I am on GrapheneOS, but this concerns Android as a whole. Of the two options, F-Droid and GitHub (Obtainium), which is the safest way to install an app?
From the GrapheneOS forums, I see many people recommending GitHub over F-Droid as it is straight from the source. I know it's true, but if a developer adds a 'not-so-safe' piece of code or introduces tracking, Obtainium would automatically update my app without letting me know about the changes. But from what I have seen from F-Droid, they usually pause or cancel the update or app if these changes were to take place (for example, Simple Gallery or Mull for Android).
So I am confused. Whom should I trust more, F-Droid with their own app builds or the developers on GitHub?
Also I have seen that Obtainium, when used with a VPN to fetch app updates, will get rate limited by GitHub. Also I don't really like GitHub as a code repository, with their tracking and rate limiting. I don't know if F-Droid tracks users.


You don't have to trust F-Droid; you can verify that it's the same build as the one from the original developer, assuming they have done things right. I believe a good entry point is https://f-droid.org/en/2025/05/21/making-reproducible-builds-visible.html
I personally trust F-Droid and I believe their verification process, with steps like https://f-droid.org/en/docs/Anti-Features/, matches my needs. It's not for everyone but I like it.
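The reproducible-build check mentioned in the reply comes down to one question: does the F-Droid build contain exactly the same app content as the developer's signed release, with only the signature differing? The script below is an added illustration, not F-Droid's own tooling, and it simplifies the real check: it treats an APK as a zip, hashes every entry except the JAR (v1) signature files, and reports what differs. The "APKs" it compares are constructed in-memory zips, and the `classes.dex` bytes are placeholders.

```python
import hashlib
import io
import zipfile

# JAR (v1) signature files are the only zip entries expected to differ between a
# developer-signed APK and an F-Droid-signed build of identical source. APK v2/v3
# signatures live in the APK Signing Block, outside the zip entries, so this
# simplified check ignores them entirely (assumption: v1 files only).
SIGNATURE_SUFFIXES = (".MF", ".SF", ".RSA", ".DSA", ".EC")

def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)

def content_digests(apk_bytes: bytes) -> dict:
    """Map every non-signature zip entry to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_builds(dev_apk: bytes, fdroid_apk: bytes) -> dict:
    """Entries missing on one side or differing in content; all empty means reproducible."""
    a, b = content_digests(dev_apk), content_digests(fdroid_apk)
    return {
        "only_in_dev": sorted(set(a) - set(b)),
        "only_in_fdroid": sorted(set(b) - set(a)),
        "differing": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }

def build_apk(entries: dict, signer: str) -> bytes:
    """Constructed stand-in for an APK: app entries plus fake v1 signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", f"signed-by: {signer}\n")  # differs per signer
        zf.writestr("META-INF/CERT.RSA", f"cert:{signer}".encode())  # differs per signer
    return buf.getvalue()

# Constructed sample builds: same source signed by two parties, and one whose code differs.
APP = {"classes.dex": b"dex\n035\x00" + b"A" * 64, "AndroidManifest.xml": b"<manifest/>"}
DEV_APK = build_apk(APP, "developer")
REPRODUCED_APK = build_apk(APP, "f-droid")
DIVERGENT_APK = build_apk({**APP, "classes.dex": APP["classes.dex"] + b"extra"}, "f-droid")

if __name__ == "__main__":
    print("reproducible:", compare_builds(DEV_APK, REPRODUCED_APK))
    print("divergent:   ", compare_builds(DEV_APK, DIVERGENT_APK))
```

A real verification would also confirm the developer's certificate on the published APK, which this content-only comparison does not do.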