From 8acf0f83fe56d3278eb3cb70c8b7e0bf863bdd52 Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Mon, 10 Jan 2022 10:22:07 +0100 Subject: [PATCH] mention their basic process --- content/posts/fdroid-issues.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/posts/fdroid-issues.md b/content/posts/fdroid-issues.md index e9b93be..b6ac26d 100644 --- a/content/posts/fdroid-issues.md +++ b/content/posts/fdroid-issues.md @@ -24,6 +24,10 @@ On the other hand, Play Store now manages the app signing keys too, as [Play App F-Droid requires that the source code of the app is exempt from any proprietary library or ad service, according to their [inclusion policy](https://f-droid.org/en/docs/Inclusion_Policy/). Usually, that means that some developers will have to maintain a slightly different version of their codebase that should comply with F-Droid's requirements. Besides, their "quality control" offers **close to no guarantees** as having access to the source code doesn't mean it can be easily proofread. Saying Play Store is filled with malicious apps is beyond the point: the **false sense of security** is a real issue. Users should not think of the F-Droid main repository as free of malicious apps, yet unfortunately many are inclined to believe this. +> But... + +[You don't have to take my word for it](https://forum.f-droid.org/t/is-it-as-safe-as-it-is-from-fdroid-official-repo/15956/12): they openly admit themselves it's a [very basic process](https://forum.f-droid.org/t/is-it-as-safe-as-it-is-from-fdroid-official-repo/15956/2) relying on badness enumeration (this doesn't work by the way) and a few scripts. You are not exempted from trusting upstream developers. + > How can you be sure that the app repository can be held to account for the code it delivers? F-Droid's answer, interesting yet largely unused, is [build reproducibility](https://f-droid.org/en/docs/Reproducible_Builds/). While deterministic builds are a neat idea in theory, it requires the developer to make their toolchain match with what F-Droid provides. It's additional work on both ends sometimes resulting in [apps severely lagging behind in updates](https://code.briarproject.org/briar/briar/-/issues/1612), so reproducible builds are not as common as we would have wanted. It should be noted that reproducible builds in the main repository can be exclusively developer-signed.