In the GrapheneOS forum, I encountered a claim that F-Droid is insecure (and not good at privacy either). These links (and more) were given as evidence:
- https://privsec.dev/posts/android/f-droid-security-issues/
- https://xcancel.com/GrapheneOS/status/1883895255142932816#m
- https://github.com/obfusk/fdroid-fakesigner-poc
While there is some attitude against FOSS apps, I think the arguments are generally sound and in good faith. This confuses me, as I've been hearing good things about F-Droid in the lemmyverse.
I am not good at assessing arguments, so I want to ask you guys for more aspects and information.
Also, if not F-Droid, what should I use? Is Aurora Store, a frontend for the Play Store, not fine to use either?
The biggest thing they cite is that you have to trust F-Droid to build the applications properly without inserting changes.
The way to fix that is something called reproducible builds, where the developer builds their app and says that their build has this ID, and then the software provider builds the app and compares the ID.
If the IDs match 100%, then you can be certain that the app store has not tampered with the developer's version of the app.
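As an added illustration of the comparison that reply describes (this is constructed example code, not code from the thread or from F-Droid): a toy "app" is packaged into a zip twice, once the naive way and once with the usual sources of nondeterminism pinned, and the store-side check simply compares SHA-256 digests of the two artifacts.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for compiled app contents (an APK is just a zip).
SOURCES = {
    "classes.dex": b"dex\n035\x00constructed bytecode",
    "res/values.xml": b"<resources/>",
}


def naive_build(sources, timestamp):
    """Package files as a naive build would: each entry carries the given
    build-time timestamp and the caller's file order, so two builds made at
    different times (or on machines that list files differently) differ."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sources.items():
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def reproducible_build(sources):
    """Same packaging with nondeterminism removed: a fixed epoch timestamp
    and a sorted entry order, so the output depends only on the contents."""
    fixed_epoch = (1980, 1, 1, 0, 0, 0)  # earliest timestamp zip can store
    return naive_build(dict(sorted(sources.items())), fixed_epoch)


def artifact_id(blob):
    """The 'ID' the reply refers to: a SHA-256 digest of the built artifact."""
    return hashlib.sha256(blob).hexdigest()


def store_check(developer_blob, store_blob):
    """What the repository does: rebuild from source and compare digests.
    Any inserted change on either side makes the comparison fail."""
    return artifact_id(developer_blob) == artifact_id(store_blob)


if __name__ == "__main__":
    dev = reproducible_build(SOURCES)
    store = reproducible_build(dict(reversed(list(SOURCES.items()))))
    print("reproducible match:", store_check(dev, store))
    a = naive_build(SOURCES, (2024, 5, 1, 12, 0, 0))
    b = naive_build(SOURCES, (2024, 5, 2, 12, 0, 0))
    print("naive match:", store_check(a, b))
```

The naive builds differ only in timestamps yet get different IDs, which is why a developer's and a store's build must both be deterministic before the comparison means anything.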
Thanks for the explanation.