The debate about F-Droid security and trustworthiness has been ongoing for a while now with passionate arguments on both sides, so I will let you go down that rabbit hole for yourself.

The main issue for me with F-Droid is having to trust not only the dev but also F-Droid. This is basic OPSEC. If you can get it from the source (GitHub usually) without also having to trust a 3rd party, then that is basic security practice. If the release is on GitHub, then Obtainium is just pulling from the repo.

If the dev releases the apk on F-Droid only, then that is the release repo (not GitHub, GitLab, or Codeberg), straight from the dev. Using Obtainium, in this case, now introduces a third party, so while the risk is minimal compared to an alternative client like Neo Store, I still recommend following best OPSEC practices and just getting the apk from the source, which in this particular case is not Codeberg, or GitHub, or GitLab, but F-Droid. I already spoke about why I recommend F-Droid Basic in the post.

Here is more info on the subject: https://discuss.privacyguides.net/t/remove-note-about-getting-f-droid-apps-from-obtanium/14440 
Thanks a lot for the detailed response. Just posting the link would have been quicker for you, so I appreciate you taking the time.

"If the dev releases the apk on F-Droid only, then that is the release repo (not GitHub, GitLab, or Codeberg), straight from the dev. Using Obtainium, in this case, now introduces a third party"

I guess the underlying issue here is one of dev practice. If all mobile app devs ran their own release repo, independent of *both* code forge and app library, then something like Obtainium could always download directly from the dev.

Installing with F-Droid could then be an automated process of adding that repo, and installing from it. At least as an option, for those who don't want to trust the F-Droid team to compile from source.

As things stand, people using Android apps are usually forced to trust either Goggle Prey Store, GritHub, or F-Droid. I know which of the 3 I trust. F-Droid is the only one where full source code is available for *every* link in their distro chain.

In the long term though, the solution to all this is Reproducible Builds. Or some other way of checking whether a binary (or server) is compiled from the published source code.
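The check the last paragraph asks for, "whether a binary is compiled from the published source code", boils down to comparing two APKs that were built from the same commit by different parties (the developer and F-Droid, say) and differ only in who signed them. The Python below is an added example, not code from either poster or from the F-Droid project: it hashes the contents of an APK while skipping the `META-INF/` signature entries, so two independently signed builds of identical code produce the same digest and any change to code or resources does not. It is a simplified content comparison; F-Droid's real reproducible-build verification goes further and compares the archives byte for byte after removing the signature, which also catches differences in zip metadata (timestamps, compression) that this digest deliberately ignores. The `make_sample_apk` helper only builds constructed test archives and is not a real app.

```python
import hashlib
import io
import zipfile

# Entries under this prefix hold the APK v1 (JAR) signature and differ per signer.
# APK v2/v3 signatures live in the APK Signing Block outside the zip entries, so
# zipfile never sees them and they need no special handling here.
SIGNATURE_PREFIX = "META-INF/"


def make_sample_apk(entries):
    """Build an in-memory zip from {name: bytes}. Constructed test data only,
    standing in for a real APK downloaded from the dev's repo or from F-Droid."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(entries.items()):
            zf.writestr(name, data)
    return buf.getvalue()


def content_digest(apk_bytes):
    """SHA-256 over the sorted (entry name, entry SHA-256) pairs of an APK,
    excluding the signature files, so the result is independent of the signer."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = sorted(n for n in zf.namelist() if not n.startswith(SIGNATURE_PREFIX))
        for name in names:
            entry_hash = hashlib.sha256(zf.read(name)).hexdigest()
            # Length-prefix-free but unambiguous: names and hex digests contain no NUL.
            h.update(name.encode("utf-8") + b"\0" + entry_hash.encode("ascii") + b"\0")
    return h.hexdigest()


def builds_match(apk_a, apk_b):
    """True when both APKs carry the same code and resources, whoever signed them."""
    return content_digest(apk_a) == content_digest(apk_b)


if __name__ == "__main__":
    # Constructed sample: the same app signed by the dev and re-signed by F-Droid.
    common = {
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035\x00",
        "res/values.arsc": b"\x02\x00",
    }
    dev_build = make_sample_apk({**common, "META-INF/CERT.RSA": b"dev-cert"})
    fdroid_build = make_sample_apk({**common, "META-INF/CERT.RSA": b"fdroid-cert"})
    print("same code, different signer:", builds_match(dev_build, fdroid_build))

    tampered = make_sample_apk({**common, "classes.dex": b"dex\n035\x00 extra",
                                "META-INF/CERT.RSA": b"dev-cert"})
    print("modified classes.dex:", builds_match(dev_build, tampered))
```

In practice you would run `content_digest` over an APK you built yourself from the tagged commit and over the one served by the repo you are about to install from; a match tells you the distributor shipped what the source says, which is the piece of the trust chain neither a GitHub release nor an F-Droid build can give you on its own.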