Oddbean new post about | logout
Vitor Pamplona | 8 months ago (raw) | root | parent | reply | flag +1 
 If the dev is malicious, F-droid will compile the malicious code as well (F-droid doesn't review any changes to the actual code). There is no extra safety being added by F-Droid. They only check if the code is open source, that's it.
JohnyDoor | 8 months ago (raw) | root | parent | reply | flag 
 if the application has a sizeable user base, there will be users (most likely contributors) who will discover the change, they have about 1 day, but many FDroid users rarely update repositories, so more than 1 day.  Malicious functionality in builds can go unnoticed for years.
Braydon Fuller | 8 months ago (raw) | root | parent | reply | flag +1 
 Could be interesting to have an organization that would specialize in reviewing code with results integrated into a directory with nostr. Badges and additional marketing exposure could be a benefit. Members could be both producers and users and could pay for the service.
devsou.com | 8 months ago (raw) | root | parent | reply | flag +1 
 There is no need such "organization". Just trust your favorite developer. E.g. if you use Amethyst, that means you trust Victor Pamplona. And so on...