be paranoid but the world's not making it easy.

[ranger_danger]

What I'd like to see is enforced reproducible builds from multiple sources with publicly published and verifiable results that don't fall out of date.