GrapheneOS thanks heaps for the explanation, I'll keep it in mind!
GrapheneOS We cannot recommend F-Droid due to major security and trustworthiness issues. We don't recommend adding this as another trusted party instead of using developer builds. You do not truly avoid trusting the app developers since they build whatever is released with near zero scrutiny and even serious review would not realistically catch issues.
gplay doesn't scrutinize application developers either. And as far as trustworthiness goes, F-Droid packages a source code archive that matches the builds. That is a heck of a lot more trustworthy than the unreproducible crap you get elsewhere.
So what is the recommended way to download and obtain apps if google isn't an option, and it is not on Accrescent?
kebab_definite So what is the recommended way to download and obtain apps if google isn't an option, and it is not on Accrescent?
I believe the recommendation in that case would be to get it from where you need to. The developer's website or GitHub would be the next best option.
We cannot recommend F-Droid due to major security and trustworthiness issues. We don't recommend adding this as another trusted party instead of using developer builds
Not all developers publish their builds though. If you must have an app that is only available on F-Droid, then I guess you'll have to get it from there. But maybe consider if another app would work just as well.
You can also use App Verifier to verify the app's signature (only necessary on the initial installation - and doesn't really mitigate the risk of F-Droid, since they're signing the builds anyway).
Our own App Store, Accrescent and App Verifier are highly recommended by GrapheneOS.
secrec Do you know what percentage of F-Droid apps are currently Reproducible Builds though? Last time I looked into it, apparently only a small percentage of apps were actually Reproducible/Deterministic Builds, and that was according to F-Droid themselves.
That was a while ago though, so maybe they have made some good progress there? I like the concept of those at least, as you don't have to trust the app developer and F-Droid like you do with the rest of the apps in the F-Droid repository.
I've personally got nothing against F-Droid and would like them to improve in all the areas where their security is weak. The more secure and private app stores, the better for everyone after all.
I agree. Personally, I trust the F-Droid team more than random developers and for me they're like a second pair of eyes. A recent example was when "Simple Apps" was sold to some adware company and F-Droid immediately stopped updates and then replaced them with the clean fork "Fossify Apps". Meanwhile, those who had installed the apps from Play Store received the "bad" closed source updates with ads & tracking included.