• Captain Beyond@linkage.ds8.zone
    link
    fedilink
    arrow-up
    15
    ·
    1 month ago

    There are those who believe that F-Droid’s role as a “middle man” vetting and building packages from source instead of blindly shipping builds provided by upstream makes it a security risk, because you’re trusting F-Droid in addition to (some say instead of) the upstream developer. Perhaps telling is that none of these critics can offer an alternative solution.

    Before anyone mentions Obtainium and Accrescent, these are not alternatives to F-Droid, they solve completely different problems.

    • floofloof@lemmy.ca
      link
      fedilink
      English
      arrow-up
      19
      ·
      edit-2
      1 month ago

      It would be a single point of failure for many apps in case the curators of F-Droid were dishonest or hacked. They could insert bad things into lots of packages without having to change the public source code. But it also becomes the only point where malware or backdoors could be inserted that way, instead of having to trust every single developer to build honestly off the source code, which we’d have to do if they just stuck prebuilt binaries up there. I don’t know how rational I’m being, but it makes me trust F-Droid apps more that they build each one themselves.

    • stationary_melon@lemmy.ml
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 month ago

      I personally like F-Droid’s vetting process. It’s true that updates always arrive a few days later, but you can be sure they don’t contain any malicious code. Furthermore, they specify all of the antifeatures a program has, which makes it easier to avoid them. If you want faster updates, you can always download a program through Obtanium.

      • trevor@lemmy.mlOP
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        1 month ago

        I am not an F-Droid maintainer, but as far as I know the code is not vetted by F-Droid after the initial app submission process. Updates are pulled in, built and distributed automatically. The long delay is just because there are a lot of apps to build, and F-Droid is a volunteer-run operation.

        • stationary_melon@lemmy.ml
          link
          fedilink
          English
          arrow-up
          5
          ·
          edit-2
          1 month ago

          I had no idea. Thanks for telling me! In that case, im going to try to use the ones from IzzyOnDroid if avaliable

          Edit: According to their docs, they do take some special security measures and I couldn’t find a case of an app offered on FDroid which had malware.